Hi Ken,
----- Original Message -----
> On 02/04/13 12:10, Nathan Scott wrote:
> >
> >
> > ----- Original Message -----
> >> Apologies ... I did not check the script and misread the output.
> >>
> >> The issue really appears to be the "Peer's Certificate issuer is not
> >> recognized" error ... which is also seen in QA/712.
> >>
> >
> > These tests generate a self-signed certificate for use to validate
> > the SSL connections (so the certificate issuer is the qa host).
> > The qa/common.secure nss_setup_certificates function does this bit
> > fwiw.
> >
> >> What am I doing wrong here?
> >
> > Not clear, as the above certainly appears to be accepted on my setup
> > (nss-3.13.6-2). Check the results of the nss_subject_name function
> > in common.secure might be a starting point, as this drives $certdomain
> > used later on (712.full should have greater detail).
>
> Well it appears this test for me is always either not run (no certutils, PCP
> build w/out secure sockets support) or fails.
>
> I tried moving closer to your environment with CentOS 5.9 and nss-3.13.6-3
> but the problem got worse!
Heh, Murphys Law.
> I installed the nss-devel and nspr-devel rpms, rebuilt PCP, and installed the
> new PCP rpms.
>
> But now I _cannot_ start pmcd ... each time I run /etc/init.d/pcp start I end
> up with an empty ~kenj/.pki/nssdb directory being created (if it does not
> already exist) and then
pmcd (and pmproxy) uses the system certificate database via sql:/etc/pki/nssdb
(iirc - havent double-checked, limited net access atm)
> Arrgghh ....
I'd suggest/recommend going through the step-by-step recipe in the secure conns
howto (lab.secure.html in pcp-gui tutorial docs, or on oss) - we should be able
to see at what point the wheels fall off then. Or at least where your setup is
deviating from that, and also shows how to dump certs, etc. Dave may be able
to help with further interactive debugging on irc while I'm away (he taught me
eveything I know :)
Theres a certutil invocation there (iirc) describing how to remove certificates
as well, which sounds like might be in order here (I'm guessing that somehow an
invalid PCP Collector certificate has been generated for your host, and pmcd is
dutifully refusing to proceed with it).
cheers.
--
Nathan
|