Description (Stephen Gallagher, 2011-09-30 11:33:47 UTC)
Description of problem:
Many customers have certificate issues when using the System Security Services Daemon. However, the debug logs are of no use because the openldap libraries do not return useful error messages explaining the cause of the failure.
This is in turn caused by the mozilla-nss libraries not returning these messages to openldap. (Note: this should be viewed as a regression in SSSD and openldap because the openldap libraries that used openssl for crypto reported this information in a useful way).
Without this information, it is very difficult for customers to identify where their problems are located.
Version-Release number of selected component (if applicable):
nss-3.12.10-11.el6
How reproducible:
Every time
Steps to Reproduce:
1. Configure SSSD to talk to an LDAP server with a server certificate issued by a private CA (that is not in the standard CA list).
2. Attempt to use SSSD over a secure channel (ldaps or ldap_id_use_start_tls = true)
3. The debug logs will report that an error occurred, whose message is "unknown".
Actual results:
"Unknown" error message in the logs
Expected results:
The logs should identify that the error was caused by an invalid certificate chain.
Additional info:
As mentioned above, this worked properly until openldap converted to mozilla-nss.
Related upstream ticket for openldap: http://www.openldap.org/its/index.cgi/Incoming?id=6789
Comment 2 (Stephen Gallagher, 2011-09-30 12:03:05 UTC)
*** Bug 736866 has been marked as a duplicate of this bug. ***
Comment 3 (Elio Maldonado Batiz, 2011-09-30 16:38:31 UTC)
It would actually be a lot easier and risk-free to rebase to NSS 3.13.
Comment 5 (RHEL Program Management, 2011-10-07 16:01:42 UTC)
Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker.
Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
Comment 6 (Elio Maldonado Batiz, 2012-10-24 22:25:58 UTC)
This bug should be closed, as we updated to upstream nss-3.13, which is the release that added support for localizable error strings. That update occurred at the start of the year.