Latest LQ Deal: Linux Power User Bundle
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 07-09-2008, 06:01 PM   #1
LQ Newbie
Registered: Jul 2008
Posts: 13

Rep: Reputation: 0
Error:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIF

LDAP Server: DSEE 6.2 on Solaris 10
LDAP Client: Openldap on RHEL 5.1

Would anyone know how to get the correct client cert files to the client machine? I copied the cacert.pem, cert8.db, key3.db and secmod.db files from the server. I copied the files into /etc/openldap/cacerts directory. So, when I run the /usr/bin/authconfig-gtk tool and get everything configured, I click OK to save the configurations, the message I get back is:

4722:error:0906D06C:PEM routines:PEM_read_bio:no start lineem_lib.c:644:Expecting: TRUSTED CERTIFICATE

From this website it has:
a. Copy the root CA and subordinate CA certificates in PEM format. If they are in DER format, use the following commands to convert them to PEM format, and then copy them over to the /etc/openldap/cacerts directory.

# openssl x509 -inform DER -outform PEM -in rootca.der -out
# openssl x509 -inform DER -outform PEM -in subca.der -out
Note: If the root CA certificate does not begin with ...BEGIN TRUSTED CERTIFICATE, the openssl commands might fail on both the certificates or the LDAP library might not use the certificate. In such a case, you need to modify the "trust" properties of the root CA certificate using the following command:

# openssl x509 -trustout -in rootca.cer -out rootca.pem

b. As root, copy the PEM-formatted certificate files to the/etc/openldap/cacerts directory and change their permissions:

# cp rootca.pem /etc/openldap/cacerts
# cp subca.pem /etc/openldap/cacerts
# chmod 644 /etc/openldap/cacerts/*.pem

No where did I see a DER formated file for the root CA or subordinate CA certificates. On the server I saw a cacert.pem locate in /CA directory and in /var/ldap directory were cert8.db, key3.db and secmod.db files. I am not sure which certificate files to use. I tried the cacert.pem file but get the error message above. I believe if I get this problem solved, it will fix the other problems. I have followed the instructions from the website above and do not know what else to do. Has anyone ever been successful at authenticating a RHEL 5.1 Openldap client with Sun DSEE 6.2 server? I need some help.
Old 07-18-2008, 12:06 PM   #2
LQ Newbie
Registered: Jul 2008
Posts: 13

Original Poster
Rep: Reputation: 0
I found out why DSEE server kept asking to change my password each time I kept trying to login. The Linux Openldap client was seeing the password as being expired from the shadowLastChange attribute. So what I did was use the ldapmodify command to modify the shadowLastChange attribute to a more current date. Then I tried to ssh with my account and it worked.

ldapmodify -x -ZZ -H ldap:// -D "cn=ldapmgr" -w <manager passwd>
dn: uid=username,ou=people,dc=server,dc=com
changetype: modify
replace: shadowLastChange
shadowLastChange: <new value>
<ctrl d>
<ctrl d>

My account worked just fine before I even change the shadowLast Change on the Solaris client. I was informed,

"The reason is DSEE 6.2 and Solaris 10 does not need to use the shadowLastChange, Waring, Max, and Min any longer. It is provided through the global password policies located inside the DSEE server. In order to have a solaris sytem recognize a password expiration, you must deny access for the proxyagent to read the password attribute of the user's in ou=people. This forces Solaris to utilize PAM to honor the built in global password policies.

Changing your global password policy creates a snowball effect that leads you to have to change the encryption method to the passwords from the default SSHA and force you to change the passwords for all existing users."

Would anyone be able to help configure Linux PAM to look at the global password policies on the DSEE server work the same as Solaris client with the DSEE?

Last edited by al.lmco; 07-18-2008 at 12:16 PM.
Old 03-30-2009, 05:09 PM   #3
LQ Newbie
Registered: Aug 2004
Posts: 14

Rep: Reputation: 0
Lightbulb Expecting: TRUSTED CERTIFICATE - authconfig

I discovered the real reason for why, when running authconfig, one might receive one or more "Expecting: TRUSTED CERTIFICATE" errors. If you've configured the linux box to use LDAP at all, authconfig will automatically "rehash" the certificate directory. (Check the ldap.conf file for TLS_CERT* lines). During the "rehash" operation, for every file in the certificate directory that is not a valid PEM certificate file, you will get that warning/error printed out.

So, in reality, this is not actually an error for authconfig, but it appears to be, and it's damned alarming.

Solution: remove all non-certificate files from that directory.

I had placed a host key file that I was allowing the LDAP user to read in my cacert directory, and then began receiving the error. Renaming that file to start with a '.' eliminated the error from occurring.


authconfig, certificates, ldap, linux

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Carpo Slackware 1 07-10-2007 09:46 AM
gcc compile error with X11 library routines jrbrearley Programming 2 07-26-2006 02:50 PM
error:25066067:DSO support routines :DLFCN_LOAD:could not load the shared library berserker-ky Linux - Wireless Networking 1 02-20-2006 11:20 PM
HELP MEEEE! cant install - PCI Cache line size to large expecting 16. danny2055 Linux - General 4 11-24-2003 12:54 PM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 09:56 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration