
SSL Verify Return Code:21

Running: openssl s_client -connect server.domain.com:636

I get the following error:
Verify return code: 21 (unable to verify the first certificate)

I believe this is an issue with the CA or the key not being verified/accepted.

I installed the ca bundle from here: http://certs.ipsca.com/Support/SSLServerSUPPORT.asp

Then I edited the httpd.conf file to include: SSLCertificateChainFile "/etc/apache2/conf/IPS-IPSCABUNDLE.crt"

Pasted the crt data in my crt - via Server Admin.

The issuer checked my site and they said it was installed correctly; however, it appears not to be.
If I go to https://server.domain.com it connects with no issue; if I go to https://server.domain.com:### it asks me if I want to trust the crt.

Thanks for the help

MacBook Pro, Mac OS X (10.5.7)

Posted on Jun 25, 2009 6:33 PM
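
One way to see what a server on a given port actually sends, as an added example that is not part of the original thread: the shell function below reads openssl s_client output and reports how many certificates were in the chain, plus the final verify return code. The function names, the sample outputs and the CA names in them are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin and reports how many
# certificates the server sent and the final "Verify return code".
diagnose_chain() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---$/         { in_chain = 0 }   # "---" alone ends the section
    in_chain && /^ *[0-9]+ s:/  { n++; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    in_chain && /^ +i:/         { sub(/^ +i:/, ""); issuer = $0 }
    /Verify return code:/       { sub(/^.*Verify return code: */, "")
                                  code = $1 + 0; have = 1 }
    END {
      if (!have)
        print "no-result: no verify return code in input"
      else if (code == 0)
        print "ok: " n " certificate(s) sent and verified"
      else if (n == 1 && subj != issuer)
        print "leaf-only: code " code ", server did not send issuer \"" issuer "\""
      else
        print "failed: code " code ", " n " certificate(s) sent"
    }'
}

# Constructed sample: the server presents only its own certificate.
sample_leaf_only() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=server.domain.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
EOF
}

# Constructed sample: the server also presents the intermediate certificate.
sample_full_chain() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=server.domain.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
---
EOF
}

# Live use: openssl s_client -connect server.domain.com:636 </dev/null 2>/dev/null | diagnose_chain
sample_leaf_only  | diagnose_chain
sample_full_chain | diagnose_chain
```

Running it against each port in turn (443, 636, 8443) shows whether every service presents the same chain, since each service is configured separately from Apache's SSLCertificateChainFile.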


Jun 25, 2009 7:43 PM in response to Mabel O'Farrell

Neither - but I did request a mod-ssl crt.

I found the company and followed the steps from here:
http://www.stanford.edu/group/macosxsig/blog/2008/03/gettingssl_certs_leopardserv.html

I was not trying to connect to port 636 via https; I did use 8443 for CalDAV, because it wouldn't work unless I trusted that crt. The client (iCal) would not give me the option to trust it, so I accessed it through the browser. I was working on connecting to LDAP with SSL, which brought me to the error.

Jun 30, 2009 7:40 AM in response to Mabel O'Farrell

It would be helpful if I knew where Server Admin saves the certs that are created in it.
It seems to me that the error is that there is no key given to the client.

Here is the output of the cal error log. (Wow, they need a code input... to keep formatting correct.)

2009-06-30 08:51:26-0400 [-] [caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/Local/Default)] ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050(admin) 'Administrators'>
2009-06-30 08:51:26-0400 [-] [caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/LDAPv3/127.0.0.1)] 7D0CD28A-D68E-4501-92EA-A1AA88C8D70C(admin) 'Open Directory Administrators'>
2009-06-30 08:51:26-0400 [-] [caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/Local/Default)] ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014(staff) 'Users'>
2009-06-30 08:51:26-0400 [-] [caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/LDAPv3/127.0.0.1)] E1F6927D-1F72-4882-BB9C-BBF51679E801(staff) 'Open Directory Users'>
2009-06-30 08:51:26-0400 [-] [caldav-8009] [AMP,client] PROPFIND /calendars/__uids__/C2511463-0A52-4A21-B6C8-26ED39AB1585/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8010] [AMP,client] PROPFIND /calendars/__uids__/E6808172-E1C3-4C20-A120-C5DDE13ABD86/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8010] [OpenDirectoryService] Reloading users record cache
2009-06-30 08:51:26-0400 [-] [caldav-8010] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[users@058167af-ace8-519a-ac3d-e166498db024(/Search->/Local/Default)] FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000(root) 'System Administrator'>
2009-06-30 08:51:26-0400 [-] [caldav-8010] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[users@058167af-ace8-519a-ac3d-e166498db024(/Search->/LDAPv3/127.0.0.1)] 791FBD53-1D1C-459E-80C3-C28AE11972B0(root) 'System Administrator'>
2009-06-30 08:51:26-0400 [-] [caldav-8010] [AMP,client] PROPFIND /principals/__uids__/DDEA30CB-484D-4217-BDC0-2D57321E7D43/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8009] [AMP,client] PROPFIND /principals/__uids__/DDEA30CB-484D-4217-BDC0-2D57321E7D43/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8009] [OpenDirectoryService] Reloading resources record cache
2009-06-30 08:51:26-0400 [-] [caldav-8009] [OpenDirectoryService] Reloading locations record cache
2009-06-30 08:51:26-0400 [-] [caldav-8009] [AMP,client] PROPFIND /principals/__uids__/8094FA63-F1F8-4EEC-BEA3-A080162C9478/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8009] [AMP,client] PROPFIND /principals/__uids__/DB0DFA19-A819-4EF2-B15E-514E52FC952F/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8009] [AMP,client] PROPFIND /principals/__uids__/E6808172-E1C3-4C20-A120-C5DDE13ABD86/ HTTP/1.1
2009-06-30 08:51:26-0400 [-] [caldav-8009] [AMP,client] PROPFIND /principals/__uids__/C2511463-0A52-4A21-B6C8-26ED39AB1585/ HTTP/1.1

Jun 30, 2009 9:37 AM in response to Nathan005

It seems as though you have two problems here. These errors:

[caldav-8010] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[users@058167af-ace8-519a-ac3d-e166498db024(/Search->/Local/Default)] FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000(root) 'System Administrator'>
[caldav-8010] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[users@058167af-ace8-519a-ac3d-e166498db024(/Search->/LDAPv3/127.0.0.1)] 791FBD53-1D1C-459E-80C3-C28AE11972B0(root) 'System Administrator'>
[caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/Local/Default)] ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050(admin) 'Administrators'>
[caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/LDAPv3/127.0.0.1)] 7D0CD28A-D68E-4501-92EA-A1AA88C8D70C(admin) 'Open Directory Administrators'>
[caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/Local/Default)] ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014(staff) 'Users'>
[caldav-8009] [OpenDirectoryService] Record disabled due to conflict: <OpenDirectoryRecord[groups@058167af-ace8-519a-ac3d-e166498db024(/Search->/LDAPv3/127.0.0.1)] E1F6927D-1F72-4882-BB9C-BBF51679E801(staff) 'Open Directory Users'>

indicate that there is a sync problem with the directory. Take a look at this post:

http://discussions.apple.com/message.jspa?messageID=7484260#7484260

for a possible solution - take the server offline and do a full disk image backup before you attempt this.

The certs should be in /usr/share/certs. There is a wealth of information regarding ssl certificates in the Leopard Security Manual that might give insight into this issue:

http://images.apple.com/server/macosx/docs/LeopardServer_Security_Configv10.5.pdf
