[pubcookie-users] Could not build a secure connection to keyserver error when running keyclient.exe manually

Matthew Scott matt at spotwerks.com
Mon Feb 7 19:36:56 PST 2005


I believe we have multiple SSL certs on the server assigned to different
sites and IPs. Not sure about their common name. They do all have the same
domain name. Is that the same as "common name"? Each server differs
slightly in the host name.

Is there a way to force the keyclient to use a specific cert? 

The SSL cert should match the application hostname that we're giving it, and
it's issued by Verisign.

We've previously been able to install pubcookie on our development
environment with a different cert and hostname that was issued by Verisign.

Matt

-----Original Message-----
From: Nathan Dors [mailto:dors at cac.washington.edu] 
Sent: Monday, February 07, 2005 7:17 PM
To: Matthew Scott
Cc: pubcookie-users at u.washington.edu
Subject: Re: [pubcookie-users] Could not build a secure connection to
keyserver error when running keyclient.exe manually


Does the group hosting the login server see anything in their syslogs from
their keyserver, i.e. anything that would indicate that the keyclient
connection is getting through and maybe why it's failing?

My initial guess is the keyclient.exe doesn't trust the CA that issued the
keyserver certificate, or the keyserver doesn't trust the CA that issued
your server certificate.

Note that the keyclient.exe cannot select between multiple certs in the
Windows cert store with the same Common Name. If you have more than one with
the right CN, and they're signed by different CAs, you might be picking up
the wrong certificate.

-Nathan


On Mon, 7 Feb 2005, Matthew Scott wrote:

> I'm attempting to load Pubcookie into our production environment and I 
> keep getting this error during the install (which of course ends up 
> causing the rollback).
>
> The server I'm working on is part of a web farm (3 total machines) 
> that all have the same SSL cert registered for the same domain name. 
> They sit behind a firewall/load balancer. Just to be on the safe side, 
> I took the other two machines out of the rotation to make sure any 
> incoming messages went directly to my specific server.
>
> I loaded a debug version of keyclient onto that machine and tried 
> again. It displayed the following error:
>
> **** Error 0x80090328 returned by InitializeSecurityContext (2)
>
> I've double checked with the group hosting the weblogin server and 
> port 2222 is open, and they've authorized our hostname.
>
> Any ideas?
>
> Matthew Scott
>
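
The duplicate-Common-Name situation described in the quoted reply can be checked directly on the web server. The PowerShell below is an added example, not part of the original thread or of Pubcookie; it assumes the server certificates live in the `LocalMachine\My` store, and it lists each certificate's subject CN, issuer and validity window, then flags any CN held by more than one certificate.

```powershell
# Added example: inventory certificates that share a Common Name.
# Assumption: the certificates in question are in the LocalMachine\My store.
$store    = 'Cert:\LocalMachine\My'
$now      = Get-Date
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$certs = Get-ChildItem -Path $store | ForEach-Object {
    [pscustomobject]@{
        CommonName = $_.GetNameInfo($nameType, $false)  # subject simple name (CN when present)
        Issuer     = $_.GetNameInfo($nameType, $true)   # issuer simple name
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        InValidity = ($now -ge $_.NotBefore -and $now -le $_.NotAfter)
        HasKey     = $_.HasPrivateKey
        Thumbprint = $_.Thumbprint
    }
}

# Full inventory, so every candidate certificate is visible side by side.
$certs | Sort-Object CommonName, NotAfter |
    Format-Table CommonName, Issuer, NotBefore, NotAfter, HasKey, Thumbprint -AutoSize

# Any CN held by more than one certificate is ambiguous for a client that
# selects by Common Name only; report how many distinct issuers are involved.
$certs | Group-Object CommonName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $issuers = @($_.Group | Select-Object -ExpandProperty Issuer -Unique)
    Write-Warning ("{0} certificates share CN '{1}'; {2} distinct issuer(s): {3}" -f `
        $_.Count, $_.Name, $issuers.Count, ($issuers -join '; '))
}

# Certificates outside their validity window or without a private key cannot
# be used for client authentication. In winerror.h, 0x80090328 is
# SEC_E_CERT_EXPIRED, so the dates are worth checking on both ends.
$certs | Where-Object { -not $_.InValidity -or -not $_.HasKey } | ForEach-Object {
    Write-Warning ("Unusable: CN '{0}', valid {1:u} to {2:u}, private key: {3}, thumbprint {4}" -f `
        $_.CommonName, $_.NotBefore, $_.NotAfter, $_.HasKey, $_.Thumbprint)
}
```

Run it from an elevated prompt on each machine in the farm and compare thumbprints to confirm they all carry the same certificate.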


