Comment # 2 on bug 1198282 from 
the directory was setup by that module without any problems.  however, i had to
use certutil to reinstall  my own certificate ca, server cert p12 file.  that
all started without problems

my certificates are set up correctly:

openssl s_client -connect www.nc.com:636
CONNECTED(00000003)
depth=1 C = NZ, O = Global Certificates Ltd., CN = globalcertsca
verify return:1
depth=0 C = NZ, O = Global Certificates Ltd., CN = www.nc.com
verify return:1
---
Certificate chain
 0 s:C = NZ, O = Global Certificates Ltd., CN = www.nc.com
   i:C = NZ, O = Global Certificates Ltd., CN = globalcertsca
 1 s:C = NZ, O = Global Certificates Ltd., CN = globalcertsca
   i:C = NZ, O = Global Certificates Ltd., CN = globalcertsca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC0DCCAjKgAwIBAgIIYhTylJZcqiEwCgYIKoZIzj0EAwQwSDELMAkGA1UEBhMC
TloxITAfBgNVBAoTGEdsb2JhbCBDZXJ0aWZpY2F0ZXMgTHRkLjEWMBQGA1UEAxMN
Z2xvYmFsY2VydHNjYTAgFw0yMjA0MTAwNTM3MDBaGA8yMDYyMDQxMDA1MzcwMFow
RTELMAkGA1UEBhMCTloxITAfBgNVBAoTGEdsb2JhbCBDZXJ0aWZpY2F0ZXMgTHRk
LjETMBEGA1UEAxMKd3d3Lm5jLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE
AB++mM0Cr+oVGYNS9YaXmJY2ZajXKt8kSt+ty5uLV3WrStcbFhWHOME0G4KijYRO
LtyTg8gl1wLoFFhmqGIEZyzqAbkh3e9XqdoEYNPvciRakWKgQ4lnule9+OMgBxwo
9ddfnAwk/pRBKbRBqwKc8ouxhglbS55k+gBhteqOfl2ShAcbo4HDMIHAMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFFoCFqObkZH0GsjD0q7XJ4FNlTGJMB8GA1UdIwQY
MBaAFLrIsG+n6Vtl++4AB+BqJaXCGx9uMAsGA1UdDwQEAwID+DATBgNVHSUEDDAK
BggrBgEFBQcDATAbBgNVHREEFDASggp3d3cubmMuY29thwTAqDkCMBEGCWCGSAGG
+EIBAQQEAwIGQDAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMAoGCCqG
SM49BAMEA4GLADCBhwJCAek/1qOSzq5bMcrgS9sc0/4f4lcJjqgjn7xftvRH4Vso
nKxeufHwF92TA62yGG34O8JcU5IQLM0tqYuUWK1XNjVvAkFmumOD6TYKZY+j/Lrj
axUl8OhzyZH3cbi1FLjhtDfMIeH0Qe0mWRuNx6U7IKJILj57bn8JB42KtIqwnaQ4
eaMvXA==
-----END CERTIFICATE-----
subject=C = NZ, O = Global Certificates Ltd., CN = www.nc.com

issuer=C = NZ, O = Global Certificates Ltd., CN = globalcertsca

---
Acceptable client certificate CA names
C = NZ, O = Global Certificates Ltd., CN = globalcertsca
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA512
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1897 bytes and written 414 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 521 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

You are receiving this mail because: