Hi List,
I have a CentOS 6.4 fresh install, and I'm trying to configure
OpenLDAP with moznss. For now, a self-signed certificate is sufficient
for my needs. But when I try to search using a secure connection (-Z
option), I get this error:

ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file
In openLdap logs:
connection_read(14): checking for input on id=1000
TLS: certdb config: configDir='/etc/openldap/certs/'
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs/', error -8018:Unknown
PKCS #11 error.
TLS: skipping 'cert8.db' - filename does not have expected format
(certificate hash with numeric suffix)
TLS: skipping 'key3.db' - filename does not have expected format
(certificate hash with numeric suffix)
TLS: skipping 'secmod.db' - filename does not have expected format
(certificate hash with numeric suffix)
TLS: error: the certificate 'LDAPServer' could not be found in the
database - error -8187:security library: invalid arguments..
TLS: could not read certificate file LDAPServer - error -5950:File not found.
TLS: error: could not initialize moznss security context - error
-5950:File not found
TLS: can't create ssl handle.
connection_read(14): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=14

I cannot give up using moznss, as it is the default with the openldap
package in CentOS 6.4. I created the TLS certificates like this:

[root@ldap ~]# openssl req -new -x509 -extensions v3_ca -keyout /etc/pki/CA/private/CAss.key -out /etc/pki/CA/certs/CAss.pem -days 200
# got rid of certificate password:
[root@ldap ~]# openssl rsa -in /etc/pki/CA/private/CAss.key -out /etc/pki/CA/private/CAssNOpass.key
# created pkcs12 key+cert
[root@ldap ~]# openssl pkcs12 -export -inkey /etc/pki/CA/private/CAssNOpass.key -in /etc/pki/CA/certs/CAss.pem -out /etc/pki/ldap.example.com.p12 -nodes -name 'LDAPServer'
# import p12 certificate to openldap keybase:
[root@ldap ~]# pk12util -i /etc/pki/ldap.example.com.p12 -d /etc/openldap/certs
# import CA, as CA, to certificate keybase:
[root@ldap ~]# certutil -A -d /etc/openldap/certs -n "LDAPServer" -t CT,, -i /etc/pki/CA/certs/CAss.pem
# verify:
[root@ldap ~]# certutil -d /etc/openldap/certs -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
LDAPServer                                                   CTu,u,u
# keybase has ldap permission, and ldap is able to read from it:
[root@ldap ~]# chown root:ldap /etc/openldap/certs/*
[root@ldap ~]# chmod 0640 /etc/openldap/certs/*
# openldap uses this keystore:
[root@ldap ~]# cat /etc/openldap/slapd.conf | grep -i tls
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile LDAPServer
TLSVerifyClient allow

What did I do wrong?
Best regards,
Augustin
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
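An added example, not part of Augustin's post: a small POSIX shell library that performs the two checks a reviewer would run on an NSS database set up as above, namely that the db directory and files are accessible to the group slapd runs as (a frequent cause of the "cannot open certdb" error in the log), and that the nickname given to TLSCertificateFile resolves to an entry in `certutil -L` output carrying the "u" (private key present) trust flag. It assumes slapd runs in group "ldap", and the embedded certutil listing is constructed, with the CA under its own nickname rather than sharing the server certificate's.

```shell
# Added example (not from the post): offline checks for the NSS database
# slapd reads through moznss. Assumes slapd runs as group "ldap", so the
# db files must be group-readable and the directory group-searchable.

# Return 0 when the directory is searchable and every db file readable
# by the group; otherwise slapd fails with "cannot open certdb ...".
check_certdb_perms() {
  dir=$1
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  [ -n "$(find "$dir" -prune -perm -g=x)" ] ||
    { echo "$dir is not group-searchable" >&2; return 1; }
  for f in cert8.db key3.db secmod.db; do
    [ -n "$(find "$dir/$f" -perm -g=r 2>/dev/null)" ] ||
      { echo "$dir/$f missing or not group-readable" >&2; return 1; }
  done
}

# Print the trust attributes of NICK from a saved certutil -L listing
# (FILE); return 1 when the nickname is absent. Nicknames may contain
# spaces, so the trust column (last field) is stripped instead of using $1.
nickname_trust() {
  nick=$1; listing=$2
  awk -v nick="$nick" '
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
    { trust = $NF; line = $0
      sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", line)  # drop trust column
      if (line == nick) { print trust; found = 1 } }
    END { exit found ? 0 : 1 }' "$listing"
}

# The nickname named by TLSCertificateFile must carry "u" in its SSL
# trust flags, i.e. NSS holds the private key for it; a CA certificate
# imported with -t CT,, has no key and cannot serve as the server cert.
has_private_key() {
  t=$(nickname_trust "$1" "$2") || return 1
  case "${t%%,*}" in *u*) return 0 ;; *) return 1 ;; esac
}

# Constructed listing: CA under its own nickname, server cert with a key.
sample_listing() {
  cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
LDAPServer                                                   u,u,u
EOF
}
```

On a live host, replace the constructed listing with `certutil -d /etc/openldap/certs -L > listing.txt` and run `check_certdb_perms /etc/openldap/certs && has_private_key LDAPServer listing.txt`.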