On 25/11/10 17.26, bluethundr wrote:
> I have setup the certificate chain in my slapd.conf like so:
>
> [r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
As mentioned in my previous mail, there is no need to specify
TLSCACertificateFile in slapd.conf unless your server will request a
client certificate for authentication. Nor is there any point in trying
multiple files; you can concatenate the CA certificates into a single file.
Since these are certificates you can leave global read access.
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Can't find sf_issuing.crt, well, from your CWD it appears that the
certificate is not found in that path.
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
> does anyone have any suggestions on how to make this work?
No. I assume that your hostname is the CN indicated above, so your -h is
not the issue. When you do -ZZ then ldapsearch will fail if it cannot
validate the certificate. You can try with a single -Z to see if it works.
You have not included your ldap.conf above; the ldapsearch reads
ldap.conf, including where to find any CA certificates. Either you have
not installed the GoDaddy CA certificate or not updated your ldap.conf
accordingly.
BR, Erik
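A way to check the client side before touching ldap.conf, added here as an example (not code from the thread; file names and paths are assumptions): concatenate the issuer certificates into one bundle, confirm with openssl that the bundle actually completes the server's chain, and read back which TLS_CACERT the client configuration points at. A verify failure here is the same condition ldapsearch -ZZ reports as "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All file names are
# assumptions; substitute the real server cert, CA files and ldap.conf.
set -u

# build_bundle OUT CERT... : concatenate PEM CA certificates into one file
# and print how many certificates the result contains (0 = nothing usable).
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        cat "$f" >> "$out"
        # make sure each cert ends with a newline so the next BEGIN line parses
        [ -n "$(tail -c1 "$f")" ] && echo >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# verify_chain SERVER_CRT BUNDLE : returns 0 only if every issuer up to a
# trusted root is present in BUNDLE, i.e. what ldapsearch -ZZ needs to succeed.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ldap_conf_cacert LDAP_CONF : print the TLS_CACERT path the client will use
# (the directive is case-insensitive in ldap.conf, hence toupper).
ldap_conf_cacert() {
    awk 'toupper($1)=="TLS_CACERT" {print $2}' "$1"
}

# Typical use (paths are assumptions):
#   n=$(build_bundle /usr/local/etc/openldap/cacerts/ca_bundle.crt \
#         sf_issuing.crt gd_bundle.crt) && echo "$n certs in bundle"
#   verify_chain /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt \
#         /usr/local/etc/openldap/cacerts/ca_bundle.crt && echo "chain OK"
#   ldap_conf_cacert /usr/local/etc/openldap/ldap.conf
```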
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"