Digging further into it, I noticed that the openssl command used to verify was "OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)", but /usr/sbin/slapd is linked to libssl.so.1.1.

Both certificates have "Public-Key: (2048 bit)", but I noticed that the "X509v3 extensions" are different. Maybe that's the problem. I'll re-create the certificate and see what happens. Anyway, hunting for these types of problems is not much fun..

Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Windl, Ulrich <[email protected]>
> Sent: Thursday, March 6, 2025 12:03 PM
> To: Philip Guenther <[email protected]>
> Cc: [email protected]; [email protected]
> Subject: [EXT] RE: RE: Re: Getting details for "TLS trace: SSL3 alert read:fatal:unsupported certificate"
>
> Hi!
>
> I used "openssl verify" to verify both certificates, using both -CApath and -CAfile, and both certificates were "OK".
> I ran those commands as "root", but I also verified that certificate and key can be read as "ldap".
>
> Kind regards,
> Ulrich Windl
>
> > -----Original Message-----
> > From: Philip Guenther <[email protected]>
> > Sent: Thursday, March 6, 2025 8:48 AM
> > To: Windl, Ulrich <[email protected]>
> > Cc: [email protected]; [email protected]
> > Subject: [EXT] RE: Re: Getting details for "TLS trace: SSL3 alert read:fatal:unsupported certificate"
> >
> > On Wed, 5 Mar 2025, Windl, Ulrich wrote:
> > > thanks! Actually that's what I did: Comparing the data of the certificate that worked with that which does not.
> > > I could not find any relevant difference.
> >
> > The error being reported is from the OpenSSL library, not from OpenLDAP itself. The certs, or some CA the failing cert would chain through, are different in some way that _is_ relevant.
> >
> >
> > Philip Guenther
