Hello,
I found a very similar and recent post on the Mailing List but no solution. Maybe I missed something.
I migrated my OpenLDAP server from Debian Sarge (slapd 2.2.23-8) to Debian Etch (slapd 2.3.30-5).
On Sarge all was working fine (LDAP server with and without SSL) but now SSL access is unusable. Using clear access (port 389) the LDAP server works fine.
With SSL, I checked all my certificates (Root CA and LDAP certificate) and renewed all of them, without success. Always the same error message, although all seems OK about the certificates.
# openssl x509 -in LDAPserver-cert.pem -text -noout
========================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=MYDOMAIN, CN=mydomain.net Root CA/emailAddress=user@mydomain.net
        Validity
            Not Before: Apr 19 21:47:31 2007 GMT
            Not After : Apr 18 21:47:31 2008 GMT
        Subject: C=FR, ST=France, L=Nice, O=MYDOMAIN, CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c2:20:97:ed:17:fa:d5:87:bd:c8:1e:36:4c:e5:
                    3e:30:25:2b:e1:35:71:89:9f:68:55:38:41:e2:00:
                    .........
                    75:5b:c4:bd:62:dc:43:df:b2:9c:9f:c9:e5:bd:fb:
                    9e:bb:fc:51:ba:60:3e:53:6c:e9:b3:85:56:9a:7e:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CE:19:D6:9C:..............................
            X509v3 Authority Key Identifier:
                keyid:4D:58:60:..............................

    Signature Algorithm: sha1WithRSAEncryption
        48:f0:90:2f:93:cb:ae:93:3f:ac:c9:d8:7e:2f:95:1f:9b:86:
        ca:aa:34:a7:f0:63:e4:aa:1d:47:8d:ad:6f:ed:e1:d6:58:7d:
        ....................................................
        30:b5:37:21:c5:3e:1a:f3:f6:29:1a:17:6d:c6:fb:06:d2:44:
        20:24:b4:9e
=============================
# ldapsearch -d1 -x -H ldaps://localhost:636/
gives me the following answer:
==================================
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 26, subject: /C=FR/ST=France/L=Nice/O=MYDOMAIN/CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net, issuer: /C=FR/ST=France/O=MYDOMAIN/CN=mydomain.net Root CA/emailAddress=user@mydomain.net
TLS certificate verification: Error, unsupported certificate purpose
TLS trace: SSL3 alert write:fatal:unsupported certificate
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
============================================
I'm just wondering what's wrong. I've been searching for a few days.
Is something wrong with LDAP server 2.3.30? Did I miss some evidence?
If someone can give me any light, because I feel alone without any solution.
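As an added example (not part of the post above, and not OpenLDAP or OpenSSL code): a small Python checker that reads the extension section of `openssl x509 -text` output like the dump in the post and applies the same rules OpenSSL's purpose check uses when it decides whether a certificate may act as an SSL server, which is what produces verification error 26, "unsupported certificate purpose". The sample text is constructed from the extensions shown in the post; the function and variable names are mine.

```python
import re

# Constructed sample: the extension lines as `openssl x509 -text -noout` prints
# them, modelled on the dump in the post (Netscape Cert Type = Object Signing).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
"""

def parse_extensions(text):
    """Return {extension name: value line} from openssl -text output.
    openssl prints the extension name on one line and its value on the next."""
    exts = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s+(X509v3 [A-Z][\w ]*|Netscape [A-Z][\w ]*):\s*(critical)?\s*$", line)
        if m and i + 1 < len(lines):
            exts[m.group(1)] = lines[i + 1].strip()
    return exts

def ssl_server_purpose_ok(exts):
    """Mirror OpenSSL's SSL-server purpose test for a leaf certificate:
    - if Extended Key Usage is present it must include serverAuth,
    - if Netscape Cert Type is present it must include the SSL Server bit,
    - if Key Usage is present it must allow digitalSignature, keyEncipherment
      or keyAgreement.
    Returns (ok, list of reasons); an empty reason list means the purpose is accepted."""
    reasons = []
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and "TLS Web Server Authentication" not in eku:
        reasons.append("EKU lacks serverAuth: " + eku)
    ns = exts.get("Netscape Cert Type")
    if ns is not None and "SSL Server" not in ns:
        reasons.append("nsCertType lacks SSL Server: " + ns)
    ku = exts.get("X509v3 Key Usage")
    allowed = {"Digital Signature", "Key Encipherment", "Key Agreement"}
    if ku is not None and not (allowed & set(ku.split(", "))):
        reasons.append("Key Usage lacks digitalSignature/keyEncipherment/keyAgreement: " + ku)
    return (not reasons, reasons)

if __name__ == "__main__":
    ok, why = ssl_server_purpose_ok(parse_extensions(SAMPLE_TEXT))
    print("SSL server purpose OK" if ok else "unsupported certificate purpose: " + "; ".join(why))
```

A certificate with no nsCertType and no EKU passes this check, so the same test run on a certificate issued without an `nsCertType` line shows which extension a strict client objects to.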