Jon Fink wrote:
After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is set up correctly.
Which "the certificate" are you talking about? There are always at least two in a correctly configured TLS installation.
In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain/ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?)
It's quite easy to confirm that it is NOT the issue. The error message clearly says that the CA is unknown. The client was unable to find the certificate corresponding to the CA that signed the server certificate.
Any thoughts?
Thanks, Jon
Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8
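The check behind the diagnosis above, as an added example that is not part of the thread: a throwaway CA signs a certificate for ldapserver.domain, and openssl verify is run against the correct trust store and against a wrong one, which reproduces the "depth: 0, err: 20, unable to get local issuer certificate" line from the trace. It assumes only the openssl CLI; TLS_CACERT is the ldap.conf(5) directive that names the CA file libldap trusts, and all names and keys below are constructed here.

```shell
#!/bin/sh
# Added example, not part of the thread. Reproduces the "depth: 0, err: 20,
# unable to get local issuer certificate" failure offline with a throwaway PKI
# so the meaning of the trace is unambiguous: the leaf is fine, the CLIENT's
# trust store simply does not contain the CA that issued it.
# Assumes only the openssl CLI. Every name and key below is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: GROUP_CA (the issuer CN from the quoted trace) signs the
# ldapserver.domain cert; OTHER_CA stands in for a trust store holding the wrong CA.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=GROUP_CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldapserver.domain" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OTHER_CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# chain_ok CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE. This is
# the check libldap runs during start_tls against the CA file named by TLS_CACERT
# in ldap.conf (or ~/.ldaprc); matching the "OK" line works on old and new openssl.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# chain_error CAFILE CERT: prints the verification error text, empty if none.
chain_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n1 || true
}

make_pki
# Correct trust store: what the remote client evidently has configured.
if chain_ok "$WORK/ca.pem" "$WORK/server.pem"; then
  echo "with GROUP_CA trusted: OK"
fi
# Wrong trust store: same server cert, same error as the on-server ldapsearch trace.
echo "with OTHER_CA trusted: $(chain_error "$WORK/other.pem" "$WORK/server.pem")"
```

Pointing TLS_CACERT on the failing host at the file that actually contains GROUP_CA is the fix the trace is asking for; the server's own certificate never enters into it.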