Thanks for the reply - it turns out I was the victim of Debian's package management deciding to install a version of ldapsearch that suddenly looks in /usr/etc/openldap/ for configuration files. I didn't notice this on the server because it was defaulting to connect to localhost. Obviously, my CA certificate was not listed in this default (blank) configuration file...
-Jon
On Feb 10, 2008 2:51 PM, Howard Chu hyc@symas.com wrote:
Jon Fink wrote:
After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is set up correctly.
Which "the certificate" are you talking about? There are always at least two in a correctly configured TLS installation.
In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?)
It's quite easy to confirm that it is NOT the issue. The error message clearly says that the CA is unknown. The client was unable to find the certificate corresponding to the CA that signed the server certificate.
Any thoughts?
Thanks, Jon
Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
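The root cause in this thread (a rebuilt ldapsearch reading a blank ldap.conf from /usr/etc/openldap/ with no TLS_CACERT, hence "unable to get local issuer certificate") can be caught before any network test. The script below is an added example, not code from the thread or from the OpenLDAP project: it checks each candidate client config file for a TLS_CACERT or TLS_CACERTDIR setting that actually points at an existing file or directory. The list of candidate paths (Debian's /etc/ldap/ldap.conf, the stock /etc/openldap/ldap.conf, the /usr/etc/openldap/ path from the thread, $LDAPCONF and ~/.ldaprc) is an assumption about where a given build looks.

```shell
#!/bin/sh
# Added example: find out which OpenLDAP client config files exist and
# whether each one names a usable CA bundle. A client that reads a config
# with no TLS_CACERT/TLS_CACERTDIR cannot build the chain for the server
# certificate and fails start_tls with "unknown CA", as in the thread.

# Report on one ldap.conf. Prints one of:
#   OK <conf> <path>           usable CA file or directory configured
#   MISSING-FILE <conf> <path> TLS_CACERT set but the file is unreadable
#   MISSING-DIR <conf> <path>  TLS_CACERTDIR set but the directory is absent
#   UNSET <conf>               config exists but names no CA at all
#   NOCONF <conf>              config file does not exist or is unreadable
# Returns 0 only for the OK case.
check_ldap_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "NOCONF $conf"; return 1; }
    # Option names are case-insensitive in ldap.conf(5); '#' comment lines
    # never match because their first field starts with '#'. Last wins.
    cacert=$(awk 'toupper($1)=="TLS_CACERT"    {print $2}' "$conf" | tail -n 1)
    cadir=$(awk  'toupper($1)=="TLS_CACERTDIR" {print $2}' "$conf" | tail -n 1)
    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ]; then echo "OK $conf $cacert"; return 0; fi
        echo "MISSING-FILE $conf $cacert"; return 1
    fi
    if [ -n "$cadir" ]; then
        if [ -d "$cadir" ]; then echo "OK $conf $cadir"; return 0; fi
        echo "MISSING-DIR $conf $cadir"; return 1
    fi
    echo "UNSET $conf"; return 1
}

# Walk every location a client build might read (assumed list); succeed if at
# least one of them carries a usable CA setting. Compare the output against the
# path your ldapsearch binary was actually built to use.
check_all() {
    status=1
    for f in /etc/ldap/ldap.conf /etc/openldap/ldap.conf \
             /usr/etc/openldap/ldap.conf "${LDAPCONF:-}" \
             "${HOME:-/nonexistent}/.ldaprc"; do
        [ -n "$f" ] || continue
        check_ldap_conf "$f" && status=0
    done
    return $status
}
```

Run it on the host where ldapsearch fails and on one where it works; an UNSET or NOCONF line for the file the failing binary reads is the configuration gap the "unknown CA" alert is reporting.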