I tried several times, but nothing seems to work. First I changed the names to be the same as in the FAQ:
olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem
All three files are rwx for everyone and all belong to openldap (the user I am using for ldap).
Error log:
Dec 15 14:28:21 axew0204 slapd[24383]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ buildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Dec 15 14:28:21 axew0204 slapd[24383]: main: TLS init def ctx failed: -60
Dec 15 14:28:21 axew0204 slapd[24383]: slapd stopped.
Dec 15 14:28:21 axew0204 slapd[24383]: connections_destroy: nothing to destroy.
I tried running su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/'
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/servercrt.pem'
subject= /C=AU/ST=Some-State/L=Sydney/O=Internet Widgits Pty Ltd/CN=axew0204/emailAddress=alfonsas.stonis@axegroup.com.au
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/cacert.pem'
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=axew0204/emailAddress=alfonsas.stonis@axegroup.com.au
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/serverkey.pem'
unable to load certificate
24190:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
I assume the last error message is fine, because it is a private key and not a certificate itself.
Any ideas what to try next?
2008/12/12 Buchan Milne bgmilne@staff.telkomsa.net
On Thursday 11 December 2008 08:04:24 Alfonsas Stonis wrote:
Hi,
I am trying to configure openldap and tls. I am following the instructions at http://www.openldap.org/faq/data/cache/185.html; however, I can not start slapd.
My cn=config.ldif
olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
olcTLSCertificateFile: /etc/ldap/ssl/newcert.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/demoCA/newreq.pem
[...]
However, there is nothing in the log :(
Dec 11 16:47:41 axew0204 slapd[434]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ buildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to destroy.
The most common causes for this error message, in my experience, are:
- Path to certificates or key is wrong
- The user slapd runs as cannot access the certificates or keys
- The certificates or keys are in the wrong format
So, I would do this to test:
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/newcert.pem'
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/demoCA/newreq.pem'
(replace the user - 'ldap' in this case - with the username your slapd runs as).
However, it's probably not the best idea to configure slapd to find the certs or keys in the demoCA directory (if you sign another cert on that box, you will probably overwrite those files).
(The FAQ entry could also consider recommending placing the SSL key in a different file from the CSR ...)
(It may also be worthwhile adding an FAQ entry on this, with the error message, as googling the error message doesn't turn up any good answers, just bad questions ...)
Regards, Buchan
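The three causes Buchan lists (wrong path, unreadable by the slapd user, wrong format) and his "run openssl as the slapd user" test, collected into one pre-flight script. This is an added example for this thread, not a script from OpenLDAP or from either poster. The paths are the ones from Alfonsas's second attempt and the user name openldap is the one he mentions; both are overridable through environment variables. The su invocation, the use of "openssl pkey" (OpenSSL 1.0.0 and later) and the public-key comparison at the end are assumptions of this example, not something the thread describes.

```sh
#!/bin/sh
# Pre-flight check for the three files slapd loads at "TLS init" time.
# Added example for this thread; not from OpenLDAP and not Buchan's script.
# Assumptions: the paths are the ones from the thread, the slapd user is
# "openldap" (Debian's name), and "openssl pkey" exists (OpenSSL 1.0.0+).
# Run as root so readability is tested as the slapd user; as any other
# user only your own access is tested and the output says so.

: "${SLAPD_USER:=openldap}"
: "${TLS_CA:=/etc/ldap/ssl/cacert.pem}"
: "${TLS_CERT:=/etc/ldap/ssl/servercrt.pem}"
: "${TLS_KEY:=/etc/ldap/ssl/serverkey.pem}"

# Print every PEM label ("-----BEGIN <label>-----") in a file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Does the file hold a PEM block that belongs in this slot?  $1 = ca|cert|key.
# A CSR where a key is expected (demoCA/newreq.pem) or a key where a
# certificate is expected fails here, before openssl is even consulted.
has_label() {
    case "$1" in
        ca|cert) pat='^(TRUSTED )?CERTIFICATE$' ;;
        key)     pat='^(RSA |DSA |EC )?PRIVATE KEY$' ;;
        *)       return 2 ;;
    esac
    pem_labels "$2" | grep -Eq "$pat"
}

# slapd has no way to ask for a passphrase, so an encrypted key (PKCS#8 or
# traditional with a Proc-Type header) will never load.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Check one slot ($1 = ca|cert|key, $2 = path): existence, readability as
# the slapd user, PEM label, then an openssl parse if openssl is installed.
# Prints one line and returns non-zero at the first problem.
check_slot() {
    slot=$1 path=$2
    if [ ! -e "$path" ]; then
        echo "$slot: $path does not exist"; return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        # test -r in the slapd user's own context also catches a
        # directory on the way that the user cannot traverse.
        su -s /bin/sh -c "test -r '$path'" "$SLAPD_USER" 2>/dev/null \
            || { echo "$slot: $path is not readable by $SLAPD_USER"; return 1; }
    elif [ ! -r "$path" ]; then
        echo "$slot: $path is not readable by $(id -un) (not root, $SLAPD_USER not checked)"
        return 1
    fi
    has_label "$slot" "$path" || {
        echo "$slot: $path has no usable PEM block (found: $(pem_labels "$path" | tr '\n' ';'))"
        return 1
    }
    if [ "$slot" = key ] && key_is_encrypted "$path"; then
        echo "$slot: $path is passphrase-protected; slapd cannot prompt for it"; return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        case "$slot" in
            key) openssl pkey -noout -in "$path" >/dev/null 2>&1 ;;
            *)   openssl x509 -noout -in "$path" >/dev/null 2>&1 ;;
        esac || { echo "$slot: openssl cannot parse $path"; return 1; }
    fi
    echo "$slot: $path ok"
}

# Does the key belong to the certificate?  Compares the public keys, which
# works for any key type, unlike the usual RSA-only modulus comparison.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, key/cert match not checked"; return 0; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

main() {
    rc=0
    check_slot ca   "$TLS_CA"   || rc=1
    check_slot cert "$TLS_CERT" || rc=1
    check_slot key  "$TLS_KEY"  || rc=1
    [ "$rc" -eq 0 ] || return "$rc"
    if key_matches_cert "$TLS_CERT" "$TLS_KEY"; then
        echo "key matches cert"
    else
        echo "key does NOT match cert: $TLS_KEY is not the key for $TLS_CERT"; rc=1
    fi
    return "$rc"
}

if main; then
    echo "TLS files look usable; try starting slapd again"
else
    echo "fix the problem(s) above before starting slapd"
fi
```

Run it as root on the LDAP server, e.g. `SLAPD_USER=ldap TLS_KEY=/etc/ldap/ssl/demoCA/newreq.pem sh tlscheck.sh` to test the first configuration from the thread. The label check runs before openssl on purpose: a file whose only block is a CERTIFICATE REQUEST, or a key with a Proc-Type: 4,ENCRYPTED header, is reported in words rather than as the generic "no start line" error that openssl x509 prints for anything that is not a certificate.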