I tried several times, but nothing seems to work. First I changed the names to be the same as in FAQ

olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem

All three files are rwx for everyone and all belong to openldap (the user I am using for ldap).

Error log:

Dec 15 14:28:21 axew0204 slapd[24383]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25 2008 00:04:08) $ ^Ibuildd@yellow:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
Dec 15 14:28:21 axew0204 slapd[24383]: main: TLS init def ctx failed: -60
Dec 15 14:28:21 axew0204 slapd[24383]: slapd stopped.
Dec 15 14:28:21 axew0204 slapd[24383]: connections_destroy: nothing to destroy.

I tried running
su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/'

# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/servercrt.pem'
subject= /C=AU/ST=Some-State/L=Sydney/O=Internet Widgits Pty Ltd/CN=axew0204/emailAddress=alfonsas.stonis@axegroup.com.au
# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/cacert.pem'
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=axew0204/emailAddress=alfonsas.stonis@axegroup.com.au

# su - openldap -s /bin/bash -c 'openssl x509 -noout -subject -in /etc/ldap/ssl/serverkey.pem'
unable to load certificate
24190:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

I assume the last error message is fine, because it is a private key and not a certificate itself.

Any ideas what to try next?

2008/12/12 Buchan Milne <bgmilne@staff.telkomsa.net>
On Thursday 11 December 2008 08:04:24 Alfonsas Stonis wrote:
> Hi,
>
> I am trying to configure openldap and tls
> I am following instructions however, I can not start slapd
> http://www.openldap.org/faq/data/cache/185.html
>
> My cn\=config.ldif
>
> olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
> olcTLSCertificateFile: /etc/ldap/ssl/newcert.pem
> olcTLSCertificateKeyFile: /etc/ldap/ssl/demoCA/newreq.pem

[...]

> However there is nothing in log :(
>
> Dec 11 16:47:41 axew0204 slapd[434]: @(#) $OpenLDAP: slapd 2.4.11 (Oct 25
> 2008 00:04:08) $ ^Ibuildd@yellow
>
> :/build/buildd/openldap-2.4.11/debian/build/servers/slapd
>
> Dec 11 16:47:41 axew0204 slapd[434]: main: TLS init def ctx failed: -34
> Dec 11 16:47:41 axew0204 slapd[434]: slapd stopped.
> Dec 11 16:47:41 axew0204 slapd[434]: connections_destroy: nothing to
> destroy.



The most common cause for this error message in my experience, is:
-Path to certificates or key is wrong
-The user slapd runs as cannot access the certificates or keys
-The certificates or keys are in the wrong format

So, I would do this to test:

su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in
/etc/ldap/ssl/newcert.pem'

su - ldap -s /bin/bash -c 'openssl x509 -noout -subject -in
/etc/ldap/ssl/demoCA/newreq.pem'


(replace the user - 'ldap' in this case - with the username your slapd runs
as).

However, it's probably not the best idea to configure slapd to find the certs
or keys in the demoCA directory (if you sign another cert on that box, you
will probably overwrite those files).

(The FAQ entry could also consider recommending to place the SSL key in a
different file than the CSR ....)

(It may also be worthwhile adding an FAQ entry on this, with the error
message, as googling the error message doesn't turn up and good answers, just
bad questions ...)

Regards,
Buchan