Hi,
What TLS directive is used in the /etc/ldap.conf file on both machines (client/server)?
Is the certificate bundle available on the server machine?
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
That means there is no CA certificate on the server machine to verify the server certificate.
Thanks,
Digambar
On 2/11/08, Jon Fink <jon.fink@gmail.com> wrote:
After recently upgrading to a newer version of openldap I'm
experiencing problems with start_tls on a connection to the slapd
server. I'm fairly certain that the certificate is setup correctly.
In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the
following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the
server, but I've tried a few permutations of hostname setup to no
avail (is there a way to confirm that this is the issue?)
Any thoughts?
Thanks,
Jon
Versions:
slapd 2.4.7
openldap 2.4.7
openssl 0.9.8
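Added example, not part of the thread: the script below reproduces the depth-0 "err: 20 ... unable to get local issuer certificate" from the trace using a throwaway private CA and a server certificate carrying the same DNs, shows the same check passing once the CA file is supplied (which is what a TLS_CACERT line in the client's ldap.conf does for the OpenLDAP client library), and shows that a hostname problem would surface as a different error (62, hostname mismatch) rather than as an unknown CA. It needs only the openssl command-line tool (1.1.x or 3.x); the file names, the ldap.conf contents and the hostnames are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Throwaway CA + server cert, then
# openssl verify with and without the CA, to show what error 20 means.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # Self-contained req configs so the system openssl.cnf is not needed.
  # DNs copied from the trace in the thread; keys are single-use.
  cat >"$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = GROUP_CA
ST = PA
C = US
O = GROUP
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$WORK/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ldapserver.domain
ST = PA
C = US
O = GRP
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldapserver.domain
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server.cnf" \
    -extensions server_ext -out "$WORK/server.pem" 2>/dev/null
}

# verify_cert CERT [CAFILE] [HOSTNAME]
# Without CAFILE only the system trust store is consulted, which does not
# contain the private CA: that is the client's situation in the thread.
# Prints a one-line verdict derived from openssl's own error text.
verify_cert() {
  cafile=${2:-}; host=${3:-}
  set -- "$1"
  if [ -n "$cafile" ]; then set -- -CAfile "$cafile" "$@"; fi
  if [ -n "$host" ]; then set -- -verify_hostname "$host" "$@"; fi
  out=$( { openssl verify "$@" 2>&1 || true; } | tr 'A-Z' 'a-z')
  case "$out" in
    *"unable to get local issuer certificate"*) echo "error 20: unknown CA" ;;
    *"hostname mismatch"*) echo "error 62: hostname mismatch" ;;
    *": ok"*) echo "OK" ;;
    *) echo "other: $out" ;;
  esac
}

# Client-side fix: tell the OpenLDAP client library where the CA bundle is
# and keep verification strict. Placeholder paths and values.
write_ldap_conf() {
  cat >"$WORK/ldap.conf" <<EOF
URI         ldap://ldapserver.domain
BASE        dc=group
TLS_CACERT  $WORK/ca.pem
TLS_REQCERT demand
EOF
}

# check_ldap_conf CONF CERT HOSTNAME: read TLS_CACERT from an ldap.conf,
# confirm the file is readable, then verify CERT against it for HOSTNAME.
check_ldap_conf() {
  conf=$1; cert=$2; host=$3
  cafile=$(awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$conf")
  if [ -z "$cafile" ]; then echo "no TLS_CACERT in $conf"; return 0; fi
  if [ ! -r "$cafile" ]; then echo "TLS_CACERT not readable: $cafile"; return 0; fi
  verify_cert "$cert" "$cafile" "$host"
}

make_certs
write_ldap_conf
echo "no CA supplied:      $(verify_cert "$WORK/server.pem")"
echo "CA supplied:         $(verify_cert "$WORK/server.pem" "$WORK/ca.pem")"
echo "CA + right hostname: $(verify_cert "$WORK/server.pem" "$WORK/ca.pem" ldapserver.domain)"
echo "CA + wrong hostname: $(verify_cert "$WORK/server.pem" "$WORK/ca.pem" ldapserver.other)"
echo "via ldap.conf:       $(check_ldap_conf "$WORK/ldap.conf" "$WORK/server.pem" ldapserver.domain)"
```

Run it on the host where ldapsearch fails. If the first line reports error 20 and the second reports OK, the server certificate chain itself is fine and the client on that host is simply not consulting a trust store that contains the CA: check TLS_CACERT or TLS_CACERTDIR in that host's ldap.conf (and any ~/.ldaprc of the user running ldapsearch), and that the referenced file is readable by that user. A hostname or FQDN problem cannot produce error 20 at depth 0; it shows up only after the chain verifies, as the hostname-mismatch case above.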