Hello,
I found a very similar and recent post on the mailing list but no solution. Maybe I missed something.
I migrated my openLdap server from Debian Sarge (slapd 2.2.23-8) to Debian Etch (slapd 2.3.30-5)
On Sarge all was working fine (LDAP server with and without SSL) but now SSL access is unusable. Using clear access (port 389) the LDAP server works fine.
With SSL, I checked all my certificates (Root CA and LDAP certificate) and renewed all of them, without success. Always the same error message.
Although all seems OK about the certificates.
# openssl x509 -in LDAPserver-cert.pem -text -noout
========================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=MYDOMAIN, CN=mydomain.net Root CA/emailAddress=user@mydomain.net
        Validity
            Not Before: Apr 19 21:47:31 2007 GMT
            Not After : Apr 18 21:47:31 2008 GMT
        Subject: C=FR, ST=France, L=Nice, O=MYDOMAIN, CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c2:20:97:ed:17:fa:d5:87:bd:c8:1e:36:4c:e5:
                    3e:30:25:2b:e1:35:71:89:9f:68:55:38:41:e2:00:
                    .........
                    75:5b:c4:bd:62:dc:43:df:b2:9c:9f:c9:e5:bd:fb:
                    9e:bb:fc:51:ba:60:3e:53:6c:e9:b3:85:56:9a:7e:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CE:19:D6:9C:..............................
            X509v3 Authority Key Identifier:
                keyid:4D:58:60:..............................
    Signature Algorithm: sha1WithRSAEncryption
        48:f0:90:2f:93:cb:ae:93:3f:ac:c9:d8:7e:2f:95:1f:9b:86:
        ca:aa:34:a7:f0:63:e4:aa:1d:47:8d:ad:6f:ed:e1:d6:58:7d:
        ....................................................
        30:b5:37:21:c5:3e:1a:f3:f6:29:1a:17:6d:c6:fb:06:d2:44:
        20:24:b4:9e
=============================
# ldapsearch -d1 -x -H ldaps://localhost:636/ gives me the following answer:
==================================
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 26, subject: /C=FR/ST=France/L=Nice/O=MYDOMAIN/CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net, issuer: /C=FR/ST=France/O=MYDOMAIN/CN=mydomain.net Root CA/emailAddress=user@mydomain.net
TLS certificate verification: Error, unsupported certificate purpose
TLS trace: SSL3 alert write:fatal:unsupported certificate
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
============================================
I'm just wondering what's wrong. I've been searching for a few days.
Is something wrong with LDAP server 2.3.30? Did I miss some evidence?
If someone can give me any light, because I feel alone without any solution.
On Tue, 24 Apr 2007, Jean-Claude wrote: ...
> With SSL, I checked all my certificates (Root CA and LDAP certificate) and renewed all of them, without success. Always the same error message.
> Although all seems OK about the certificates.
> # openssl x509 -in LDAPserver-cert.pem -text -noout
> ...
>             Netscape Cert Type:
>                 Object Signing
The certificate has a "Netscape Cert Type" field, but that field doesn't include the "SSL Server" flag. Your certificate creation setup needs to be corrected and a new certificate created. To quote the "X509 CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:
    SSL Server
        The extended key usage extension must be absent or include the
        "web server authentication" and/or one of the SGC OIDs. keyUsage
        must be absent or it must have the digitalSignature set, the
        keyEncipherment set, or both bits set. Netscape certificate type
        must be absent or have the SSL server bit set.
Philip Guenther Sendmail, Inc.
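The following script is an added example, not code from the thread or from OpenLDAP. It rebuilds the failure with a throwaway CA: one server certificate is issued with the same "objsign"-only Netscape Cert Type as the one posted above, a second with the profile the manpage excerpt describes, and both are run through `openssl verify -purpose sslserver`, which applies the same purpose check that libldap's TLS verification failed with (error 26). The CA name "Example Root CA", the hostname ldap.example.test and the helper function names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the
# "unsupported certificate purpose" rejection and show the corrected
# extension profile. Names (Example Root CA, ldap.example.test) are made up.
set -eu

# Profile matching the posted certificate: Netscape Cert Type is present
# but carries only the Object Signing bit, so the SSL-server purpose check
# rejects it (X509_V_ERR_INVALID_PURPOSE, error 26).
BAD_EXT='basicConstraints = CA:FALSE
nsCertType = objsign
subjectKeyIdentifier = hash'

# Corrected profile per the openssl(1) text quoted above: nsCertType has the
# SSL server bit, keyUsage has digitalSignature and keyEncipherment, and
# extendedKeyUsage is serverAuth. Leaving nsCertType out entirely also passes.
GOOD_EXT='basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash'

# Minimal req config so the example does not depend on the system openssl.cnf.
REQ_CNF='[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder'

# new_csr DIR NAME SUBJECT: fresh RSA key and CSR, non-interactive.
new_csr() {
    printf '%s\n' "$REQ_CNF" > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# make_ca DIR: self-signed root with CA:TRUE and keyCertSign.
make_ca() {
    new_csr "$1" ca "/O=Example/CN=Example Root CA"
    printf '%s\n' "basicConstraints = critical, CA:TRUE" \
        "keyUsage = critical, keyCertSign, cRLSign" \
        "subjectKeyIdentifier = hash" > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
        -set_serial 1 -extfile "$1/ca.ext" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_server DIR NAME SERIAL EXTENSIONS: sign the server CSR with a profile.
issue_server() {
    printf '%s\n' "$4" > "$1/$2.ext"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial "$3" -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# server_purpose_ok DIR CERT: exit 0 only if CERT passes the sslserver purpose
# check against the CA; prints openssl's verdict (e.g. "error 26 ... purpose").
server_purpose_ok() {
    openssl verify -purpose sslserver -CAfile "$1/ca.pem" "$1/$2.pem"
}

# run_demo: returns 0 when the objsign-only cert is rejected and the
# corrected cert is accepted, which is the outcome the thread describes.
run_demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    new_csr "$dir" server "/O=Example/CN=ldap.example.test"
    issue_server "$dir" bad 2 "$BAD_EXT"
    issue_server "$dir" good 3 "$GOOD_EXT"
    bad_rc=0;  server_purpose_ok "$dir" bad  2>&1 || bad_rc=$?
    good_rc=0; server_purpose_ok "$dir" good 2>&1 || good_rc=$?
    rm -rf "$dir"
    [ "$bad_rc" -ne 0 ] && [ "$good_rc" -eq 0 ]
}

run_demo
```

The same purpose table can be read straight off an existing certificate with `openssl x509 -in LDAPserver-cert.pem -noout -purpose`; a certificate like the one posted shows "SSL server : No", which is the quickest way to confirm the diagnosis before re-issuing.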
Philip Guenther guenther+ldapsoft@sendmail.com wrote:
> # openssl x509 -in LDAPserver-cert.pem -text -noout
> ...
>             Netscape Cert Type:
>                 Object Signing
> The certificate has a "Netscape Cert Type" field, but that field doesn't include the "SSL Server" flag. Your certificate creation setup needs to be corrected and a new certificate created. To quote the "X509 CERTIFICATE EXTENSIONS" part of the openssl(1) manpage:
>     SSL Server
>         The extended key usage extension must be absent or include the
>         "web server authentication" and/or one of the SGC OIDs. keyUsage
>         must be absent or it must have the digitalSignature set, the
>         keyEncipherment set, or both bits set. Netscape certificate type
>         must be absent or have the SSL server bit set.
> Philip Guenther Sendmail, Inc.
Thank you Philippe for the answer.
You were right. That was the problem. I corrected this point, renewed my LDAP certificate and there's no more error message. I have to test more deeply now, but I am optimistic.
I can't remember if I adjusted this parameter a year ago with my old Debian Sarge, but obviously I would have had to.
Again, many thanks.
Jean-Claude wrote:
> Hello,
> I found a very similar and recent post on the mailing list but no solution. Maybe I missed something.
The solution was in this post: http://www.openldap.org/lists/openldap-software/200704/msg00129.html
openldap-software@openldap.org