After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is setup correctly. In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?)
Any thoughts?
Thanks, Jon
Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8
Jon Fink wrote:
After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is setup correctly.
Which "the certificate" are you talking about? There are always at least two in a correctly configured TLS installation.
In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?)
It's quite easy to confirm that it is NOT the issue. The error message clearly says that the CA is unknown. The client was unable to find the certificate corresponding to the CA that signed the server certificate.
Any thoughts?
Thanks, Jon
Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8
Thanks for the reply - it turns out I was the victim of Debian's package management deciding to install a version of ldapsearch that suddenly looks in /usr/etc/openldap/ for configuration files. I didn't notice this on the server because it was defaulting to connect to localhost. Obviously, my CA certificate was not listed in this default (blank) configuration file...
-Jon
On Feb 10, 2008 2:51 PM, Howard Chu hyc@symas.com wrote:
Jon Fink wrote:
After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is setup correctly.
Which "the certificate" are you talking about? There are always at least two in a correctly configured TLS installation.
In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?)
It's quite easy to confirm that it is NOT the issue. The error message clearly says that the CA is unknown. The client was unable to find the certificate corresponding to the CA that signed the server certificate.
Any thoughts?
Thanks, Jon
Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
"Jon Fink" jon.fink@gmail.com writes:
Thanks for the reply - it turns out I was the victim of Debian's package management deciding to install a version of ldapsearch that suddenly looks in /usr/etc/openldap/ for configuration files.
Uh.
Well, that certainly wasn't intentional, and that path is completely wrong for a Debian package. Please file a Debian bug with the details if you haven't already.
Hi,
What TLS directive is used in the /etc/ldap.conf file on both machines (client/server)? Is the certificate bundle available on the server machine?
*TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA*
That means, there is no CA certificate on server machine to verify the server certificate.
Thanks, Digambar
On 2/11/08, Jon Fink jon.fink@gmail.com wrote:
After recently upgrading to a newer version of openldap I'm experiencing problems with start_tls on a connection to the slapd server. I'm fairly certain that the certificate is setup correctly. In fact the following command works properly from a remote client:
ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b 'ou=People,dc=group' '(objectClass=*)'
but when I run exactly the same command *on* the server I get the following error (with debug flags turned on):
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer: /CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
I feel like this may be related somehow to the FQDN resolution on the server, but I've tried a few permutations of hostname setup to no avail (is there a way to confirm that this is the issue?)
Any thoughts?
Thanks, Jon
Versions: slapd 2.4.7 openldap 2.4.7 openssl 0.9.8
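A small diagnostic script, added here as an example and not taken from the thread or from the OpenLDAP project, that covers both Jon's root cause (the client reading a different ldap.conf than expected) and Digambar's question (which TLS directive is set and whether the CA bundle exists): it locates the first readable ldap.conf candidate, reads the TLS_CACERT directive, and checks that the file exists and can verify a given server certificate with openssl verify. The candidate paths and the simplified first-match lookup order are assumptions; a config with no TLS_CACERT reproduces the "unknown CA" failure seen above.

```shell
#!/bin/sh
# Constructed example: which ldap.conf does an OpenLDAP client read, and does it
# name a CA certificate that can verify the server's certificate?
# The candidate paths below (including the /usr/etc/openldap/ path from the
# thread) and the simple first-match order are assumptions for illustration.

# Print the first readable ldap.conf candidate; return 1 if none is found.
find_ldap_conf() {
    for f in "${LDAPCONF:-}" "${LDAPRC:-}" "$HOME/.ldaprc" \
             /etc/ldap/ldap.conf /etc/openldap/ldap.conf /usr/etc/openldap/ldap.conf; do
        [ -n "$f" ] && [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Print the value of one ldap.conf directive (e.g. TLS_CACERT, BASE).
# Keywords are case-insensitive, '#' starts a comment; return 1 if absent.
conf_directive() {
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^[[:space:]]*#/ { next }
        toupper($1) == key && NF >= 2 { print $2; found = 1; exit }
        END { exit !found }' "$1"
}

# Check that a config names a CA bundle that exists and verifies the server
# certificate (PEM). Returns 0 on success, 1 if TLS_CACERT is missing (the
# blank-config case from the thread), 2 if the bundle file is unreadable,
# 3 if openssl cannot chain the server certificate to that CA.
check_ca_for_server() {   # args: ldap.conf path, server certificate PEM
    ca=$(conf_directive "$1" TLS_CACERT) || return 1
    [ -r "$ca" ] || return 2
    openssl verify -CAfile "$ca" "$2" >/dev/null 2>&1 || return 3
}
```

Run as `check_ca_for_server "$(find_ldap_conf)" server.pem` on the host where ldapsearch fails; a return of 1 or 2 means the client has no usable CA bundle regardless of hostname resolution.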
openldap-software@openldap.org