I know this has been hashed over before, but I simply cannot get my LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in certificate chain
errors. A standard "openssl s_client" test works fine, but a client such as ldapsearch simply refuses to cooperate. I have the "tls_cacertdir" set to point at a directory that has a copy of every certificate I've created and it still won't work.
The certificates were created based on the instructions at:
http://www.openldap.org/faq/data/cache/185.html
as specified in the admin manual. I'm the first to admit I'm not an SSL guy, but this has got me stumped! I'll be happy to provide whatever bits of the various config files you need.
Help me Obi-Wan Kenobi!
----------------------------------------------------------------------
- Rick Stevens, Unix Geek                          rps2@socal.rr.com -
-                                                                    -
- Treat each day as if it's your last...a lot of crying and whining  -
- usually gets you what you want!                   -- Sam Sledge    -
----------------------------------------------------------------------
Hi Rick,
On Wed, Jul 8, 2009 at 8:22 PM, Rick Stevens <rps2@socal.rr.com> wrote:
I know this has been hashed over before, but I simply cannot get my LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in certificate chain
errors. A standard "openssl s_client" test works fine, but a client such as ldapsearch simply refuses to cooperate. I have the "tls_cacertdir" set to point at a directory that has a copy of every certificate I've created and it still won't work.
Could you outline which version of openldap and OS you're using?
Rick Stevens <rps2@socal.rr.com> writes:
I know this has been hashed over before, but I simply cannot get my LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in certificate chain
This error may not be the culprit, if the error (or warning) is referring to the CA. What is the CN of the server certificate and what is the host part of your search string? In order to debug the TLS session run ldapsearch with -d3 option.
-Dieter
Dieter Kluenter wrote:
Rick Stevens <rps2@socal.rr.com> writes:
I know this has been hashed over before, but I simply cannot get my LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in certificate chain
This error may not be the culprit, if the error (or warning) is referring to the CA.
Wrong. It is *exactly* the culprit.
What is the CN of the server certificate and what is the host part of your search string?
If the cert CN were the problem, the error message would have said that. Don't second-guess these error messages.
In order to debug the TLS session run ldapsearch with -d3 option.
On Thursday, 9 July 2009, Rick Stevens wrote:
I know this has been hashed over before, but I simply cannot get my LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in certificate chain
errors. A standard "openssl s_client" test works fine, but a client such as ldapsearch simply refuses to cooperate. I have the "tls_cacertdir" set to point at a directory that has a copy of every certificate I've created and it still won't work.
The certificates were created based on the instructions at:
http://www.openldap.org/faq/data/cache/185.html
as specified in the admin manual. I'm the first to admit I'm not an SSL guy, but this has got me stumped! I'll be happy to provide whatever bits of the various config files you need.
So, you have created your certs with openssl. Are your ldap binaries linked against openssl or gnutls libraries?
$ ldd $(which ldapsearch)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7e34000)
This openldap installation is linked against gnutls!
If your openldap installation also uses gnutls, then you MUST reorder the certificates.
OpenSSL certs begin with the top-level cert (normally the CA), GnuTLS certs end with the CA cert :-( .
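Before reordering anything it helps to see which order a bundle actually has. The script below is an added example, not code from the thread: it splits a PEM bundle into its certificates in file order, prints subject and issuer for each, and reports whether the self-signed CA (subject equals issuer) sits first or last. It assumes the openssl CLI is installed and takes the bundle path as its argument.

```sh
#!/bin/sh
# chain_order BUNDLE.pem
# Lists every certificate in the bundle in file order and says whether the
# self-signed CA is first or last. Uses only the openssl CLI and awk.
chain_order() {
  bundle="$1"
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one numbered file per certificate, preserving order.
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = 1 }
    f { print > (sprintf("%s/%03d.pem", d, n)) }
    /-----END CERTIFICATE-----/   { f = 0 }' "$bundle"
  i=0; first_self=""; last_self=""
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || continue
    i=$((i + 1))
    # Normalise "subject= /CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1+).
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= */subject=/')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= */issuer=/')
    self=no
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then self=yes; fi
    echo "$i: $subj | $iss | self-signed=$self"
    if [ "$i" -eq 1 ]; then first_self=$self; fi
    last_self=$self
  done
  rm -rf "$tmp"
  if [ "$i" -eq 0 ]; then echo "order: no certificates found"; return 1; fi
  if [ "$i" -eq 1 ]; then echo "order: single certificate (self-signed=$first_self)"; return 0; fi
  if [ "$first_self" = yes ] && [ "$last_self" = no ]; then
    echo "order: CA first, leaf last"
  elif [ "$first_self" = no ] && [ "$last_self" = yes ]; then
    echo "order: leaf first, CA last"
  else
    echo "order: ambiguous (first self-signed=$first_self, last self-signed=$last_self)"
  fi
}
```

Run it against the server's certificate file and against whatever bundle the client's tls_cacertdir points at; the per-certificate lines also show at a glance whether each issuer matches the next subject.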
openldap-software@openldap.org