5:22 p.m.
I know this has been hashed over before, but I simply cannot get my
LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in
certificate chain
errors. A standard "openssl s_client" test works fine, but a client
such as ldapsearch simply refuses to cooperate. I have the
"tls_cacertdir" set to point at a directory that has a copy of every
certificate I've created and it still won't work.
The certificates were created based on the instructions at:
http://www.openldap.org/faq/data/cache/185.html
as specified in the admin manual. I'm the first to admin I'm not an
SSL guy, but this has got me stumped! I'll be happy to provide whatever
bits of the various config files you need.
Help me Obi-Wan Kenobi!
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- Treat each day as if it's your last...a lot of crying and whining -
- usually gets you what you want! -- Sam Sledge -
----------------------------------------------------------------------
7:52 a.m.
Hi Rick,
On Wed, Jul 8, 2009 at 8:22 PM, Rick Stevens<rps2(a)socal.rr.com> wrote:
I know this has been hashed over before, but I simply cannot get my
LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in
certificate chain
errors. A standard "openssl s_client" test works fine, but a client
such as ldapsearch simply refuses to cooperate. I have the
"tls_cacertdir" set to point at a directory that has a copy of every
certificate I've created and it still won't work.
Could you outline which version of openldap and OS you're using?
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
8:23 a.m.
Rick Stevens <rps2(a)socal.rr.com> writes:
I know this has been hashed over before, but I simply cannot get my
LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in
certificate chain
This error may not be the culprit, if the error (or warning) is
referring to the CA.
What is the CN of the server certificate and what is the host part of
your search string?
In order to debug the TLS session run ldapsearch with -d3 option.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
12:50 p.m.
Dieter Kluenter wrote:
Rick Stevens<rps2(a)socal.rr.com> writes:
> I know this has been hashed over before, but I simply cannot get my
> LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
>
> TLS certificate verification: Error, self signed certificate in
> certificate chain
This error may not be the culprit, if the error (or warning) is
referring to the CA.
Wrong. It is *exactly* the culprit.
What is the CN of the server certificate and what is the host part
of
your search string?
If the cert CN were the problem, the error message would have said that. Don't
second-guess these error messages.
In order to debug the TLS session run ldapsearch with -d3 option.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:05 p.m.
Am Donnerstag, 9. Juli 2009 schrieb Rick Stevens:
I know this has been hashed over before, but I simply cannot get my
LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
TLS certificate verification: Error, self signed certificate in
certificate chain
errors. A standard "openssl s_client" test works fine, but a client
such as ldapsearch simply refuses to cooperate. I have the
"tls_cacertdir" set to point at a directory that has a copy of every
certificate I've created and it still won't work.
The certificates were created based on the instructions at:
http://www.openldap.org/faq/data/cache/185.html
as specified in the admin manual. I'm the first to admin I'm not an
SSL guy, but this has got me stumped! I'll be happy to provide
whatever bits of the various config files you need.
So, you have created your certs
with openssl. Are your ldap binaries
linked against openssl or gnutls libraries?
ldd $(which ldapsearch)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7e34000)
This openldap installation is linked against gnutls!
If your openldap installation also uses gnutls, then you MUST reorder
the certificates.
Openssl certs begins with the top-level cert (normaly the ca), gnutls
certs ends with the ca-cert :-( .
Help me Obi-Wan Kenobi!
---------------------------------------------------------------------
- - Rick Stevens, Unix Geek rps2(a)socal.rr.com
- -
- - Treat each day as if it's your last...a lot of crying and
whining - - usually gets you what you want! -- Sam
Sledge -
---------------------------------------------------------------------
-
--
Gruss
Harry Jede
5194
days inactive
5195
days old
openldap-software@openldap.org
4 comments
5 participants
participants (5)
-
Dieter Kluenter -
Harry Jede -
Howard Chu -
Mathias Gug -
Rick Stevens