Tue, 2010-08-31 at 11:05 +0200, Frederik Bosch wrote:
> After getting my ACL right (thanks Dieter!), I have problems installing an official certificate. I bought a certificate at RapidSSL. Starting slapd gives me the following error.
> TLS init def ctx failed: -69
> This error is thrown in openldap 2.4.17. Since I am on Debian, slapd is compiled against GnuTLS. When I was using 2.4.11 I had another error:
Do you have the complete certificate chain installed? If it is installed, it could be that the certificate bundle provided by RapidSSL doesn't have the certificates in the order that GnuTLS expects them to be in.
I haven't used commercial certificates with OpenSSL, but self-signed roots with intermediate CAs. In this setting GnuTLS requires that the certificates are in a specific order: first the root CA, then the certificates below it, so that each certificate is always signed by the one before it. OpenSSL doesn't have this restriction, if I've understood correctly.
I've used a setup like this with Ubuntu's slapd package, where ca-bundle.pem is created with OpenSSL and contains multiple certificates: rootca, subca, subsubca. slapd-server.crt is signed with subsubca.
olcTLSCACertificateFile: /path/to/ca-bundle.pem
olcTLSCertificateFile: /path/to/slapd-server.crt
olcTLSCertificateKeyFile: /path/to/slapd-server.key
This blog posting was helpful when I first encountered this issue:
http://www.sapphirepaw.org/blog/index.php?/archives/172-GNU-TLS-is-braindead...
Veli-Matti