Hello,
I just got an SSL certificate issued by Comodo which doesn't work as expected with slapd. Which means I get an untrusted certificate warning in Thunderbird. Probably I just missed something.
For Apache2 for example, I just configured
SSLCACertificateFile mycert.ca-bundle SSLCertificateFile mycert.crt SSLCertificateKeyFile mycert.key
and I don't get any warnings in Firefox. Also if I test the connection using openssl s_client it looks fine:
office:~# openssl s_client -connect localhost:443 CONNECTED(00000003) depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
To achieve the same with OpenLDAP, I tried:
TLSCACertificateFile mycert.ca-bundle TLSCertificateFile mycert.crt TLSCertificateKeyFile mycert.key
But the result is different, Thunderbird doesn't trust the certificate and throws a corresponding warning and the output of openssl s_client looks like this:
office:~# openssl s_client -connect localhost:636 CONNECTED(00000003) depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=27:certificate not trusted verify return:1 depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something?
Maybe someone could shed some light on this for me, thanks a lot in advance.
Regards, Iruwen