On Monday, 8 March 2010 21:55:51 Chris Jacobs wrote:
Hello,
I'm having a heck of a time getting certs to function correctly. This server is being set up with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch).
We have a root CA, with a subordinate CA used to sign the cert our ldap server is using.
I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5)
- root first, sub second.
I have both (also in the same order) in the cacert.pem used by slapd.conf. TLS directives:
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/ldapcrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/ldapkey.pem

# ldapsearch -H ldaps://localhost/
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
Add:
TLS_CACERT /etc/openldap/cacerts/cacert.pem
to /etc/openldap/ldap.conf
(see 'man ldap.conf').
Most likely it will now fail validation unless your subject CN is "localhost"; the hostname you provide to ldapsearch should be the one that matches the subject CN on the cert (or subjectAltNames).
Regards, Buchan
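As an added example (not part of the thread), this shell script builds the same arrangement with openssl: a root CA, a subordinate CA signed by it, and a server certificate signed by the sub CA, then shows which trust file lets the chain verify and whether a given hostname matches the certificate. The names (Example Root CA, Example Sub CA, ldap.example.com) and the temporary working directory are constructed for the example.

```shell
#!/bin/sh
# Constructed example: root CA -> sub CA -> server cert, then chain and
# hostname checks of the kind the client (TLS_CACERT) and server
# (TLSCACertificateFile) configuration in the thread depends on.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA, explicitly marked as a CA
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# Subordinate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
  -keyout sub.key -out sub.csr >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out sub.pem >/dev/null 2>&1

# Server certificate, signed by the sub CA, hostname in subjectAltName
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
  -keyout ldapkey.pem -out ldap.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\n' > srv.ext
openssl x509 -req -in ldap.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 2 -sha256 -extfile srv.ext -out ldapcrt.pem >/dev/null 2>&1

# Bundle in the order the thread describes: root first, sub second
cat root.pem sub.pem > cacert.pem

# Exit 0 when the server cert chains to a self-signed root in the trust file
verify_chain() { openssl verify -CAfile "$1" ldapcrt.pem >/dev/null 2>&1; }
# Exit 0 when the hostname matches the cert's SAN (CN is only a fallback)
check_host() { openssl x509 -in ldapcrt.pem -noout -checkhost "$1" | grep -q 'does match'; }

verify_chain cacert.pem && echo "root+sub bundle: chain verifies"
verify_chain root.pem || echo "root alone: fails, the sub CA is missing from the chain"
check_host ldap.example.com && echo "ldap.example.com: hostname matches"
check_host localhost || echo "localhost: hostname does not match"
```

The same two checks are what ldapsearch performs after TLS_CACERT is set: the chain must end at a root it trusts, and the host given in the URI must match the SAN (or CN) of the presented certificate.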