On Thursday, July 28, 2016 8:07:43 AM PDT, Nat Sincheler wrote:
On 7/27/2016 11:19 PM, Ulrich Windl wrote:
>>>> ...
> Message <991f77f9-fd05-eb9b-7f07-f350c4a7bc68(a)macrotex.net>:
> ...
% grep -R Certificate *.ldif
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
% directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
/etc/ssl/certs/server.pem: OK
So, the openssl command line can find the certificate chain.
Why can't openldap?
Of course, the problem is not in OpenLDAP but the SSL library that your
build of OpenLDAP is using. The chances are good that your build is using
GNUTLS. GNUTLS does not support a CA Certificate Path; you have to put all
of the CA cert chain in a single file and use olcTLSCACertificateFile
instead.
Bill
--
"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."
Phil Ochs
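An added example (not from either poster) of the fix Bill describes: build the single CA bundle file a GnuTLS-linked slapd needs, sanity-check that the whole chain made it in, and emit the cn=config LDIF that swaps olcTLSCACertificatePath for olcTLSCACertificateFile. The directory, bundle path and the assumption that olcTLSCACertificatePath is currently set (as in the grep output above) are this example's own.

```shell
#!/bin/sh
# Example helper, not part of OpenLDAP; paths passed in are assumptions.
set -eu

# Concatenate every PEM certificate in a directory into one bundle file.
# GnuTLS cannot walk a hashed CA directory the way OpenSSL's -CApath does,
# so the root and every intermediate must be in this one file.
# Usage: build_ca_bundle <ca_dir> <bundle_file>
build_ca_bundle() {
    ca_dir=$1
    bundle=$2
    : > "$bundle"
    for f in "$ca_dir"/*.pem "$ca_dir"/*.crt; do
        [ -f "$f" ] || continue
        # Copy only CERTIFICATE blocks; a stray private key in the same
        # directory must never end up in a world-readable CA bundle.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$bundle"
    done
    chmod 0644 "$bundle"
}

# Number of certificate blocks in a bundle: compare it against the expected
# chain length (root + intermediates) before pointing slapd at it.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# LDIF for cn=config: drop the path attribute GnuTLS ignores and set the file.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
tls_ldif() {
    printf 'dn: cn=config\nchangetype: modify\ndelete: olcTLSCACertificatePath\n-\nreplace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n' "$1"
}
```

After applying the LDIF, `openssl verify -CAfile <bundle> /etc/ssl/certs/server.pem` checks the same chain slapd will now see, and a client `ldapsearch -ZZ` confirms StartTLS succeeds.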