On 11/05/2012 09:24 PM, Philip Guenther wrote:
On Mon, 5 Nov 2012, Admus wrote: ...
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
In order to verify the server's certificate, the root CA that's 'above' the server's cert needs to be configured as a trusted CA for the client.
For OpenSSL, that's done by placing it in the file designated by the TLS_CACERT ldap.conf option, or in the directory designated by the TLS_CACERTDIR ldap.conf option with the correct hashed filename.
The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS, so presumably you just have to place the trusted root certificate(s) in a single file and point TLS_CACERT at that, in whatever format GnuTLS uses.
Philip Guenther
My cn=config looks as follow:
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap1_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1_slapd_key.pem
I also tried setting TLS_CACERT in /etc/ldap/ldap.conf to:
TLS_CACERT /etc/ssl/certs/cacert.pem
and
TLS_CACERT /etc/ssl/certs/ldap1_slapd_cert.pem
but without success; the error stayed the same.
What should be TLS_CACERT value? Is /etc/ldap/ldap.conf respected at all?
My client and server are the same host.
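To make the advice above concrete, and to show why the second attempt (pointing TLS_CACERT at the server's own certificate) cannot satisfy the client, here is an added shell example that is not from either poster: it builds a throwaway root CA and a server certificate for a made-up host in a temporary directory, then checks which file actually verifies the server cert. All file names and CN values are constructed for the demo; the checks use openssl rather than GnuTLS, but the trust-anchor requirement is the same.

```shell
#!/bin/sh
# Added example (not the poster's real files): a constructed CA and server
# cert, used to show which file belongs in TLS_CACERT.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private root CA: stand-in for whoever really issued the server's cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca_key.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. A server certificate for ldap1.example.com, signed by that CA.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=ldap1.example.com" \
  -keyout "$WORK/ldap1_slapd_key.pem" -out "$WORK/ldap1.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/ldap1.csr" \
  -CA "$WORK/cacert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
  -out "$WORK/ldap1_slapd_cert.pem" 2>/dev/null

# check_chain CAFILE CERT -> 0 if CERT chains to a root in CAFILE, else non-zero.
# This is the same question the LDAP client asks of the TLS_CACERT file.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_is CERT CAFILE -> 0 if CERT's issuer DN equals CAFILE's subject DN.
# A quick way to confirm that a candidate cacert.pem really is the issuer.
issuer_is() {
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# The root CA file verifies the server cert: this is the TLS_CACERT value.
if check_chain "$WORK/cacert.pem" "$WORK/ldap1_slapd_cert.pem"; then
  echo "OK: TLS_CACERT $WORK/cacert.pem (root CA) verifies the server cert"
fi

# The server's own cert is not a trust anchor for itself: this cannot work.
if ! check_chain "$WORK/ldap1_slapd_cert.pem" "$WORK/ldap1_slapd_cert.pem"; then
  echo "FAIL: TLS_CACERT pointed at ldap1_slapd_cert.pem does not verify"
fi
```

Run the same two `openssl verify -CAfile` calls against the real /etc/ssl/certs/cacert.pem and ldap1_slapd_cert.pem to see whether the configured CA file actually issued the server certificate.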