On 04/13/2011 04:37 PM, Rich Megginson wrote:
Also post the output of openssl x509 -in /path/to/the/server-cert.pem -text
# openssl x509 -in /etc/openldap/cacerts/curri3-cert.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux, CN=server.fdqn/emailAddress=jflo@imppc.org
        Validity
            Not Before: Apr 12 15:55:56 2011 GMT
            Not After : Jan  6 15:55:56 2014 GMT
        Subject: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux, CN=client.fdqn/emailAddress=jflo@imppc.org
I notice that the format of the Issuer here does not match the format of the Subject, but that may be just a difference in the way moznss and openssl handle the "/emailAddress=...". You could confirm by doing openssl x509 -in /path/to/cacert.pem -text
I don't know - I don't see anything obviously wrong here.
I'm just following the steps; I no longer know what to do, and I'm afraid I'm kind of stuck. As the server is RHEL 6, its openldap is compiled against openssl, while the clients are using openldap with moznss, so it looks like I'll be forced to recompile everything to either moznss or openssl, but that looks very, very complicated. I will try to make the setup from Fedora to Fedora with certificates and see if the TLS communication is easier. If that works, I think I will abandon the setup with RH; I can afford spending more time on this, especially if you (who know a lot more than me) think that there's nothing wrong..
If you think this is a problem with openldap+moznss (that is, if you can get it to work with openldap+openssl), please file a bug/ITS.
If I can give it a try later on, I'll do it. Thanks, j
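Rich's suggestion above amounts to comparing the client/server certificate's Issuer with the CA certificate's Subject, and the slash-separated "CN=.../emailAddress=..." rendering is exactly where comparing by eye goes wrong. The script below is an added example, not part of the original thread or of OpenLDAP: it prints both names with -nameopt RFC2253 so they are in one canonical form, compares them, and then lets openssl verify do the real chain check. It assumes the openssl CLI is installed and takes the two PEM paths as arguments (the paths from the thread, such as /etc/openldap/cacerts/curri3-cert.pem, are simply what you would pass).

```shell
#!/bin/sh
# Added example (not from the thread): does CERT's Issuer equal CA's Subject,
# and does CERT actually chain to CA? Assumes the openssl CLI is installed.

# Print a DN in RFC 2253 form. In this form "/emailAddress=x" and
# ", emailAddress=x" render identically, so the two names are comparable.
# The sed strips the "issuer=" / "subject=" label (older openssl prints
# "issuer= ..." with a space, newer prints "issuer=...").
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'
}

cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'
}

# Returns 0 if CERT's Issuer matches CA's Subject, 1 otherwise.
issuer_matches_ca() {
    cert=$1; ca=$2
    [ "$(cert_issuer "$cert")" = "$(cert_subject "$ca")" ]
}

# Returns 0 if CERT verifies against CA (signature, validity dates,
# basic constraints are all checked by openssl verify), 1 otherwise.
chain_verifies() {
    cert=$1; ca=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Human-readable report; returns 1 on the first failing check.
check_cert() {
    cert=$1; ca=$2
    if issuer_matches_ca "$cert" "$ca"; then
        echo "issuer matches CA subject: $(cert_issuer "$cert")"
    else
        echo "MISMATCH: cert issuer [$(cert_issuer "$cert")] != CA subject [$(cert_subject "$ca")]"
        return 1
    fi
    if chain_verifies "$cert" "$ca"; then
        echo "chain verifies against $ca"
    else
        echo "chain does NOT verify (wrong CA, expired, or bad signature)"
        return 1
    fi
}

# Usage: check_cert.sh /path/to/server-cert.pem /path/to/cacert.pem
if [ $# -eq 2 ]; then
    check_cert "$1" "$2"
fi
```

A name match alone proves nothing (anyone can mint a certificate with that Issuer string), which is why the second check runs openssl verify. Note also that the certificate posted above is Version 1, so it carries no extensions at all (no basicConstraints, no subjectAltName); OpenSSL still accepts a self-signed v1 certificate as a CA when it is handed over explicitly via -CAfile, so a successful verify here says the chain is consistent from OpenSSL's point of view, not that every TLS library will like it.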