Quanah Gibson-Mount schrieb:
--On Monday, October 12, 2009 11:18 AM -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Monday, October 12, 2009 3:02 PM +0200 Iruwen iruwen@gmx.net wrote:
Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something?
Maybe someone could shed some light on this for me, thanks a lot in advance.
You need to provide the full train of trust when using Comodo certs.
s/train/chain/ :P
So... I'd have to change what exactly? ;)
I created the ca-bundle following the information this page:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&...
And the format generally seems to be correct since it works for HTTPS (and SMTP with TLS in postfix, just tried that too).
HTTPS:
office:/etc/ssl/private# openssl s_client -connect localhost:443 CONNECTED(00000003) depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
SMTP with TLS:
office:/etc/ssl/private# openssl s_client -connect localhost:25 -starttls smtp CONNECTED(00000003) depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
But LDAPS:
office:/etc/ssl/private# openssl s_client -connect localhost:636 CONNECTED(00000003) depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=27:certificate not trusted verify return:1 depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
I don't get it :(