Digging further into it, I noticed that the openssl command used to verify was "OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)", but /usr/sbin/slapd is linked to libssl.so.1.1
Both certificates have "Public-Key: (2048 bit)", but I noticed that the "X509v3 extensions" are different. Maybe that's the problem. I'll re-create the certificate and see what happens. Anyway, hunting for these types of problems is not much fun...
Kind regards, Ulrich Windl
-----Original Message-----
From: Windl, Ulrich u.windl@ukr.de
Sent: Thursday, March 6, 2025 12:03 PM
To: Philip Guenther pguenther@proofpoint.com
Cc: noloader@gmail.com; openldap-technical@openldap.org
Subject: [EXT] RE: RE: Re: Getting details for "TLS trace: SSL3 alert read:fatal:unsupported certificate"
Hi!
I used "openssl verify" to verify both certificates, using both -CApath and -CAfile, and both certificates were "OK". I ran those commands as "root", but I also verified that the certificate and key can be read as "ldap".
Kind regards, Ulrich Windl
-----Original Message-----
From: Philip Guenther pguenther@proofpoint.com
Sent: Thursday, March 6, 2025 8:48 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: noloader@gmail.com; openldap-technical@openldap.org
Subject: [EXT] RE: Re: Getting details for "TLS trace: SSL3 alert read:fatal:unsupported certificate"
On Wed, 5 Mar 2025, Windl, Ulrich wrote:
> thanks! Actually that's what I did: Comparing the data of the certificate that worked with that which does not.
> I could not find any relevant difference.
The error being reported is from the OpenSSL library, not from OpenLDAP itself. The certs, or some CA the failing cert would chain through, are different in some way that _is_ relevant.
Philip Guenther