[My, it's been a while. I got pulled away from this and it's been a busy few months. Now I'm beating my head against it some more.]
I backed up and started over with this. Here is the state of things:
# certutil -d /etc/pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
LDAP-Server-Cert                                             u,u,u
CA certificate                                               CTu,u,u
# certutil -d /etc/pki/nssdb -L -n 'CA certificate'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
        Validity:
            Not Before: Tue Jan 17 07:48:20 2012
            Not After : Mon Jan 17 07:48:20 2022
        Subject: "CN=Endoframe CA cert,DC=endoframe,DC=net"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
[snip]
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
[snip]
    Fingerprint (MD5):
[snip]
    Fingerprint (SHA1):
[snip]
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User
# certutil -d /etc/pki/nssdb -L -n 'LDAP-Server-Cert'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1001 (0x3e9)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
        Validity:
            Not Before: Thu Jan 19 06:13:01 2012
            Not After : Wed Jan 19 06:13:01 2022
        Subject: "CN=ldap.endoframe.net"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
[snip]
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
[snip]
    Fingerprint (MD5):
[snip]
    Fingerprint (SHA1):
[snip]
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
Given the above, I generate the cert for the client:
# certutil -d /etc/pki/nssdb -L -n LDAP-Server-Cert -a > /etc/openldap/cacerts/ldap-server-cert.pem
In cn=config.ldif, I have:
olcTLSCACertificatePath: /etc/pki/nssdb
olcTLSCertificateFile: LDAP-Server-Cert
In ldap.conf, I have:
TLS_CACERT /etc/openldap/cacerts/ldap-server-cert.pem
Finally, when I run ldapsearch, I get this error:
# ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://ldap.endoframe.net)
ldap_create
ldap_url_parse_ext(ldaps://ldap.endoframe.net:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.endoframe.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.21:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/cacerts/ldap-server-cert.pem.
TLS: certificate [CN=Endoframe CA cert,DC=endoframe,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Is there something I need to do to mark the issuer as trusted on the client? (The client and server are actually the same machine in this case, FWIW.)
Braden
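The -8172 message above names the server certificate's issuer as the party that is not trusted, so the first thing to verify is that the file handed to TLS_CACERT really is that issuer. The following POSIX sh check is an added example, not code from Braden's post or from OpenLDAP: it parses `certutil -L -n` output and reports whether a given certificate can act as the trust anchor for the server certificate. The helper names `dn_field` and `anchor_verdict` are hypothetical, and the sample text is constructed from the DNs shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Decides whether the certificate
# printed by `certutil -d <db> -L -n <nick>` can serve as the TLS_CACERT trust
# anchor for a server certificate: it must be a CA, self-signed, and its
# Subject must equal the server certificate's Issuer.

# Constructed sample output using the DNs from the post (keys/sigs omitted).
CA_TEXT='Certificate:
    Data:
        Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
        Subject: "CN=Endoframe CA cert,DC=endoframe,DC=net"
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.'
SERVER_TEXT='Certificate:
    Data:
        Issuer: "CN=Endoframe CA cert,DC=endoframe,DC=net"
        Subject: "CN=ldap.endoframe.net"'

# dn_field FIELD TEXT: print the quoted DN of FIELD ("Issuer" or "Subject").
dn_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\(.*\)\".*/\1/p" | head -n 1
}

# anchor_verdict CANDIDATE_TEXT SERVER_TEXT: print one verdict word and
# return 0 only when CANDIDATE_TEXT can validate SERVER_TEXT's issuer.
anchor_verdict() {
    cand_subject=$(dn_field Subject "$1")
    cand_issuer=$(dn_field Issuer "$1")
    srv_issuer=$(dn_field Issuer "$2")
    if ! printf '%s\n' "$1" | grep -q 'Is a CA'; then
        echo not-a-ca; return 1          # an end-entity cert cannot anchor a chain
    fi
    if [ "$cand_subject" != "$cand_issuer" ]; then
        echo not-self-signed; return 1   # a non-root CA alone does not complete the chain
    fi
    if [ "$cand_subject" != "$srv_issuer" ]; then
        echo issuer-mismatch; return 1   # a different CA signed the server cert
    fi
    echo anchor-ok
}

echo "CA cert as TLS_CACERT:     $(anchor_verdict "$CA_TEXT" "$SERVER_TEXT")"
echo "server cert as TLS_CACERT: $(anchor_verdict "$SERVER_TEXT" "$SERVER_TEXT")"
```

Run against real output, replace the two sample strings with `certutil -d /etc/pki/nssdb -L -n <nick>` for the candidate and the server nicknames.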