Whenever I set olcTLSCACertificateFile to
/etc/pki/tls/certs/ca-bundle.crt LDAP clients get cert errors
connecting to the server. But it works fine when I point
olcTLSCACertificateFile at the actual server cert instead of the
CA bundle.
With olcTLSCACertificateFile pointed at
/etc/pki/tls/certs/ca-bundle.crt:
CLIENT:
# LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt ldapsearch -H
'ldap://fqdn.to.my.server' -ZZ -x -b '' -s base '+'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
(unable to get local issuer certificate)
SERVER (from "slapd -d conns"):
TLS: can't accept: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Why is this happening? olcTLSCACertificateFile is supposed to
control the certificates that OpenLDAP will recognize, not affect
the certificate it gives to clients (right?).
This is OpenLDAP 2.4.31
-Patrick
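[Editor's note, added to the thread and not part of Patrick's message.] Two facts bear on the question above. First, the client-side error "unable to get local issuer certificate" (OpenSSL error 20) means the client received the server certificate but could not find its issuer, neither among the certificates the server sent nor in the file named by LDAPTLS_CACERT. Second, slapd's olcTLSCACertificateFile does influence what the client receives: the OpenLDAP Administrator's Guide requires that the CA that signed the server certificate, and any intermediate CAs up to the root, be present in that file, and OpenSSL, when no explicit chain is configured, completes the chain it sends from exactly those trusted CA certificates. The server's own certificate still comes from olcTLSCertificateFile; only the accompanying chain comes from the CA file. A quick way to see what a client is actually handed is `openssl s_client -connect fqdn.to.my.server:389 -starttls ldap -showcerts` with a recent OpenSSL.

The following Ruby script (an added example, written for this page, not code from OpenLDAP or from the poster) reproduces the three outcomes with a throwaway PKI built in memory. Every name in it (Demo Root CA, Demo Intermediate CA, the build_demo_pki and verify_like_client helpers) is hypothetical. It uses Ruby's standard OpenSSL binding, so the verification logic and error strings are OpenSSL's own, the same library ldapsearch uses.

```ruby
# Added example (not from the original post): reproduce the LDAP client's
# "unable to get local issuer certificate" failure with a throwaway PKI
# and show which combinations of trust store and server-sent chain verify.
require 'openssl'

# Hypothetical helper: issue one X.509v3 certificate. issuer_cert == nil
# means self-signed (the root). Key usage and basicConstraints are set so
# OpenSSL accepts the CA certificates as CAs during chain validation.
def make_cert(subject, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed three-tier PKI: root CA -> intermediate CA -> server cert for
# fqdn.to.my.server. Everything is generated in memory for this demo only.
def build_demo_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  server_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Demo Root CA', root_key, nil, root_key, ca: true, serial: 1)
  inter = make_cert('/CN=Demo Intermediate CA', inter_key, root, root_key, ca: true, serial: 2)
  server = make_cert('/CN=fqdn.to.my.server', server_key, inter, inter_key, ca: false, serial: 3)
  { root: root, inter: inter, server: server }
end

# Mimic what an LDAP client with LDAPTLS_CACERT does: `trusted` plays the
# role of the CA file, `sent_with_server_cert` is whatever extra chain
# certificates the server included in its TLS handshake.
def verify_like_client(server_cert, trusted:, sent_with_server_cert: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(server_cert, sent_with_server_cert)
  { ok: ok, code: store.error, message: store.error_string }
end

if __FILE__ == $PROGRAM_NAME
  pki = build_demo_pki
  cases = {
    'client trusts root only, server sends leaf only' =>
      verify_like_client(pki[:server], trusted: [pki[:root]]),
    'client trusts root only, server sends leaf + intermediate' =>
      verify_like_client(pki[:server], trusted: [pki[:root]], sent_with_server_cert: [pki[:inter]]),
    'client trusts root + intermediate, server sends leaf only' =>
      verify_like_client(pki[:server], trusted: [pki[:root], pki[:inter]]),
  }
  cases.each { |label, r| puts format('%-62s -> %s (%d: %s)', label, r[:ok] ? 'OK' : 'FAIL', r[:code], r[:message]) }
end
```

The first case is the failing configuration in the post: a public CA bundle on the client, and a server that sends nothing beyond its own certificate because the issuing CA is not in its olcTLSCACertificateFile. Either of the other two cases fixes it, and the server-side one (putting the issuing CA and any intermediates into the file slapd loads) is the one that works for every client without touching their trust stores.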