On Thursday, 25 November 2010 17:26:56 bluethundr wrote:
[root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf## TLS options for slapd TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
I have tried each of the following certs with no luck in getting my cert to talk to it's CA:
-rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
and I get the same result for each when I attempt to connect to SSL on the LDAP server:
[root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
I doubt your hostname is ldap.example.com, it looks like it is LBSD2.summitnjhome.com. Since hostname <=> certificate subjectCN is important, you may prefer to provide *accurate* information while asking for help ...
13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
Please read the error message above carefully.
Your working directory of /tmp/Foswiki-1.1.2 most likely doesn't contain your certificate sf_issuing.crt. Maybe you should try:
openssl s_client -connect LBSD2.summitnjhome.com:636 -showcerts -CAfile /usr/local/etc/openldap/cacerts/sf_issuing.crt
(note, I don't think s_client can test LDAP+start_tls, only ldaps ... so this test assumes you have slapd started with a -h option that includes ldaps:///)
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125: 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279: CONNECTED(00000003) 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
ldapsearch doesn't read slapd.conf, did you supply the correct TLS_CACERT value in /usr/local/etc/openldap/ldap.conf ? Of course, you should use the hostname for which the cert is issued, or the next failure will be due to hostname/certificate subject mismatch.
Please see 'man ldap.conf'
TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 TLS certificate verification: Error, unable to get local issuer certificate tls_write: want=7, written=7 0000: 15 03 01 00 02 02 30 ......0 TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It seems to indicate that it can't talk to it's CA...
No, seems it doesn't know where to look for the CA certificate ...
does anyone have any suggestions on how to make this work?
echo "TLS_CACERT /usr/local/etc/openldap/cacerts/sf_issuing.crt" >> /usr/local/etc/openldap/ldap.conf ?
Regards, Buchan