Hi Hauke,
I still can't get TLS to work. Here is the error message.
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000: 15 03 01 00 02 02 30                              ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
Thanks
----- Original Message ----
From: Hauke Coltzau hauke.coltzau@FernUni-Hagen.de
To: Dat Duong datduong2000@yahoo.com
Cc: openldap-technical openldap-technical@openldap.org
Sent: Tuesday, October 7, 2008 1:25:37 AM
Subject: AW: StartTLS is not working
Hi Dat,
first of all: Please send your questions to the list so that other users with the same problem can find the solution, too.
To your problem: Please make sure that you have a correct value for your ServerCA's private key in your openssl.cnf. It should read something like this:
[ ServerCA ]
# Where is the base directory for the ServerCA
dir = /usr/lib/ssl/ServerCA
# Where is the ServerCA's certificate
certificate = $dir/ServerCA.cert.pem
# and where is the ServerCA's private key
private_key = $dir/private/ServerCA.key.pem
Without the private key, the ServerCA will not be able to sign your LDAP certificate. You will find more configuration hints for openssl.cnf in the tutorial.
Hope this helps,
Hauke
Dat Duong datduong2000@yahoo.com writes:
Hi Hauke,
I still can't get TLS to work. Here is the error message.
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000: 15 03 01 00 02 02 30                              ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please describe the parameters to create your certificate chain. I presume you have not signed your certificates with a known certificate authority.
-Dieter
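The chain Dieter asks about, and the "unknown CA" failure in the log above, can be reproduced and checked outside of slapd. The script below is an added example, not code from the thread or from the tutorial Hauke refers to: it builds a throwaway ServerCA, signs an LDAP server certificate with it (using openssl x509 -req instead of the openssl.cnf-driven openssl ca, so the [ ServerCA ] section is not needed here), then runs the same verification a client performs, once trusting the CA file and once with an empty trust store. All subjects, file names and the WORK directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a tiny ServerCA -> LDAP server
# chain with openssl and check how a client verifies it with and without
# the CA certificate. Names, paths and subjects are constructed for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Create the ServerCA (self-signed root) and a server certificate signed by it.
make_chain() {
  # CA key + self-signed CA certificate (the "ServerCA" role in the thread)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ServerCA.key.pem" -out "$WORK/ServerCA.cert.pem" \
    -subj "/CN=Demo ServerCA" >/dev/null 2>&1 || return 1
  # Server key + CSR for the (constructed) LDAP host name
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ldap.key.pem" -out "$WORK/ldap.csr.pem" \
    -subj "/CN=ldap.example.test" >/dev/null 2>&1 || return 1
  # Sign the CSR with the CA's private key. This is the step that fails when
  # the CA's private_key is missing or wrong in the tutorial's openssl.cnf.
  openssl x509 -req -days 1 -in "$WORK/ldap.csr.pem" \
    -CA "$WORK/ServerCA.cert.pem" -CAkey "$WORK/ServerCA.key.pem" \
    -CAcreateserial -out "$WORK/ldap.cert.pem" >/dev/null 2>&1
}

# Check that the server cert's issuer is the CA's subject, i.e. that the
# LDAP certificate really was signed by the ServerCA and not by itself.
signed_by_ca() {
  ca_subj=$(openssl x509 -noout -subject -in "$WORK/ServerCA.cert.pem")
  srv_iss=$(openssl x509 -noout -issuer -in "$WORK/ldap.cert.pem" \
              | sed 's/^issuer=/subject=/')
  [ "$ca_subj" = "$srv_iss" ]
}

# Verify the server cert the way a client does when its trust store
# (TLS_CACERT in ldap.conf) points at the CA certificate. Exit 0 on success.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ServerCA.cert.pem" \
    "$WORK/ldap.cert.pem" >/dev/null 2>&1
}

# Verify with no trusted CAs at all: reproduces the "unknown CA" /
# "certificate verify failed" condition seen in the ldap_start_tls log.
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/ldap.cert.pem" >/dev/null 2>&1
}
```

If verify_with_ca succeeds but the LDAP client still reports unknown CA, the client is not reading the CA file you think it is; point TLS_CACERT (or TLS_CACERTDIR) at ServerCA.cert.pem and rerun.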