Hello,
I'm having an issue starting up slapd with TLS enabled. I tried to search for the error code but I couldn't find any GnuTLS error codes that match. Here are the log entries that appear:
Sep 25 21:07:05 dir0 slapd[15018]: main: TLS init def ctx failed: -1
Sep 25 21:07:05 dir0 slapd[15018]: DIGEST-MD5 common mech free
Sep 25 21:07:05 dir0 slapd[15018]: slapd stopped.
Sep 25 21:07:05 dir0 slapd[15018]: connections_destroy: nothing to destroy.
Is there a way to check and see if this build is enabled with TLS support? I installed it from a package manager rather than compiling it. Here are the TLS portions of the config:
# SSL
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/ca.pem
TLSCertificateFile /etc/openldap/ssl/server.pem
TLSCertificateKeyFile /etc/openldap/ssl/server.key
TLSVerifyClient demand
Here are the files listed: (I changed the permissions during troubleshooting)
[09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah ssl
total 12
drw-------  2 _openldap  _openldap   512B Sep 25 19:59 .
drwxr-xr-x  4 root       wheel       512B Sep 25 19:54 ..
-rwxrwxrwx  1 _openldap  _openldap     3B Sep 25 20:08 digits.srl
-rwxrwxrwx  1 _openldap  _openldap   887B Sep 25 19:56 server.key
-rwxrwxrwx  1 _openldap  _openldap   904B Sep 25 20:08 server.pem
-rwxrwxrwx  1 _openldap  _openldap   684B Sep 25 19:57 server.req

[09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah /etc/ssl
total 170
drwxr-xr-x   4 root  wheel   512B Sep 25 19:52 .
drwxr-xr-x  27 root  wheel   2.5K Sep 24 20:50 ..
-rw-r--r--   1 root  wheel   912B Sep 23 16:30 ca.crt
-rw-r--r--   1 root  wheel   912B Sep 25 19:52 ca.pem
-rw-r--r--   1 root  wheel    17B Sep 23 17:51 ca.srl
-r--r--r--   1 root  bin     147K Feb 12  2012 cert.pem
drwxr-xr-x   2 root  wheel   512B Feb 12  2012 lib
-r--r--r--   1 root  bin     1.6K Feb 12  2012 openssl.cnf
drwx------   2 root  wheel   512B Sep 23 16:29 private
-rw-r--r--   1 root  wheel   1.0K Sep 25 19:52 privkey.pem
-r--r--r--   1 root  bin    1005B Feb 12  2012 x509v3.cnf
Is this an issue with the build I'm running? (SSL not enabled or?)
Thanks! Brian
--On Tuesday, September 25, 2012 6:20 PM -0700 Brian Empson brian_empson@yahoo.com wrote:
Hello,
I'm having an issue starting up slapd with TLS enabled. I tried to search for the error code but I couldn't find any GnuTLS error codes that match. Here are the log entries that appear:
Sep 25 21:07:05 dir0 slapd[15018]: main: TLS init def ctx failed: -1
95% of the time, this means slapd can't access the files you have specified. This could be blocked by things like AppArmor in addition to file/directory permissions. At a guess, your permissions on /etc/openldap/ssl are wrong, as it is missing "x".
I would suggest you try reading the various files "as" the _openldap user using sudo.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: Quanah Gibson-Mount quanah@zimbra.com
To: Brian Empson brian_empson@yahoo.com; openldap-technical@openldap.org
I'm having an issue starting up slapd with TLS enabled. I tried to search for the error code but I couldn't find any GnuTLS error codes that match. Here are the log entries that appear:
Sep 25 21:07:05 dir0 slapd[15018]: main: TLS init def ctx failed: -1
95% of the time, this means slapd can't access the files you have specified. This could be blocked by things like AppArmor in addition to file/directory permissions. At a guess, your permissions on /etc/openldap/ssl are wrong, as it is missing "x".
I would suggest you try reading the various files "as" the _openldap user using sudo.
In your first mail I can see that you have:

[09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah ssl
total 12
drw------- 2 _openldap _openldap 512B Sep 25 19:59 .

I don't see the x permission, which could mean that the _openldap user cannot enter the directory. Moreover, the permissions on the other files (rwxrwxrwx or rw-r--r--) could be improved.
Brian:
Check the permission of your cert and key files.
Thanks a lot!
Yan
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Brian Empson
Sent: Tuesday, September 25, 2012 9:20 PM
To: openldap-technical@openldap.org
Subject: TLS error on startup
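As an added example (not code from this thread, and not part of OpenLDAP), here is the check Quanah describes and the permission review Yan asks for, in one POSIX shell script. It takes the service user and group from Brian's listing (_openldap:_openldap) and the file paths from his TLS* directives; the sample tree it builds under a temp directory is constructed to mirror his `ls -lah ssl` output and is not real key material. It assumes absolute paths and considers only the user's primary group.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenLDAP. It does the two
# checks the replies call for: can the slapd service user search every
# directory on the way to each TLS* file and read it (Quanah's "missing x"),
# and is the private key exposed beyond its owner (Yan's rwxrwxrwx remark).
# Modes are parsed from `ls -ld` instead of probed with test(1), so the
# verdict is about the named user even when this script itself runs as root.
# Assumptions: absolute paths, and only the user's primary group is
# considered (no supplementary groups, ACLs or AppArmor profiles).

# mode_owner_group PATH -> "drwxr-xr-x owner group" (first 10 mode chars only)
mode_owner_group() {
    set -- $(ls -ld "$1")
    printf '%s %s %s\n' "$(printf '%s' "$1" | cut -c1-10)" "$3" "$4"
}

# perm_triplet MODE OWNER GROUP USER UGROUP -> the rwx triplet that applies to USER
perm_triplet() {
    if [ "$2" = "$4" ]; then printf '%s' "$1" | cut -c2-4
    elif [ "$3" = "$5" ]; then printf '%s' "$1" | cut -c5-7
    else printf '%s' "$1" | cut -c8-10
    fi
}

# can_reach USER UGROUP FILE: 0 if USER can search every ancestor directory
# and read FILE; otherwise prints the first obstacle and returns 1.
can_reach() {
    u=$1; g=$2; f=$3
    d=$(dirname "$f"); dirs=""
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        dirs="$d $dirs"; d=$(dirname "$d")
    done
    for d in / $dirs; do
        [ -d "$d" ] || { echo "MISSING: $d"; return 1; }
        set -- $(mode_owner_group "$d")
        case $(perm_triplet "$1" "$2" "$3" "$u" "$g" | cut -c3) in
            x|s|t) ;;                       # s/t: setgid/sticky with x set
            *) echo "BLOCKED: $u cannot search $d ($1 $2:$3)"; return 1 ;;
        esac
    done
    [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    set -- $(mode_owner_group "$f")
    case $(perm_triplet "$1" "$2" "$3" "$u" "$g" | cut -c1) in
        r) echo "OK: $u can read $f ($1 $2:$3)"; return 0 ;;
        *) echo "BLOCKED: $u cannot read $f ($1 $2:$3)"; return 1 ;;
    esac
}

# key_exposure KEYFILE: 0 when the key is neither world-accessible nor
# group-writable (a root:_openldap 0640 layout passes); 1 otherwise.
key_exposure() {
    k=$1
    set -- $(mode_owner_group "$k")
    case $(printf '%s' "$1" | cut -c6,8-10) in
        [!w]---) echo "OK: $k mode $1 ($2:$3)"; return 0 ;;
        *) echo "EXPOSED: $k mode $1 ($2:$3) is world-accessible or group-writable"; return 1 ;;
    esac
}

# build_fixture: constructed sample tree mirroring Brian's listing (placeholder
# file contents, modes set explicitly). Prints the temp base directory.
build_fixture() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/etc/openldap/ssl" "$base/etc/ssl"
    for p in etc/ssl/ca.pem etc/openldap/ssl/server.pem etc/openldap/ssl/server.key; do
        echo placeholder > "$base/$p"
    done
    chmod 755 "$base" "$base/etc" "$base/etc/ssl" "$base/etc/openldap"
    chmod 644 "$base/etc/ssl/ca.pem"
    chmod 666 "$base/etc/openldap/ssl/server.pem" "$base/etc/openldap/ssl/server.key"
    chmod 600 "$base/etc/openldap/ssl"          # drw-------: the missing x
    printf '%s\n' "$base"
}

# destroy_fixture BASE: give ourselves the search bits back, then remove.
destroy_fixture() { chmod -R u+rwx "$1" 2>/dev/null || true; rm -rf "$1"; }

# Demonstration on the constructed tree. On the real host the calls are just
#   can_reach _openldap _openldap /etc/openldap/ssl/server.key
#   key_exposure /etc/openldap/ssl/server.key
base=$(build_fixture)
me=$(id -un); mygrp=$(id -gn)
for f in "$base/etc/ssl/ca.pem" "$base/etc/openldap/ssl/server.key"; do
    can_reach "$me" "$mygrp" "$f" || true
done
key_exposure "$base/etc/openldap/ssl/server.key" || true
destroy_fixture "$base"
```

Run as-is it reports ca.pem as readable, server.key as BLOCKED at the ssl directory (owner triplet `rw-`, no search bit), and the 0666 key as EXPOSED; after `chmod 700` on the directory and `chmod 600` on the key both checks pass. The script only sees classic mode bits, so a denial coming from an ACL or an AppArmor profile, which Quanah also mentions, will still only show up under his suggested test of reading the files as the _openldap user via sudo.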