2:11 a.m.
Hi All,
my ldapsearch and other things were working perfectly fine but not sure what happened now.
Seem some SSL issue. When i am doing ldapsearch i am getting below error.
[root@xxx-xxx-xxx etc]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f
/usr/local/openldap/dit.ldif -H ldaps://xxx-xxx-xxx.example.com
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Logs error:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee 11r531ecbee
531ecbee daemon: read active on 11
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee connection_get(11)
531ecbee connection_get(11): got connid=1000
531ecbee connection_read(11): checking for input on id=1000
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca.
531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
531ecbee connection_closing: readying conn=1000 sd=11 for close
531ecbee connection_close: conn=1000 sd=11
531ecbee daemon: removing 11
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
Please suggest.
Regards
Sam
6:23 a.m.
Please help me what could cause this ?
Thanks a ton everyone
Sent from my iPhone
On 11 Mar 2014, at 5:11 pm, saurabh ohri <sam_ohri(a)yahoo.co.in>
wrote:
Hi All,
my ldapsearch and other things were working perfectly fine but not sure what happened
now. Seem some SSL issue. When i am doing ldapsearch i am getting below error.
[root@xxx-xxx-xxx etc]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f
/usr/local/openldap/dit.ldif -H ldaps://xxx-xxx-xxx.example.com
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Logs error:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee 11r531ecbee
531ecbee daemon: read active on 11
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee connection_get(11)
531ecbee connection_get(11): got connid=1000
531ecbee connection_read(11): checking for input on id=1000
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca.
531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
531ecbee connection_closing: readying conn=1000 sd=11 for close
531ecbee connection_close: conn=1000 sd=11
531ecbee daemon: removing 11
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
Please suggest.
Regards
Sam
7:10 a.m.
TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.
531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
Self descriptive, I think. Your client doesn't know (trust) the root CA
under which your server is certified. Therefore it can'n assert it's
connecting to the genuine server, and prefers to abort the connection.
2014-03-11 14:23 GMT+01:00 Saurabh Ohri <sam_ohri(a)yahoo.co.in>:
Please help me what could cause this ?
Thanks a ton everyone
Sent from my iPhone
On 11 Mar 2014, at 5:11 pm, saurabh ohri <sam_ohri(a)yahoo.co.in> wrote:
Hi All,
my ldapsearch and other things were working perfectly fine but not sure
what happened now. Seem some SSL issue. When i am doing ldapsearch i am
getting below error.
[root@xxx-xxx-xxx etc]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W
-f /usr/local/openldap/dit.ldif -H ldaps://xxx-xxx-xxx.example.com
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Logs error:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee 11r531ecbee
531ecbee daemon: read active on 11
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
531ecbee connection_get(11)
531ecbee connection_get(11): got connid=1000
531ecbee connection_read(11): checking for input on id=1000
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.
531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
531ecbee connection_closing: readying conn=1000 sd=11 for close
531ecbee connection_close: conn=1000 sd=11
531ecbee daemon: removing 11
531ecbee daemon: activity on 1 descriptor
531ecbee daemon: activity on:531ecbee
531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
Please suggest.
Regards
Sam
--
Erwann.
7:14 a.m.
Thanks erwann. But I am running ldap search with rootdn from ldap server only. Configured
the certs file path I n config file of ldap.
It was working fine since past 1 week not sure what changes make it stopped working today.
Tried reloading the ask certs again and reloaded the config file from slapd.conf but still
issue exists.
Please suggest what could have caused this and how to fix it. Thanks again
Regards
Sam
Sent from my iPhone
On 11 Mar 2014, at 10:10 pm, Erwann Abalea <eabalea(a)gmail.com> wrote:
> TLS trace: SSL3 alert read:fatal:unknown CA
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.
> 531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
Self descriptive, I think. Your client doesn't know (trust) the root CA under which
your server is certified. Therefore it can'n assert it's connecting to the genuine
server, and prefers to abort the connection.
2014-03-11 14:23 GMT+01:00 Saurabh Ohri <sam_ohri(a)yahoo.co.in>:
> Please help me what could cause this ?
>
> Thanks a ton everyone
>
> Sent from my iPhone
>
>> On 11 Mar 2014, at 5:11 pm, saurabh ohri <sam_ohri(a)yahoo.co.in> wrote:
>>
>> Hi All,
>>
>> my ldapsearch and other things were working perfectly fine but not sure what
happened now. Seem some SSL issue. When i am doing ldapsearch i am getting below error.
>>
>> [root@xxx-xxx-xxx etc]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W
-f /usr/local/openldap/dit.ldif -H ldaps://xxx-xxx-xxx.example.com
>> Enter LDAP Password:
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>> Logs error:
>>
>> TLS trace: SSL_accept:SSLv3 flush data
>> tls_read: want=5 error=Resource temporarily unavailable
>> TLS trace: SSL_accept:error in SSLv3 read client certificate A
>> TLS trace: SSL_accept:error in SSLv3 read client certificate A
>> 531ecbee daemon: activity on 1 descriptor
>> 531ecbee daemon: activity on:531ecbee
>> 531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
>> 531ecbee daemon: activity on 1 descriptor
>> 531ecbee daemon: activity on:531ecbee 11r531ecbee
>> 531ecbee daemon: read active on 11
>> 531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
>> 531ecbee connection_get(11)
>> 531ecbee connection_get(11): got connid=1000
>> 531ecbee connection_read(11): checking for input on id=1000
>> tls_read: want=5, got=5
>> 0000: 15 03 01 00 02 .....
>> tls_read: want=2, got=2
>> 0000: 02 30 .0
>> TLS trace: SSL3 alert read:fatal:unknown CA
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
>> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.
>> 531ecbee connection_read(11): TLS accept failure error=-1 id=1000, closing
>> 531ecbee connection_closing: readying conn=1000 sd=11 for close
>> 531ecbee connection_close: conn=1000 sd=11
>> 531ecbee daemon: removing 11
>> 531ecbee daemon: activity on 1 descriptor
>> 531ecbee daemon: activity on:531ecbee
>> 531ecbee daemon: epoll: listen=7 active_threads=0 tvp=zero
>>
>> Please suggest.
>>
>> Regards
>> Sam
--
Erwann.
7:46 a.m.
Hi,
On Tue, 11 Mar 2014, Saurabh Ohri wrote:
Thanks erwann. But I am running ldap search with rootdn from ldap
server only. Configured the certs file path I n config file of ldap.
It was working fine since past 1 week not sure what changes make it stopped working
today. Tried reloading the ask certs again and reloaded the config file from slapd.conf
but still issue exists.
If a certificate suddenly stops working I usually check if it has expired.
Greetings
Christian
Please suggest what could have caused this and how to fix it. Thanks again
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
3486
days inactive
3486
days old
openldap-technical@openldap.org
4 comments
4 participants
participants (4)
-
Christian Kratzer -
Erwann Abalea -
saurabh ohri -
Saurabh Ohri