On Thursday, 25 November 2010 17:26:56 bluethundr wrote:
> [root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
>
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
I doubt your hostname is
ldap.example.com, it looks like it is
LBSD2.summitnjhome.com. Since hostname <=> certificate subjectCN is important,
you may prefer to provide *accurate* information while asking for help ...
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
Please read the error message above carefully.
Your working directory of /tmp/Foswiki-1.1.2 most likely doesn't contain your
certificate sf_issuing.crt. Maybe you should try:
openssl s_client -connect LBSD2.summitnjhome.com:636 -showcerts -CAfile /usr/local/etc/openldap/cacerts/sf_issuing.crt
(note, I don't think s_client can test LDAP+start_tls, only ldaps ... so this
test assumes you have slapd started with a -h option that includes ldaps:///)
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
ldapsearch doesn't read slapd.conf, did you supply the correct TLS_CACERT
value in /usr/local/etc/openldap/ldap.conf ? Of course, you should use the
hostname for which the cert is issued, or the next failure will be due to
hostname/certificate subject mismatch.
Please see 'man ldap.conf'
> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
No, seems it doesn't know where to look for the CA certificate ...
> does anyone have any suggestions on how to make this work?
echo "TLS_CACERT /usr/local/etc/openldap/cacerts/sf_issuing.crt" >> /usr/local/etc/openldap/ldap.conf
?
Regards,
Buchan
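As an added example that is not part of the thread, the script below checks offline the two things Buchan says must line up, that the server certificate chains to the CA file you point at and that the hostname you connect to matches the certificate subject, using throwaway certificates it generates itself. It assumes openssl(1) 1.1.0 or newer; the CA names are made up and LBSD2.summitnjhome.com is reused from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce offline the two things Buchan
# says must line up, (1) the server cert chains to the CA file you point at and
# (2) the hostname you connect to matches the certificate subject. Every key and
# cert here is a constructed throwaway; LBSD2.summitnjhome.com mirrors the thread.
set -e
WORK=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Minimal req config so the constructed CAs carry basicConstraints=CA:TRUE.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF
# An issuing CA, a server cert for LBSD2.summitnjhome.com signed by it, and an
# unrelated CA standing in for the wrong bundle file.
q openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Issuing CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
q openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=LBSD2.summitnjhome.com" -keyout "$WORK/srv.key" -out "$WORK/srv.csr"
q openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.crt"
q openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/other.crt"

# verify_chain CAFILE CERT: prints "ok" when CERT chains to CAFILE, otherwise the
# verify error text; with the wrong CA that is the thread's err 20, "unable to
# get local issuer certificate".
verify_chain() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# verify_host CAFILE CERT HOSTNAME: chain check plus hostname-vs-subject check,
# the mismatch Buchan predicts for ldap.example.com.
verify_host() {
    if q openssl verify -CAfile "$1" -verify_hostname "$3" "$2"; then echo ok; else echo mismatch; fi
}

echo "right CA:       $(verify_chain "$WORK/ca.crt"    "$WORK/srv.crt")"
echo "wrong CA:       $(verify_chain "$WORK/other.crt" "$WORK/srv.crt")"
echo "right hostname: $(verify_host "$WORK/ca.crt" "$WORK/srv.crt" LBSD2.summitnjhome.com)"
echo "wrong hostname: $(verify_host "$WORK/ca.crt" "$WORK/srv.crt" ldap.example.com)"
```

The same two checks apply to the real files: point verify_chain at the sf_issuing.crt you intend to list in TLS_CACERT and at the certificate slapd actually serves.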