Hello, I'm trying to get TLS set up with openldap and am having some issues. I have a CA signed certificate (not self-signed) and have created a chain with my CA cert and the root CA cert. I've verified that it works with openssl verify -CAfile on both the client and server but then when I try to connect using ldaps I get the following error on the client:

TLS certificate verification: depth: 2, err: 19, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
I assume it's saying that the root CA is self signed, but if I don't include it in the chain it says it can't trust the CA.
Anybody have any ideas?
Thanks,
Matt Edlefsen
Earlham Computing Services
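A small diagnostic for the trace quoted above, added here as an example and not part of this thread: it parses the OpenLDAP client's verification callback line and maps err 19 on a depth-2 entry whose subject equals its issuer to a self-signed root that the client does not trust, which is fixed on the client side (the TLS_CACERT / TLS_CACERTDIR options in ldap.conf), not by sending the root in the server's chain. The function and variable names are my own, and the error-code table is the OpenSSL X509_V_ERR_* numbering.

```python
import re
from typing import Optional

# Constructed sample: the client-side trace quoted in the post, one message per line.
SAMPLE_TRACE = """\
TLS certificate verification: depth: 2, err: 19, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
"""

# OpenSSL X509_V_ERR_* codes that commonly appear in OpenLDAP's "err:" field.
X509_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate (depth 0)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
}

# The verification callback line: depth, OpenSSL error code, subject and issuer DNs.
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (.*?), issuer: (.*)$")

def diagnose(trace: str) -> Optional[dict]:
    """Explain the first verification failure in an OpenLDAP client TLS trace."""
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, err, subject, issuer = int(m[1]), int(m[2]), m[3], m[4]
        self_signed = subject == issuer
        meaning = X509_ERRORS.get(err, f"OpenSSL X509 verify error {err}")
        if err in (18, 19) and self_signed:
            # The root arrived in the server's chain but is absent from the client trust store.
            advice = (f"the self-signed root at depth {depth} is not trusted: put it in the "
                      "file named by TLS_CACERT (or a hashed TLS_CACERTDIR) in the client's "
                      "ldap.conf; the server sending it in the chain is not sufficient")
        elif err in (2, 20):
            advice = (f"no issuer found for the certificate at depth {depth}: an intermediate "
                      "CA is missing from the server chain or the client trust store")
        else:
            advice = f"inspect the certificate at depth {depth}: {meaning}"
        return {"depth": depth, "err": err, "subject": subject, "issuer": issuer,
                "self_signed": self_signed, "meaning": meaning, "advice": advice}
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```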
Matthew Edlefsen wrote:
> Hello, I'm trying to get TLS set up with openldap and am having some issues. I have a CA signed certificate (not self-signed) and have created a chain with my CA cert and the root CA cert. I've verified that it works with openssl verify -CAfile on both the client and server but then when I try to connect using ldaps I get the following error on the client:
>
> TLS certificate verification: depth: 2, err: 19, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
>
> I assume it's saying that the root CA is self signed, but if I don't include it in the chain it says it can't trust the CA.
Could you please elaborate on how you configured TLS settings on your LDAP client? I assume that your OpenLDAP build was linked to OpenSSL libs. Is that right?
Ciao, Michael.
openldap-technical@openldap.org