After getting my ACL right (thanks Dieter!), I have problems installing an official certificate. I bought a certificate at RapidSSL. Starting slapd gives me the following error.
TLS init def ctx failed: -69
This error is thrown in openldap 2.4.17. Since I am on Debian, slapd is compiled against GnuTLS. When I was using 2.4.11 I had another error:
TLS init def ctx failed: -207
When I had a self-signed certificate I had no trouble. What could be wrong?
It could be that you need to configure the CA certificate or the complete certificate chain, too.
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Frederik Bosch
Sent: Tuesday, 31 August 2010 11:05
To: openldap-technical@openldap.org
Subject: TLS fails
Frederik Bosch frederik.bosch@gmail.com writes:
After getting my ACL right (thanks Dieter!), I have problems installing an official certificate. I bought a certificate at RapidSSL. Starting slapd gives me the following error.
TLS init def ctx failed: -69
GnuTLS cannot read the certificate, error -69 is ASN1_DER_ERROR.
This error is thrown in openldap 2.4.17. Since I am on debian, slapd is compiled against GnuTLS. When I was using 2.4.11 I had another error:
TLS init def ctx failed: -207
-207 is UNEXPECTED_HEADER_ERROR
When I had a self-signed certificate I had no trouble. What could be wrong?
Either create certificates with GnuTLS or don't use it :-)
-Dieter
In that case, I'd go for recompiling with OpenSSL. I already tried, but that gave me the following error.
Could not locate TLS/SSL package.
Of course, I also googled that. I think I need to point where to find the OpenSSL library.
dpkg -L openssl says
/usr/lib/ssl
/usr/lib/ssl/misc
/usr/lib/ssl/misc/c_info
/usr/lib/ssl/misc/CA.sh
/usr/lib/ssl/misc/c_hash
/usr/lib/ssl/misc/c_name
/usr/lib/ssl/misc/c_issuer
/usr/lib/ssl/misc/CA.pl
So I tried to do
env CPPFLAGS="-I/usr/lib/ssl" LDFLAGS="-L/usr/lib/ssl"
before configure, but no success. By the way, this is the first time I try to compile something, and I do it with debuild -us -uc.
Frederik Bosch frederik.bosch@gmail.com writes:
Did you install the openssl header files? Presumably in /usr/include/openssl, and is there a link to /usr/include/ssl? Compiler preprocessor include flags should point to include files, thus CPPFLAGS="-I/usr/include/openssl"
-Dieter
Compiling 2.4.17 with OpenSSL was more successful than on 2.4.11. I think that's a Debian issue. Anyway, I have my server up and running! Thanks a lot, Dieter, for answering all my questions.
But I have a minor question left. Each time I restart slapd I have to enter the PEM pass phrase. Is there a way to remember or not prompt for the passphrase?
Frederik Bosch frederik.bosch@gmail.com writes:
Extract the password from the certificate:
openssl rsa -in certificate.pem -out some-key.pem
-Dieter
On Tue, 2010-08-31 at 11:05 +0200, Frederik Bosch wrote:
Do you have the complete certificate chain installed? If that is installed, it could be that the certificate bundle provided by RapidSSL doesn't have the certificates in order that GnuTLS expects them to be.
I haven't used commercial certificates with OpenSSL, but self-signed roots with intermediate CAs. In this setting GnuTLS requires that the certificates are in a specific order: first the root CA, then the certificates below it, so that each certificate is signed by the one before it. OpenSSL doesn't have this restriction, if I've understood correctly.
I've used setup like this with Ubuntu's slapd package where ca-bundle.pem is created with OpenSSL and contains multiple certificates: rootca, subca, subsubca. slapd-server.crt is signed with subsubca.
olcTLSCACertificateFile: /path/to/ca-bundle.pem
olcTLSCertificateFile: /path/to/slapd-server.crt
olcTLSCertificateKeyFile: /path/to/slapd-server.key
This blog posting was helpful when I first encountered this issue:
http://www.sapphirepaw.org/blog/index.php?/archives/172-GNU-TLS-is-braindead...
Veli-Matti