[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5997) slapo-chain TLS issues



I take this ITS number since it seems you filed the same issue four
times. AFAICS the others (ITS#5993, ITS#5995 and ITS#5996) should be
ignored by everyone responding.

duramaxlb7@gmail.com wrote:
> Master log file when slapo-chain runs
> ---------------
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca.
> 
> Slave log file when slapo-chain runs
> -----------------
> TLS: can't connect: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

To me both messages look like the trusted CA cert (directory) is not
properly configured.

> I had the same problem with LUMA and that problem went away when I put the
> starttls=critical in the chain-idassert-bind

Hmm, are you sure you didn't add "tls_cacertdir=/etc/openldap/cacerts"
to chain-idassert-bind at the same time when testing?

Ciao, Michael.