SSL - unknown ca/self signed certificate problem
Hello,
I am trying to build an LDAPv3-enabled server using the hints at
http://www.bayour.com/LDAPv3-HOWTO.html . I managed to install all the required
software (openssl, bdb, kerberos, sasl, openldap).
I am able to do a plain text ldap search using:
ldapsearch -h <fqdn> -x -b "" -s base -LLL supportedSASLMechanisms
This works fine. The SASL connection seems to work ok, too. But when I try to
connect using SSL/TLS with
ldapsearch -H ldap://<fqdn>/ -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
it does not work.
Here is the relevant output of the server:
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1031
The ldapsearch output is:
TLS certificate verification: depth: 1, err: 19, subject: /C=DE/ST=Bayern/L=Muenchen/O=HOMELINUX/OU=IT/CN=server.home.linux/Email=admin@home.linux, issuer: /C=DE/ST=Bayern/L=Muenchen/O=HOMELINUX/OU=IT/CN=server.home.linux/Email=admin@home.linux
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
My slapd.conf contains the lines:
TLSCertificateFile /etc/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/ssl/private/ldapkey.pem
TLSCACertificateFile /etc/ssl/cacert.pem
ldap.conf reads as follows:
ssl start_tls
I created the keys using the instructions in the 'Openssl-Handbuch' (German
language). I created a CA and signed my service key with my CA cert (do you
need the exact instructions?).
I think the problem has something to do with the way I created the keys and
my self-signed CA (I haven't filled the ldap database so far, but this
shouldn't be the problem, should it?). I couldn't find a solution on Google
or on the list.
Thanks in advance for any help,
Dieter
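The client-side failure reported above (depth 1, err 19: the CA that signed the server certificate is present in the chain the server sends, but not in the client's trust store) can be reproduced and checked outside slapd with the openssl CLI. The script below is an added example, not part of the original message; the CA and server names in it are constructed, and its -CAfile step corresponds to pointing the OpenLDAP client library at the CA with a TLS_CACERT line in ldap.conf.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce X509 error 19,
# "self signed certificate in certificate chain", with a constructed CA and
# a CA-signed server certificate, then show the same check passing once the
# verifier is handed the CA certificate. Requires the openssl CLI; all file
# names and subjects are hypothetical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test CA plus a server certificate signed by it, mirroring the
# post's setup (self-signed CA, service key signed by that CA).
make_ca_and_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$WORK/ldapkey.pem" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/ldap.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/ldapcert.pem" 2>/dev/null
}

# Verify with the CA present in the presented chain (-untrusted) but absent
# from the trust store: the ldapsearch client's situation when ldap.conf has
# no TLS_CACERT line. Prints the X509 error code; "19" is expected.
verify_without_trusted_ca() {
  openssl verify -untrusted "$WORK/cacert.pem" "$WORK/ldapcert.pem" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
}

# Same certificate, but the verifier is told to trust the CA (-CAfile), which
# is what TLS_CACERT /path/to/cacert.pem does for the OpenLDAP client library.
# Exit status 0 means the chain verified OK.
verify_with_trusted_ca() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/ldapcert.pem" >/dev/null 2>&1
}

make_ca_and_server_cert
echo "without trusted CA: X509 error $(verify_without_trusted_ca)"
if verify_with_trusted_ca; then echo "with trusted CA: OK"; fi
```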