ldap_start_tls: Can't contact LDAP server (81)



Hello all

I'm trying to use TLS, but I get an error when testing with
[root@linux-integ /]# ldapsearch -ZZ
ldap_start_tls: Can't contact LDAP server (81)


I have generated, with openssl, a CA environment and a
server certificate signed by the CA,
with the following commands (Linux RH 8.0):
$ cd /
$ /usr/share/ssl/misc/CA -newca
$ openssl req -new > new.cert.csr
$ openssl rsa -in privkey.pem -out new.cert.key
$ cat privkey.pem > newreq.pem
$ cat new.cert.csr >> newreq.pem
$ /usr/share/ssl/misc/CA -signreq

The server certificate is valid:
$ openssl verify -CAfile /demoCA/cacert.pem /newcert.pem
/newcert.pem: OK

I put these lines in slapd.conf:
TLSCertificateFile      /newcert.pem
TLSCertificateKeyFile   /new.cert.key
TLSCACertificateFile    /demoCA/cacert.pem
TLSVerifyClient         never

I put these lines in ldap.conf:
HOST linux-integ.enatel.local
(I did use this hostname when I created the server certificate)
ssl start tls
TLS hard
TLS CACERT /demoCA/cacert.pem

but when I try to test the communication:
[root@linux-integ /]# ldapsearch -ZZ
ldap_start_tls: Can't contact LDAP server (81)

and if I put "TLS never" instead of "TLS hard" in ldap.conf I get:
[root@linux-integ /]# ldapsearch -ZZ
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I think this is not an openssl problem, since my certificate is valid and the
key isn't encrypted.

What is wrong?

Any help would be very useful to me.

Thx

Francois Beretti

PS: I use OpenLDAP 2.1.12 RPMs made by Jehan Procaccia, on a Linux
Red Hat 8.0 station, with openssl 0.9.6b-29 (default Red Hat RPM).
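As an added example, not part of the original post: a small shell diagnostic that checks the three properties the StartTLS handshake above depends on (the chain verifies against the CA file, the key file belongs to the certificate, and the certificate CN matches the HOST name in ldap.conf), using the file names and hostname from the message. It assumes the openssl command-line tool (1.0 or later, for `openssl pkey`) is on PATH; the function name check_tls_material is mine.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Before changing slapd.conf,
# check the three properties a StartTLS handshake depends on:
#   1. the server certificate verifies against the CA file the client trusts,
#   2. TLSCertificateKeyFile really is the private key for TLSCertificateFile,
#   3. the certificate's CN equals the HOST name the client connects to.
# Assumes the openssl command-line tool (1.0 or later) is on PATH.

# check_tls_material CERT KEY CACERT HOSTNAME -> exit status 0 only if all pass
check_tls_material() {
    cert=$1; key=$2; ca=$3; host=$4; rc=0

    # 1. chain: the same check the poster ran with 'openssl verify'
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain:    OK"
    else
        echo "chain:    FAIL ($cert is not signed by $ca)"; rc=1
    fi

    # 2. pairing: the public key inside the cert must equal the key's public part
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "key:      OK"
    else
        echo "key:      FAIL ($key does not belong to $cert)"; rc=1
    fi

    # 3. hostname: the client compares ldap.conf HOST with the certificate CN
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -n "$cn" ] && [ "$cn" = "$host" ]; then
        echo "hostname: OK (CN=$cn)"
    else
        echo "hostname: FAIL (CN='$cn' does not match '$host')"; rc=1
    fi
    return $rc
}

# Stand-alone use with the paths and host from the post:
#   check_tls_material /newcert.pem /new.cert.key /demoCA/cacert.pem linux-integ.enatel.local
```

A FAIL on any line points at the file or ldap.conf setting to fix before retrying ldapsearch -ZZ.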