
Re: tls doesn't work



Fri, 2003-04-04 at 11:17, Kuba Leszewski wrote:


> I thought this will be easy :-)
[...]
> Then I try to use ldapsearch with the -Z switch, and I get:
> ldap_initialize( <DEFAULT> )
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[...]

> One thing I suspect is (from Admin Guide)
> "The DN of a server certificate must use the CN attribute to name the
> server, and the CN must carry the server's fully qualified domain name "
[...]
> Can somebody give an example of correct certificate parameters?
> I use OpenSSL to create them.

That's what I thought even before I got to the end of your mail.

Don't know what OS you have, whether you have DNS available etc.,
but go to your /pem-format cert/ server cert directory and do:

'openssl x509 -in certname.pem -noout -text'

and see if the Subject: CN name agrees with what your host thinks it is
(Linux 'hostname -f').

Then make sure your ldap clients can read the CA cert path, right up to
the cert itself.

Best,

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
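The check Tony describes, scripted as an added example (not code from this thread): pull the Subject CN out of a PEM certificate, compare it with the name the host believes it has, and verify the certificate against a CA file. The file names are placeholders and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI.

# cert_cn CERT.pem -> prints the Subject CN of the certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *//p' \
        | tr ',' '\n' \
        | sed -n 's/^CN=//p' \
        | head -n 1
}

# cert_matches_host CERT.pem HOSTNAME -> succeeds if the CN equals HOSTNAME
cert_matches_host() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# cert_chain_ok CERT.pem CA.pem -> succeeds if CERT verifies against CA.pem,
# i.e. what a client with TLS_CACERT pointing at CA.pem would accept
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_server_cert CERT.pem CA.pem -> the two checks from the post, against
# what this machine thinks its own fully qualified name is
check_server_cert() {
    host=$(hostname -f 2>/dev/null || hostname)
    if cert_matches_host "$1" "$host"; then
        echo "CN matches $host"
    else
        echo "CN '$(cert_cn "$1")' does not match '$host'"
    fi
    if cert_chain_ok "$1" "$2"; then
        echo "certificate verifies against $2"
    else
        echo "certificate does NOT verify against $2"
    fi
}
```

Current TLS clients match the server name against subjectAltName dNSName entries before falling back to the CN, so on a newer OpenSSL also compare the output of `openssl x509 -noout -ext subjectAltName`.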