[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SSL3 alert write:fatal:unknown CA
Hi
thank you for your suggestion. I looked for a while on openldap.org and didn't
find the article you are mentioning. But, I found the article "How to use I
use TLS/SSL?" in the Faq-O-Matic which gave me some answers.
I'm just testing OpenLDAP to get the know how and that's why I'm not going to
buy a "real" certificate.
Nevertheless, I'm still curious about de document you are talking about...
Cheers, Pierre
Am Mittwoch, 25. Juni 2003 23:50 schrieb Quanah Gibson-Mount:
> Hello,
>
> I suggest reading the OpenLDAP FAQ. It has a nice long detailed
> explanation of why you probably don't want to use self-signed certs, or if
> you do, you need to have a CA cert you can point both the server & clients
> at.
>
> --Quanah
>
> --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
>
> <pierre@globeall.de> wrote:
> > Hi,
> >
> > I'm trying to setup a LDAP server over SSL (it works already very well
> > without SSL)
> >
> > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3
> >
> > I made a certificate, the common name is the FQDN of the host:
> > sun.stars.priv the comand:
> >
> > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> >
> > gives me the followin result:
> >
> > TLS certificate verification: depth: 0, err: 18, subject:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> > il=certificate@sun.stars.priv, issuer:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> > il=certificate@sun.stars.priv TLS certificate verification: Error, self
> > signed certificate
> > tls_write: want=7, written=7
> > 0000: 15 03 01 00 02 02 30 ......0
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect.
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> > additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > What can I do that clients from other hosts than "sun" recognize my self
> > made certificate?
> >
> > On the the server "sun", I put TLS_CACERT /etc/ldap/server.pem in file
> > /etc/ldap/ldap.conf which remove the problem, but of course only on the
> > server.
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html