Error in certificate
Hello
Today I installed a new server (under Debian 3.0r1) with:
- openldap 2.1.22
- cyrus sasl 2.1.15 (libsasl2 package)
- openssl 0.9.7b
I want to use TLS, so I made a new CA with openssl,
then I created and signed a certificate for the slapd server, with an
unencrypted key file.
I put these directives in slapd.conf:
TLSCertificateFile /etc/ldap/ssl/server-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/server-key.pem
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSVerifyClient never
Here is my ldap.conf (the OpenLDAP one):
HOST debian-ldap.enatel.local
BASE dc=enatel,dc=local
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
When I try a clear text search it works:
debian-ldap:/etc/ldap# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# enatel.local
dn: dc=enatel,dc=local
dc: enatel
objectClass: top
objectClass: domain
objectClass: enatelDomain
....
But when I add the "-Z" option it doesn't work any more:
debian-ldap:/etc/ldap# ldapsearch -Z -x
ldap_start_tls: Connect error (91)
additional info: Error in the certificate.
ldap_bind: Can't contact LDAP server (81)
additional info: Error in the certificate.
My server certificate is valid:
debian-ldap:/etc/ldap# openssl verify -CAfile /etc/ldap/ssl/ca-cert.pem /etc/ldap/ssl/server-cert.pem
/etc/ldap/ssl/server-cert.pem: OK
And I don't have a .ldaprc file.
Where is the error?
Thank you very much
Francois Beretti
PS: here is my log on the server:
conn=0 fd=12 ACCEPT from IP=10.10.50.6:1423 (IP=0.0.0.0:389)
TLS certificate verification: Error, Unknown error
conn=0 fd=12 closed
and on the client:
debian-ldap:/etc/ldap# ldapsearch -Z -x -d 256
request 1 done
TLS certificate verification: Error, Unknown error
TLS: can't connect.
ldap_start_tls: Connect error (91)
additional info: Error in the certificate.
ldap_bind: Can't contact LDAP server (81)
additional info: Error in the certificate.