
RE: Error in certificate



Hi Howard,

> The openssl verify command doesn't fully validate a certificate;
> its result
> is relatively useless. Run both slapd and ldapsearch with "-d7"
> debug and see
> what error messages are shown. This error was generated by the OpenSSL
> library, not by OpenLDAP.

This is the log for ldapsearch -d 7:

	[...]
	TLS certificate verification: depth: 0, err: 6, subject: C=, ST=, L=, O=, OU=, CN=debian-ldap.enatel.local/Email=, issuer: C=, ST=, L=, O=, OU=, CN=Autorite Enatel/Email=
	TLS certificate verification: Error, Unknown error
	TLS: can't connect.
	ldap_perror
	ldap_start_tls: Connect error (91)
		additional info: Error in the certificate.
	[...]


This is the one for slapd -d 7:

	[...]
	TLS certificate verification: depth: 0, err: -49, subject: -unknown-, issuer: -unknown-
	TLS certificate verification: Error, Unknown error
	tls_write: want=181, written=181
	[...]
	connection_read(12): unable to get TLS client DN error=49 id=0
	[...]

The ldapsearch log is strange, since my certificates should have a DN like
dc=...,dc=...[,ou=...],cn=..., as I see when I run cat server-cert.pem and as I
set it up in my openssl.cnf.

The slapd log seems to point to the problem: subject: -unknown-,
issuer: -unknown-
What does it mean?

Also, this is what I get when I do
$ openssl s_client -connect debian-ldap.enatel.local:636 -showcerts

	CONNECTED(00000003)
	depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
	verify error:num=20:unable to get local issuer certificate
	verify return:1
	depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
	verify error:num=27:certificate not trusted
	verify return:1
	depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
	verify error:num=21:unable to verify the first certificate
	verify return:1
	---
	Certificate chain
	 0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
	   i:/DC=local/DC=enatel/CN=Autorite Enatel
	[...]
	Server certificate
	subject=/DC=local/DC=enatel/CN=debian-ldap.enatel.local
	issuer=/DC=local/DC=enatel/CN=Autorite Enatel
	---
	No client certificate CA names sent
	[...]
	Verify return code: 21 (unable to verify the first certificate)



François Beretti
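The following script is an added example; it is not code from this thread, from OpenLDAP or from OpenSSL. It rebuilds the situation in the s_client output above with a throwaway private CA (standing in for "Autorite Enatel") plus a second, unrelated CA, issues a server certificate from the first, and runs openssl verify three ways: with no CA file, with the wrong CA file, and with the issuing CA file. The first two report error 20 (unable to get local issuer certificate), the same error s_client prints first when it has no trust anchor for the chain; the third verifies cleanly. All names, subjects and paths are assumptions made for the demonstration, and the certificates are generated in a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example, not from the thread. Throwaway PKI: a private CA, an unrelated
# CA, and a server certificate issued by the first. Subjects and paths are
# assumptions; the DC-style names mirror the ones in the s_client output.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA named $1 with subject $2. The CA extensions are written
# explicitly so the result is a usable issuer regardless of the local
# openssl.cnf.
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate $WORK/server.pem, issued by the CA named $1.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/DC=local/DC=example/CN=ldap.example.local" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Verify server.pem against the CA file $1 (no CA file when $1 is empty) and
# print the X509 error number openssl reports, or 0 when the chain is OK.
# These are the same numbers s_client prints as "verify error:num=NN".
verify_errnum() {
    if [ -n "${1:-}" ]; then
        out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1) && { echo 0; return 0; }
    else
        out=$(openssl verify "$WORK/server.pem" 2>&1) && { echo 0; return 0; }
    fi
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Subject and issuer as openssl prints them (what s_client lists under
# "Certificate chain"); the DC components of the DN should be visible here.
cert_subject() { openssl x509 -noout -subject -in "$WORK/server.pem"; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$WORK/server.pem"; }

make_ca enatel "/DC=local/DC=example/CN=Example Root CA"
make_ca other  "/DC=local/DC=example/CN=Unrelated CA"
make_server_cert enatel

echo "subject: $(cert_subject)"
echo "issuer:  $(cert_issuer)"
echo "no CA file given:   error $(verify_errnum '')"
echo "wrong CA file:      error $(verify_errnum "$WORK/other.pem")"
echo "issuing CA file:    error $(verify_errnum "$WORK/enatel.pem")"
```

Two caveats a practitioner should keep in mind. Error 20 only says that the verifier's trust store does not contain the issuer of the certificate it is looking at; it is the same whether no CA was given or the wrong one was, so it does not by itself tell you which CA file the client is reading. And openssl verify checks only the chain on disk: it performs no TLS handshake and no hostname check, so a clean result here does not replace checking the client end, where the equivalent of the -CAfile argument is TLS_CACERT in ldap.conf for ldapsearch, or -CAfile on openssl s_client, which should then end with "Verify return code: 0 (ok)".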

