
RE: Error in certificate



Hi Brian,

> If you're running LDAPS on port 636, you can do ...
> openssl s_client -connect hostname:636 -showcerts
> where hostname is the hostname of your box (must be the FQDN that is
> listed in the certificate).  Even if you're not running LDAPS, it'd be
> worth doing so just to debug it and then turn it off.
>
> If you're only doing STARTTLS, you can't use s_client to verify the
> certificate.  You'd have to do what Howard suggested.

I started slapd with
slapd -d 7 -h ldaps://

I did
debian-ldap:/etc/ldap# openssl s_client -connect
debian-ldap.enatel.local:636 -showcerts

and I got:
debian-ldap:/etc/ldap# openssl s_client -connect
debian-ldap.enatel.local:636 -showcerts
CONNECTED(00000003)
depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
   i:/DC=local/DC=enatel/CN=Autorite Enatel
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
---
Server certificate
subject=/DC=local/DC=enatel/CN=debian-ldap.enatel.local
issuer=/DC=local/DC=enatel/CN=Autorite Enatel
---
No client certificate CA names sent
---
SSL handshake has read 1090 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
41888CEE9FFC6DC8A27C6D97964B3693D1BACCA3DCFE2D8B4B7EB64039E23085
    Session-ID-ctx:
    Master-Key:
206F1AA8C00665264C1C1F11107E75E3437ECB351CA44EE58E534389417791910BA3E1E87537
60C447E9B1DA0709B434
    Key-Arg   : None
    Start Time: 1063699267
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


Why do I get all these errors?

François Beretti
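The three verify errors in the s_client output above (num=20 "unable to get local issuer certificate", num=27 "certificate not trusted", num=21 "unable to verify the first certificate") are one condition reported three ways: s_client was never told which CA to trust, so it has the server certificate but cannot find the issuer ("Autorite Enatel") to build a chain. The handshake itself still completes, which is why the cipher and session lines look healthy. The script below is an added example, not code from the thread: it builds a throwaway CA and a server certificate signed by it (all names, such as "Example Test CA" and ldap.example.local, are constructed), reproduces error 20 with `openssl verify` when no trust anchor is supplied, and shows that supplying the CA with `-CAfile` clears it. The same `-CAfile` argument applied to the poster's s_client command is what turns "Verify return code: 21" into "0 (ok)".

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the
# "unable to get local issuer certificate" condition offline and fix it.
# Every name here (the CA, the hostname, the work directory) is constructed
# for the demo; the real CA and host in the thread are not used.
WORK="${TMPDIR:-/tmp}/ldaps-verify-demo.$$"

make_test_pki() {
    mkdir -p "$WORK"
    # Throwaway private CA, playing the role the thread's "Autorite Enatel" plays.
    # req -x509 with the stock openssl.cnf emits a CA:TRUE self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/DC=local/DC=example/CN=Example Test CA" >/dev/null 2>&1
    # Server key and CSR, then a leaf certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/DC=local/DC=example/CN=ldap.example.local" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify the leaf with no trust anchor supplied. This is the situation the
# s_client run in the thread was in, and it fails the same way (error 20).
verify_without_ca() {
    if openssl verify "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Pull the numeric X509 verify error out of the failure text, i.e. the
# "num=20" / "error 20" that the poster saw.
verify_error_number() {
    openssl verify "$WORK/server.pem" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

# The fix: hand openssl the issuing CA so it can complete the chain.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Against a live LDAPS listener the same -CAfile argument is added to the
# s_client command from the thread; "Verify return code: 0 (ok)" is the
# result to look for. Usage: ldaps_check ldap.example.local:636 /path/ca.pem
# (the host and path are placeholders; this is not run by the demo).
ldaps_check() {
    openssl s_client -connect "$1" -CAfile "$2" -showcerts </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone run: build the PKI, show both outcomes, tidy up.
if [ "${1:-}" = "demo" ]; then
    make_test_pki
    echo "without CA: $(verify_without_ca) (error $(verify_error_number))"
    echo "with CA:    $(verify_with_ca)"
    cleanup
fi
```

Run it as `sh verify-demo.sh demo`. The first line reports `fail (error 20)`, the second `ok`; the only difference between the two verifications is whether the CA certificate was supplied. For slapd the analogous fix on the client side is to point the LDAP client (and any s_client test) at the CA certificate file rather than at the server certificate alone.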

