RE: Error in certificate
Hi Brian,
> If you're running LDAPS on port 636, you can do ...
> openssl s_client -connect hostname:636 -showcerts
> where hostname is the hostname of your box (must be the FQDN that is
> listed in the certificate). Even if you're not running LDAPS, it'd be
> worth doing so just to debug it and then turn it off.
>
> If you're only doing STARTTLS, you can't use s_client to verify the
> certificate. You'd have to do what Howard suggested.
I started slapd with
slapd -d 7 -h ldaps://
I did
debian-ldap:/etc/ldap# openssl s_client -connect debian-ldap.enatel.local:636 -showcerts
and I got:
debian-ldap:/etc/ldap# openssl s_client -connect debian-ldap.enatel.local:636 -showcerts
CONNECTED(00000003)
depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
i:/DC=local/DC=enatel/CN=Autorite Enatel
-----BEGIN CERTIFICATE-----
[... base64 certificate body omitted ...]
-----END CERTIFICATE-----
---
Server certificate
subject=/DC=local/DC=enatel/CN=debian-ldap.enatel.local
issuer=/DC=local/DC=enatel/CN=Autorite Enatel
---
No client certificate CA names sent
---
SSL handshake has read 1090 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
41888CEE9FFC6DC8A27C6D97964B3693D1BACCA3DCFE2D8B4B7EB64039E23085
Session-ID-ctx:
Master-Key:
206F1AA8C00665264C1C1F11107E75E3437ECB351CA44EE58E534389417791910BA3E1E87537
60C447E9B1DA0709B434
Key-Arg : None
Start Time: 1063699267
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Why do I get all these errors?
François Beretti
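An added example (not part of this thread, and not anything from the OpenLDAP project) that reproduces what the three "verify error" lines above mean: codes 20, 27 and 21 are all X509 verification results saying that s_client could not build a chain from the server certificate to a trust anchor it knows, because the issuer "Autorite Enatel" is a private CA that is not in the OpenSSL default trust store. The script builds a throw-away CA and server certificate with the subject names from the post, runs "openssl verify" once without and once with the CA certificate, and prints the s_client command line that corresponds to the working case. The temporary directory, the minimal CA config and the file names are constructed here; the path to the real CA certificate is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the s_client situation above with a
# throw-away private CA ("Autorite Enatel") and a server certificate for
# debian-ldap.enatel.local, then verify once without and once with the CA cert.
# Subject names come from the post; everything else here is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
    # Minimal req config (constructed) so the CA certificate always carries
    # basicConstraints CA:TRUE, whatever the system openssl.cnf defines.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed private CA playing the role of "Autorite Enatel".
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" \
        -subj "/DC=local/DC=enatel/CN=Autorite Enatel" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Server key and CSR, then sign the CSR with the private CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/ca.cnf" \
        -subj "/DC=local/DC=enatel/CN=debian-ldap.enatel.local" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# verify_server_cert [CAFILE]
# Runs "openssl verify" on the server certificate; when CAFILE is given it is
# added as a trust anchor. Prints openssl's output and returns 0 only when the
# chain is reported OK, which is what s_client's "Verify return code" reflects.
verify_server_cert() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1) || true
    else
        out=$(openssl verify "$WORK/server.pem" 2>&1) || true
    fi
    printf '%s\n' "$out"
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

make_test_pki

echo "== without the issuing CA (the situation in the post) =="
verify_server_cert || echo "-> chain could not be built: issuer is unknown to OpenSSL"

echo "== with the issuing CA supplied =="
verify_server_cert "$WORK/ca.pem" && echo "-> chain verified"

echo "== equivalent check against the live LDAPS server (placeholder CA path) =="
echo "openssl s_client -connect debian-ldap.enatel.local:636 -CAfile /path/to/ca.pem"
```

The first verify run fails with "error 20 ... unable to get local issuer certificate", exactly the first of the three errors in the s_client output; the second run reports OK because the CA certificate is now a trust anchor. The same distinction applies to the live server: s_client only reports "Verify return code: 0 (ok)" when it is given the CA certificate that issued the slapd certificate, or when that CA is installed in the system trust store.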