
Re: [seeking help] unknown CA



Ben Kim wrote:

I have a PHP script authenticating users against an LDAP server (not under
my control) which I know has no problem.
But when I use it on my newly compiled server, it cannot bind over the ldaps
protocol. Packet traces show the following exchange.
- client: Client Hello
- server: Server Hello, Certificate, Server Hello Done
- client: Alert (Level: Fatal, Description: Unknown CA)

Cc'ed you, since this was a couple of days ago.

*Assuming Linux, since you do not say*. If you have linked libphp4.so against the OpenLDAP client libraries libldap and liblber, your libphp4.so will be using /usr/local/etc/ldap.conf or /etc/openldap/ldap.conf, depending on your distro. NB, NOT /etc/ldap.conf.

You get the LDAP server admin to send you a copy of the CA certificate he uses (have him gzip it, if he uses email), you put it in a directory readable by your Apache user (nobody, apache, whatever), and you put the following line in ldap.conf:

TLS_CACERTDIR /path/to/cacertdir

This is not literal! You have to substitute your own path. If you need more CA certs for different purposes, you can append them into the same cacert file in the cacertdir.

On Google, it seems to be one of the standard error strings:

"unknown CA: A valid certificate chain or partial chain was received, but
the certificate was not accepted because the CA certificate could not be
located or couldn't be matched with a known, trusted CA. This message
is always fatal."

It is only "fatal" in the sense that it doesn't work at that moment. It will not be "fatal" if you do the above.


Best,

--Tonni

--
Tony Earnshaw

Among bigwigs I can scarcely thrive; among equals I am most content

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl