
Re: TLS certificate verification: Error, self signed certificate
--On Monday, November 10, 2003 9:52 PM -0800 David Highley <dhighley@highley-recommended.com> wrote:

I'm working with openldap 2.1.23 on Sparc Solaris 9 systems. I have
set up an LDAP server and replica. I have loaded the database using
PADL's scripts. Now I'm trying to get tls working. I have created
certificates and keys on the ldap server and verified them with openssl.
I copied them to the replica system as well. I have added the TLS lines
to the slapd.conf file and the ldap.conf file. When I test using
ldapsearch on the ldap server I get the following error:

/usr/local/bin/ldapsearch -d -1 -x -ZZ -b 'dc=highley-recommended,dc=com' '(objectclass=*)'

TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So can we use self signed certificates? Do we need to generate
certificates and keys for the replica? What about clients?

Search the archives... There are hundreds of messages telling how to make this work. There are even some from today!


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
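
The failure quoted above is a client-side trust decision: libldap could not chain the server's self-signed certificate to any CA it trusts, so it sent the "unknown CA" alert and ldapsearch gave up because -ZZ requires StartTLS to succeed. With OpenLDAP the trust anchor for the client is TLS_CACERT in ldap.conf; for a self-signed server certificate that file is the server certificate itself (or the private CA that issued it). Loosening TLS_REQCERT instead makes the symptom disappear but removes server authentication. The script below is an added example, not code from the thread or from OpenLDAP: a POSIX shell check that reads TLS_CACERT and TLS_REQCERT from the client's ldap.conf and TLSCertificateFile from slapd.conf, flags a weak TLS_REQCERT or a missing trust anchor, and, when both files exist, asks openssl whether the server certificate verifies against the configured CA file. The sample configs it writes to a temporary directory are constructed for illustration; every path and hostname in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the OpenLDAP client trust
# setup in ldap.conf against the server certificate named in slapd.conf.
# All sample paths and configs below are constructed assumptions.

# Print the value of a directive from an OpenLDAP-style config file
# (keyword, whitespace, value; comment lines start with '#').
# Keywords are matched case-insensitively, as libldap/slapd do.
conf_get() {
    _file=$1; _key=$2
    [ -r "$_file" ] || return 1
    awk -v key="$_key" 'NF >= 2 && tolower($1) == tolower(key) { print $2; exit }' "$_file"
}

# TLS_REQCERT decides what the client does with an unverifiable server
# certificate. Only the default (unset = demand) and "hard" refuse it;
# "never", "allow" and "try" skip or downgrade the check.
reqcert_is_strict() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ''|demand|hard) return 0 ;;
        *)              return 1 ;;
    esac
}

# Ask openssl whether the server certificate chains to the client's CA file.
# Echoes ok / untrusted / no-openssl.
verify_server_cert() {
    _cafile=$1; _cert=$2
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 2; }
    if openssl verify -CAfile "$_cafile" "$_cert" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted; return 1
    fi
}

# Cross-check ldap.conf (client side) against slapd.conf (server side)
# and echo a one-word verdict; non-zero exit on any misconfiguration.
check_tls_trust() {
    _ldapconf=$1; _slapdconf=$2
    cacert=$(conf_get "$_ldapconf" TLS_CACERT)
    reqcert=$(conf_get "$_ldapconf" TLS_REQCERT)
    servercert=$(conf_get "$_slapdconf" TLSCertificateFile)

    if ! reqcert_is_strict "$reqcert"; then
        echo "weak-reqcert:$reqcert"; return 1
    fi
    if [ -z "$cacert" ]; then
        # No trust anchor on the client: any self-signed or private-CA
        # server certificate is "unknown CA", exactly the error in the thread.
        echo missing-cacert-directive; return 1
    fi
    [ -r "$cacert" ] || { echo "cacert-file-missing:$cacert"; return 1; }
    [ -n "$servercert" ] && [ -r "$servercert" ] || { echo "server-cert-missing:$servercert"; return 1; }
    verify_server_cert "$cacert" "$servercert"
}

# Constructed sample configs: one ldap.conf that mirrors the thread (TLS used,
# no TLS_CACERT) and one fixed to trust the server's own certificate.
# Writes into a fresh temp directory and echoes its path.
make_sample_configs() {
    _dir=$(mktemp -d)
    cat > "$_dir/slapd.conf" <<EOF
# constructed sample slapd.conf (placeholder paths)
TLSCertificateFile    $_dir/server.pem
TLSCertificateKeyFile $_dir/server.key
EOF
    cat > "$_dir/ldap.conf.broken" <<EOF
# constructed sample ldap.conf: no trust anchor configured
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
EOF
    cat > "$_dir/ldap.conf.fixed" <<EOF
# constructed sample ldap.conf: trust the self-signed server cert directly
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
TLS_CACERT  $_dir/server.pem
TLS_REQCERT demand
EOF
    echo "$_dir"
}

# Stand-alone usage: report the verdict for both constructed variants.
dir=$(make_sample_configs)
echo "broken ldap.conf: $(check_tls_trust "$dir/ldap.conf.broken" "$dir/slapd.conf" || true)"
echo "fixed ldap.conf:  $(check_tls_trust "$dir/ldap.conf.fixed" "$dir/slapd.conf" || true)"
rm -rf "$dir"
```

On a real host, point check_tls_trust at /etc/openldap/ldap.conf and slapd.conf (paths vary per installation) with the certificate files in place; the openssl verify step then tells you whether the client's TLS_CACERT actually covers the certificate slapd presents. A replica running its own slapd needs the same check against its own slapd.conf and certificate.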