
Re: SSL/TLS - Help Please



Hi,

you said: "The error is below that line (two lines down) and says that the CA is unknown....
           You have to add the certificate to the list of trusted CAs."

This error is strange because I had already done that in my slapd.conf.

--> TLSCACertificateFile  /root/certificados/cacert.pem

I'm going to do some more tests

Best Regards

Alberto Tablado wrote:
Literally, the log says that your certificate is self signed, i.e., the
issuer and the subject are the same. This, per se, is not an error. In
fact, CAs have self-signed certificates.

The error is below that line (two lines down) and says that the CA is
unknown. Normally, certificates are signed by well-known CAs (like
VeriSign), but your certificate is signed by yourself, who is not known.
Normally, when a certificate signed by an unknown CA is received, the
program asks you for acceptance. In servers, this is not possible. You
have to add the certificate to the list of trusted CAs.

Regards.

Alberto.

On Wed, 04-02-2004 at 19:06, Miguel Baptista wrote:

Hi,

I've tried to solve the problem without bothering you again, but no luck.

My computer's FQDN is now estagio.ccom.uminho.pt.   As in the previous 
attempt, I followed this page's guide: 
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

I created new certificates (CA, server and client).  They are all in the 
same (testing) computer. So, the CN in those certificates is 
estagio.ccom.uminho.pt
I've made the necessary changes in these files: slapd.conf, ldap.conf and 
.ldaprc

I run my server with this command:   /usr/local/libexec/slapd -d -1 -h 
"ldap:///estagio.ccom.uminho.pt ldaps:///estagio.ccom.uminho.pt"

I executed this command:
ldapsearch -x -d -1 -b 'dc=uminho,dc=pt' -D "cn=Manager,dc=uminho,dc=pt" 
'(uid=a22)' -H ldaps://estagio.ccom.uminho.pt  -W -ZZ

and this is the client's trace with the -d -1 option (I removed some 
parts that didn't look important)

  ldap_url_parse_ext(ldaps://estagio.ccom.uminho.pt:636)
  ldap_connect_to_host: TCP estagio.ccom.uminho.pt:636
  ldap_connect_to_host: Trying 192.168.1.210:636
  ldap_connect_timeout: fd: 3 tm: -1 async: 0
  ldap_int_sasl_open: host=estagio.ccom.uminho.pt
  TLS trace: SSL_connect:before/connect initialization
  tls_write: want=148, written=148
  TLS trace: SSL_connect:SSLv2/v3 write client hello A
  tls_read: want=7, got=7
  tls_read: want=72, got=72
  TLS trace: SSL_connect:SSLv3 read server hello A
  tls_read: want=5, got=5
  tls_read: want=1683, got=1683
  TLS certificate verification: depth: 1, err: 19, subject: 
/C=pt/ST=pt/L=braga/O=braga/OU=certificador/CN=estagio.ccom.uminho.pt, 
issuer: /C=pt/ST=pt/L=braga/O=braga/OU=certificador/CN=estagio.ccom.uminho.pt
  TLS certificate verification: ------------------->  Error, self signed 
certificate in certificate chain  <--------------------------
  tls_write: want=7, written=7
  TLS trace: SSL3 alert write:fatal:unknown CA
  TLS trace: SSL_connect:error in SSLv3 read server certificate B
  TLS trace: SSL_connect:error in SSLv3 read server certificate B
  TLS: can't connect.
  ldap_perror
  ldap_start_tls: Can't contact LDAP server (81)
         additional info: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Does this problem arise because I have the client, CA and server on the 
same machine? I followed the tutorial but I didn't use the self-signed 
certificate, so why is this happening? Any ideas?
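Added example (not part of this thread and not OpenLDAP's own code): a short shell script that reproduces the exact verification failure shown in the trace above with the openssl command-line tool. It builds a constructed private CA and a server certificate signed by it, then runs openssl verify twice. First the CA certificate is only presented in the chain (the -untrusted file, which is what a server does during the handshake) but is absent from the verifier's trust store; that yields X.509 verify error 19 at depth 1, "self signed certificate in certificate chain", the same err: 19 / depth: 1 as in the ldapsearch trace. Second, the same CA certificate is loaded as trusted and the chain verifies OK. The hostname ldap.example.test and all file paths are constructed for the demo, and OpenSSL 1.1.0 or newer is assumed for the -no-CAfile/-no-CApath options.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce X.509 verify error 19
# ("self signed certificate in certificate chain") with the openssl CLI and
# show that it disappears once the VERIFYING side trusts the CA certificate.
# Assumes OpenSSL 1.1.0 or newer (for -no-CAfile / -no-CApath).
# All names and paths below are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DEMO_CN="ldap.example.test"   # constructed hostname, stands in for the server FQDN

# Private CA: a self-signed certificate is the normal root of a chain.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo/CN=Demo Root CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Server certificate signed by that CA (chain: server at depth 0, CA at depth 1).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Demo/CN=$DEMO_CN" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/servercert.pem" 2>/dev/null
}

# Verify the server certificate the way a TLS client does: the CA cert is
# PRESENTED in the chain (-untrusted, as a server sends it) but is only
# trusted if it is in the trust store given as $1 ("" = empty trust store).
# Prints the numeric X509 verify error code, or 0 when the chain verifies.
verify_chain() {
    if [ -n "$1" ]; then
        trust="-CAfile $1"
    else
        trust="-no-CAfile -no-CApath"
    fi
    # word-splitting of $trust into two options is intended
    if out=$(openssl verify $trust -untrusted "$WORK/cacert.pem" \
                 "$WORK/servercert.pem" 2>&1); then
        echo 0
    else
        # failure output contains a line like "error 19 at 1 depth lookup: ..."
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

make_ca
make_server_cert
echo "CA presented in chain but not trusted -> error $(verify_chain "")"
echo "CA loaded into the trust store        -> error $(verify_chain "$WORK/cacert.pem")"
```

The verification in the trace above is performed by the ldapsearch client, so the trust store that matters there is the client's one: for OpenLDAP clients that is the TLS_CACERT setting in ldap.conf or .ldaprc, whereas TLSCACertificateFile in slapd.conf configures trust for the server side only.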