
Re: SSL3 alert read:warning:bad certificate



man, 26.07.2004 kl. 19.09 skrev Artur Kokoszka:
[...]

> Both s_server and slapd are run by root, and in both cases the client 
> is run by a common user.
> The permissions are (the /etc/ldap directory is rx for all)
> 
> -rw-r--r--    1 root     root         1237 Jul 24 14:19 cacert.pem
> -rw-r--r--    1 root     root          365 Jul 23 23:37 ldap.conf
> -rw-r--r--    1 root     root         3593 Jul 24 14:56 ldapcert.pem
> -r--------    1 root     root         1587 Jul 24 14:50 ldapkey.pem
> -rw-------    1 root     root         3747 Jul 24 14:33 slapd.conf
> 
> Ldap client configuration is not valid in the case of s_client, but I 
> put it below additionally.
> 
> The client configuration:
> 
> ~/.ldaprc
> 
> BINDDN cn=admin,dc=example,dc=com
> TLS_CACERT /etc/ldap/cacert.pem
> TLS_CERT /home/artur/cert/newcert.pem
> TLS_KEY /home/artur/cert/newreq.pem
> 
> ldap.conf
> 
> BASE    dc=example,dc=com
> URI     ldaps://ldap.example.com
> TLS_CACERT /etc/ldap/cacert.pem

O.k., the permissions would be o.k., if you're running slapd as root
(which is generally reckoned to be "a bad thing"). Then you're left with
the "bad certificate" bit, which should be taken at face value - i.e.
there's something wrong with your certificates. Making them with CA.pl
generally works - Make cacert -> CA.cert, newcert -> public key and
newreq -> private key. Or follow Kent Soper's HOWTO:

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

--Tonni

-- 

Happiness is having your cat jump in through the window and
greet you, with the light summer dew yet a few seconds wet
on his coat.

mail: tonye@billy.demon.nl
http://www.billy.demon.nl
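As an added check (not part of the thread, and not OpenLDAP's or OpenSSL's own code), a shell function that tests the three things Tonni's advice boils down to: the user running the client can read its files, the cert chains to the CA cert, and the key file really holds the key for that cert. It assumes the openssl command-line tool; the three paths are whatever TLS_CACERT, TLS_CERT and TLS_KEY point at.

```shell
#!/bin/sh
# Added example (not part of the thread): sanity-check the CA cert, cert and
# key an OpenLDAP client or slapd is configured with, before treating the
# "bad certificate" alert as anything but a certificate problem.
# Assumes the openssl CLI. Usage: check_tls_files CACERT CERT KEY

check_tls_files() {
    ca="$1"; cert="$2"; key="$3"; rc=0

    # 1. The user running the client must be able to open all three files.
    #    (In the listing above ldapkey.pem is root-only, so a non-root
    #    client could not use it.)
    for f in "$ca" "$cert" "$key"; do
        if [ -r "$f" ]; then
            echo "ok   readable: $f"
        else
            echo "FAIL not readable by $(id -un): $f"; rc=1
        fi
    done

    # 2. The cert must chain to the CA the peer trusts; a peer that cannot
    #    build that chain is what sends the "bad certificate" alert.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   $cert verifies against $ca"
    else
        echo "FAIL $cert does not verify against $ca"; rc=1
    fi

    # 3. The key file must hold the key for that cert. Comparing the public
    #    keys works for RSA and EC alike. With CA.pl, newreq.pem holds the
    #    key (plus the CSR) and newcert.pem the signed cert; an encrypted
    #    key prompts for its passphrase here.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]; then
        echo "ok   $key matches $cert"
    else
        echo "FAIL $key does not match $cert"; rc=1
    fi
    return "$rc"
}

# Run directly with three paths, e.g. the TLS_CACERT/TLS_CERT/TLS_KEY
# values from ~/.ldaprc:
if [ $# -eq 3 ]; then
    check_tls_files "$1" "$2" "$3"
fi
```

Run it as the same user the client runs as, since the readability check is about that user's permissions, not root's.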