Re: SSL3 alert read:warning:bad certificate
On Mon, 26.07.2004 at 19:09, Artur Kokoszka wrote:
[...]
> Both s_server and slapd are run by root, and in both cases the client
> is run by a common user.
> The permissions are (the /etc/ldap directory is rx for all)
>
> -rw-r--r-- 1 root root 1237 Jul 24 14:19 cacert.pem
> -rw-r--r-- 1 root root 365 Jul 23 23:37 ldap.conf
> -rw-r--r-- 1 root root 3593 Jul 24 14:56 ldapcert.pem
> -r-------- 1 root root 1587 Jul 24 14:50 ldapkey.pem
> -rw------- 1 root root 3747 Jul 24 14:33 slapd.conf
>
> Ldap client configuration is not valid in the case of s_client, but I
> put it below additionally.
>
> The client configuration:
>
> ~/.ldaprc
>
> BINDDN cn=admin,dc=example,dc=com
> TLS_CACERT /etc/ldap/cacert.pem
> TLS_CERT /home/artur/cert/newcert.pem
> TLS_KEY /home/artur/cert/newreq.pem
>
> ldap.conf
>
> BASE dc=example,dc=com
> URI ldaps://ldap.example.com
> TLS_CACERT /etc/ldap/cacert.pem
O.k., the permissions would be o.k. if you're running slapd as root
(which is generally reckoned to be "a bad thing"). Then you're left with
the "bad certificate" bit, which should be taken at face value, i.e.
there's something wrong with your certificates. Making them with CA.pl
generally works: make cacert -> CA.cert, newcert -> public key and
newreq -> private key. Or follow Kent Soper's HOWTO:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
--Tonni
--
Happiness is having your cat jump in through the window and
greet you, with the light summer dew yet a few seconds wet
on his coat.
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
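The two things the thread keeps circling, whether the client can read the files named in ~/.ldaprc and whether those files actually contain what TLS_CACERT, TLS_CERT and TLS_KEY expect, can be checked before touching the TLS handshake at all. The script below is an added example written for this page, not code from either poster or from the OpenLDAP project. It parses the quoted .ldaprc format, then for each TLS_* path checks readability as the current user, inspects the PEM block headers (so a file holding a certificate request where a certificate is expected is reported), checks that the private key is not group/world readable, and flags a passphrase-protected key, since ldap.conf(5) documents that TLS_KEY must not be password protected. The PEM files are constructed placeholders with dummy bodies (only their headers are inspected), laid out to mirror the CA.pl output the reply describes: newreq.pem holding a CSR plus an encrypted private key, and a separate unencrypted key file as the corrected case.

```python
import os
import re
import stat
import tempfile

# Constructed sample ~/.ldaprc mirroring the one quoted in the thread.
# run_demo() rewrites the paths to point at temporary files it creates.
SAMPLE_LDAPRC = """\
BINDDN cn=admin,dc=example,dc=com
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /home/artur/cert/newcert.pem
TLS_KEY /home/artur/cert/newreq.pem
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----")

# PEM block types each TLS_* option is expected to point at.
EXPECTED = {
    "TLS_CACERT": {"CERTIFICATE"},
    "TLS_CERT": {"CERTIFICATE"},
    "TLS_KEY": {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
}


def parse_ldaprc(text):
    """Parse ldap.conf / .ldaprc style 'KEY value' lines into a dict (comments skipped)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.upper()] = value.strip()
    return opts


def pem_block_types(path):
    """Return (set of PEM block types in the file, whether it is marked ENCRYPTED)."""
    with open(path, "rb") as f:
        data = f.read().decode("ascii", "replace")
    return set(PEM_BLOCK.findall(data)), "ENCRYPTED" in data


def check_tls_files(opts):
    """Return a list of findings for the TLS_* options; an empty list means all checks passed."""
    findings = []
    for opt, wanted in EXPECTED.items():
        path = opts.get(opt)
        if not path:
            continue
        # os.access answers for the *current* user, which is the point of the thread:
        # root-owned 0600 files are fine for slapd but not for a client run as a normal user.
        if not os.access(path, os.R_OK):
            findings.append(f"{opt}: {path} is missing or not readable by uid {os.geteuid()}")
            continue
        types, encrypted = pem_block_types(path)
        if not types & wanted:
            findings.append(f"{opt}: {path} contains {sorted(types) or 'no PEM blocks'}, "
                            f"expected one of {sorted(wanted)}")
        if opt == "TLS_KEY":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"TLS_KEY: {path} mode {oct(mode)} is readable by group/others")
            if encrypted:
                findings.append(f"TLS_KEY: {path} is passphrase-protected; "
                                "libldap cannot prompt for it, use an unencrypted key")
    return findings


def build_demo(tmpdir):
    """Write constructed PEM files (dummy bodies; only the headers are inspected)."""
    cert_body = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
    # Shape of CA.pl -newreq output: a CSR followed by a passphrase-protected private key.
    req_body = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIBconstructed\n"
                "-----END CERTIFICATE REQUEST-----\n"
                "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIICconstructed\n"
                "-----END RSA PRIVATE KEY-----\n")
    key_body = "-----BEGIN RSA PRIVATE KEY-----\nMIICconstructed\n-----END RSA PRIVATE KEY-----\n"
    files = {"cacert.pem": (cert_body, 0o644), "newcert.pem": (cert_body, 0o644),
             "newreq.pem": (req_body, 0o600), "newkey.pem": (key_body, 0o600)}
    for name, (body, mode) in files.items():
        p = os.path.join(tmpdir, name)
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, mode)
    return {name: os.path.join(tmpdir, name) for name in files}


def run_demo():
    """Check the config as posted (TLS_KEY -> newreq.pem) and with a plain key file instead."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_demo(tmp)
        text = (SAMPLE_LDAPRC.replace("/etc/ldap/cacert.pem", paths["cacert.pem"])
                .replace("/home/artur/cert/newcert.pem", paths["newcert.pem"])
                .replace("/home/artur/cert/newreq.pem", paths["newreq.pem"]))
        as_posted = parse_ldaprc(text)
        fixed = dict(as_posted, TLS_KEY=paths["newkey.pem"])
        return {"as_posted": check_tls_files(as_posted), "fixed": check_tls_files(fixed)}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, "->", findings or "ok")
```

Run it as the same unprivileged user that runs the LDAP client, with the real paths substituted, and the first finding it reports is usually the one to fix; the header check in particular catches the CA.pl habit of leaving the private key inside newreq.pem.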