TLS unknown CA
I hope someone could help me out.
SuSE Enterprise Linux Server 8
OpenLDAP 2.2.14
I have built two identical machines for LDAP client/server testing,
and compiled OpenLDAP 2.2.14 from source as follows :-
env CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" \
./configure --enable-wrappers --enable-crypt --enable-slurpd --with-tls
I created two certificates using my self-signed CA, and passed the
server test from the client as stated in the OpenLDAP SSL/TLS How-To :-
openssl s_client -connect server.example.com:636 -showcerts -state \
  -CAfile /usr/share/ssl/cacert.pem
Client config. file /usr/local/etc/openldap/ldap.conf has the line :-
tls_cacertfile /usr/share/ssl/cacert.pem
Server config. file /usr/local/etc/openldap/slapd.conf has these lines :-
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/local/server-cert.pem
TLSCertificateKeyFile /etc/local/server-key.pem
TLSCACertificateFile /usr/share/ssl/cacert.pem
It works fine with SSL, but it fails with TLS with the following error :-
TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It seems that the client could not locate the CA certificate
tls_cacertfile, and I have copied ldap.conf to different locations
(/etc/ldap.conf, /usr/local/etc/ldap.conf and
/etc/local/etc/openldap/ldap.conf), but the errors are the same. I have
tried the steps in the O'Reilly LDAP book and those on the newsgroup, but it
does not work.
Is there anything I have done wrong?
Thanks a lot.
John
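An added check, not part of John's message, that separates "the CA file does not validate the server certificate" from "the client cannot see the CA file at all": it builds a throwaway CA and server certificate with openssl and runs the same verification a TLS client performs. Verify error 19 (self signed certificate in certificate chain, the error in the trace above) means the server presented its CA certificate in the chain but the client does not trust it, whereas error 20 means no issuer was available at all. All file names and subject names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throwaway CA and a
# server certificate, then run the verification a TLS client performs, to
# see whether a given CA file validates the server certificate and, if not,
# which verify error comes back. All names and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
# Demo CA (role of /usr/share/ssl/cacert.pem) and an unrelated CA (role
# of a client pointed at the wrong CA file).
for ca in cacert other-ca; do
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$ca" -keyout "$ca-key.pem" -out "$ca.pem" >/dev/null 2>&1
done
# Server certificate issued by the demo CA (role of server-cert.pem).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=server.example.com" -keyout server-key.pem -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA cacert.pem -CAkey cacert-key.pem \
  -CAcreateserial -days 2 -out server-cert.pem >/dev/null 2>&1

# Reduce "openssl verify" output to "ok" or "error N" (N = X509_V_ERR code).
verify_result() {
  if out=$(openssl verify "$@" server-cert.pem 2>&1); then echo ok
  else printf '%s\n' "$out" | grep -o 'error [0-9][0-9]*' | head -n 1; fi
}
# verify_chain CAFILE: server sends its CA cert along in the handshake (what
# TLSCACertificateFile in slapd.conf causes), modelled here with -untrusted.
verify_chain() { verify_result -CAfile "$1" -untrusted cacert.pem; }
# verify_leaf CAFILE: server sends only its own certificate.
verify_leaf() { verify_result -CAfile "$1"; }

echo "right CA file, CA in chain: $(verify_chain cacert.pem)"   # ok
echo "wrong CA file, CA in chain: $(verify_chain other-ca.pem)" # error 19
echo "wrong CA file, leaf only:   $(verify_leaf other-ca.pem)"  # error 20
```

If the "right CA file" line prints ok, the certificates and CA file are fine and the remaining suspect is how the client reads its configuration, not the PKI.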