Re: Trying to get TLS Working
Thank you for your reply, Howard.
On Sep 27, 2004, at 4:25 PM, Howard Chu wrote:
> Run ldapsearch with debugging enabled. There are a variety of reasons
> this may be failing, but without the debug info it's impossible to
> say.
Quite so. This seems to be the important part:
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Oregon/L=Portland/O=Example, Inc./OU=Example/CN=Example CA/emailAddress=www@example.com, issuer: /C=US/ST=Oregon/L=Portland/O=Example, Inc./OU=Example/CN=Example CA/emailAddress=www@example.com
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
If I'm reading this right, it thinks that the server and CA certs have
the same CN, though I could have sworn I created them with different
CNs...
> Also, you didn't mention whether you've configured your ldap.conf
> properly. I will assume since you didn't mention it that you haven't
> configured it, and this obviously must be done first.
Quite so. I hadn't even noticed it. I only saw instructions for editing
an ldap.conf used by pam and nis, neither of which I'm using at this
point. I'll take a look at its man page and see what it says.
Thanks,
David
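
The debug lines quoted in this message can be decoded field by field. The following Python parser is an added example, not part of the original post; its function names are this example's own. It maps the OpenSSL verify code and the 7-byte TLS record from the trace to their meanings, using OpenSSL's depth numbering (0 is the server certificate, 1 and above are issuing CAs).

```python
import re

# Constructed input: the debug lines quoted in the message above, with the
# e-mail line wrapping undone.
SAMPLE_LOG = """\
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Oregon/L=Portland/O=Example, Inc./OU=Example/CN=Example CA/emailAddress=www@example.com, issuer: /C=US/ST=Oregon/L=Portland/O=Example, Inc./OU=Example/CN=Example CA/emailAddress=www@example.com
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
"""

# Subset of OpenSSL X509_V_ERR_* codes and of TLS alert descriptions.
X509_ERR = {10: "certificate has expired", 18: "self signed certificate",
            19: "self signed certificate in certificate chain",
            20: "unable to get local issuer certificate"}
ALERT_DESC = {42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca"}

VERIFY_RE = re.compile(r"depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$")
HEX_RE = re.compile(r"^0000:((?: [0-9a-fA-F]{2})+)")

def parse_verify(line):
    """Decode one 'TLS certificate verification: depth: ...' line."""
    m = VERIFY_RE.search(line)
    if not m:
        return None
    depth, err = int(m[1]), int(m[2])
    return {"depth": depth, "err": err, "reason": X509_ERR.get(err, "unknown"),
            "role": "server certificate" if depth == 0 else "CA certificate",
            "subject_equals_issuer": m[3].strip() == m[4].strip()}

def parse_alert(line):
    """Decode a hex-dumped TLS record if it is an alert (content type 21)."""
    m = HEX_RE.match(line)
    if not m:
        return None
    rec = bytes.fromhex(m[1].replace(" ", ""))
    if len(rec) < 7 or rec[0] != 21:
        return None
    return {"version": (rec[1], rec[2]),          # (3, 1) is TLS 1.0
            "level": {1: "warning", 2: "fatal"}.get(rec[5], "?"),
            "description": ALERT_DESC.get(rec[6], str(rec[6]))}

def diagnose(log):
    """Collect the verify failure and the alert the client sent in response."""
    out = {}
    for line in log.splitlines():
        for key, parsed in (("verify", parse_verify(line)), ("alert", parse_alert(line))):
            if parsed:
                out[key] = parsed
    return out
```

For this trace, `diagnose(SAMPLE_LOG)` reports a depth-1 CA certificate whose subject equals its issuer, rejected with code 19, followed by a fatal `unknown_ca` alert sent by the client. Code 19 means the chain ended in a root the client does not have as a trust anchor; in OpenLDAP's client-side `ldap.conf` the CA file is named with `TLS_CACERT`.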