Re: Unknown CA error - replication
- To: Openldap list <openldap-software@OpenLDAP.org>
- Subject: Re: Unknown CA error - replication
- From: Tony Earnshaw <tonye@billy.demon.nl>
- Date: Fri, 01 Oct 2004 07:47:46 +0200
- In-reply-to: <C619BCB44DE4A540BFE40412B3AAC5D40239D1D9@atl1ex2.corp.etradegrp.com>
- Organization: Billy
- References: <C619BCB44DE4A540BFE40412B3AAC5D40239D1D9@atl1ex2.corp.etradegrp.com>
Fri, 01.10.2004 at 01:39, McMaster, Michael wrote:
[...]
> TLSCertificateFile /etc/cert/newcert.pem
> TLSCertificateKeyFile /etc/cert/newreq.pem
> TLSCACertificateFile /etc/cert/demoCA/cacert.pem
>
> In the client's /etc/ldap.conf, I included:
> TLS_CACERT /etc/cert/demoCA/cacert.pem
>
> I can execute ldap commands over ldaps:// just fine. Testing the
> connection with the command 'openssl s_client -connect myserver.com:636
> -showcerts -state -CAfile /etc/demoCA/cacert.pem' works fine (results in
> return code 0, just like in the howto), so I think the certs are okay...
Are "you" doing this as root?
> When I try to execute slurpd, however, I get this:
>
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_simple_bind_s for sys22m3.etrade.com:636 failed: Can't
> contact LDAP server
> ldap_unbind
Can the user that slurpd is running as read the whole path to the CA
cert?
[...]
--Tonni
--
«Life is an old nag», said the horse.
I can confirm this.
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
They love us, don't they, They feed us, won't they
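
The path check asked about in the reply above, as an added example that is not part of the original message: it walks every component of the CA certificate path and names the first one the invoking user cannot traverse or read. The function name is hypothetical, and the account slurpd runs as is an assumption you must supply when running it.

```shell
#!/bin/sh
# Added example (not from the thread). Run it as the account slurpd runs as,
# e.g.  sudo -u SLURPD_USER sh check_ca_path.sh /etc/cert/demoCA/cacert.pem
# (SLURPD_USER is a placeholder; the thread does not name the account).

# first_blocked_component PATH
# Prints the first component that blocks access and returns 1.
# Prints nothing and returns 0 when the whole path is usable.
first_blocked_component() {
    target=$1
    case $target in
        /*) ;;
        *) echo "$target (not an absolute path)"; return 1 ;;
    esac
    # Split the path on "/" without glob expansion.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $target
    set +f
    IFS=$old_ifs
    current=""
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "$current (does not exist)"; return 1
        elif [ -d "$current" ]; then
            # Directories need search (x) permission to be traversed.
            [ -x "$current" ] || { echo "$current (no search permission)"; return 1; }
        else
            [ -r "$current" ] || { echo "$current (not readable)"; return 1; }
        fi
    done
    [ -f "$current" ] || { echo "$current (not a regular file)"; return 1; }
    return 0
}

# Stand-alone use: check the path given on the command line.
if [ $# -gt 0 ]; then
    first_blocked_component "$1" && echo "OK: $1 is readable by $(id -un)"
fi
```

The `-x` and `-r` tests apply to the user running the script, so a result obtained as root says nothing about the slurpd account.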