
Re: openldap 2.1.30 + gentoo +ssl [self signed problem again]



Hello,

Florin Angelescu <fangelescu@caami-hziv.fgov.be> writes:

> On Thursday 25 November 2004 09:04, you wrote:
>> You must post your error messages, debug output of slapd, ldap.conf and
>> slapd.conf before anyone can help you.
[... 9
>> I read the openldap software faq
>> and followed the instructions but it still got a self signed certificate
>> error
>> with ldapsearch ....
>> [ yes I read the FAQ, and yes I added the TLS_CACERT !!! ]
>> Was there an issue with that version? Do I have to upgrade to 2.2?
>
> oh sure
> here are the logs
>
> http://student.vub.ac.be/~fangeles/ldap/filelist.log
> http://student.vub.ac.be/~fangeles/ldap/sldaperror.log
> http://student.vub.ac.be/~fangeles/ldap/ldapsearch.log
> http://student.vub.ac.be/~fangeles/ldap/ldap.conf
> http://student.vub.ac.be/~fangeles/ldap/slapd.conf

These are the relevant log lines:

,----[ slapd.log ]
| tls_read: want=2, got=2
|   0000:  02 30                                              .0
| TLS trace: SSL3 alert read:fatal:unknown CA
| TLS trace: SSL_accept:failed in SSLv3 read client certificate A
| TLS: can't accept.
| TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
| connection_read(12): TLS accept error error=-1 id=0, closing
| connection_closing: readying conn=0 sd=12 for close
| connection_close: conn=0 sd=12
`---

You must have signed a cert with the wrong CA; check all your
certificates with

openssl x509 -in certificate.pem -text

in particular, check the keyid, which must be identical along the key
chain.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
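A scripted form of the check Dieter recommends, added here as an example; it is not part of his reply or of OpenLDAP. It assumes `openssl` is on PATH and builds its own throwaway CA and server certificates, so every file name below is constructed:

```shell
#!/bin/sh
# Added example (not from the thread): automate the check Dieter describes.
# The server cert's Authority Key Identifier must equal the Subject Key
# Identifier of the CA the client trusts (TLS_CACERT), and `openssl verify`
# must accept the chain. Assumes openssl on PATH; all certs are constructed.

# First value line after an extension header in `openssl x509 -text`, with
# indentation and the "keyid:" prefix printed by older OpenSSL stripped.
ext_keyid() {  # ext_keyid "<header text>" cert.pem
  openssl x509 -in "$2" -noout -text | awk -v h="$1" \
    'index($0, h) { getline; sub(/^[ \t]+/, ""); sub(/^keyid:/, ""); print; exit }'
}

# Return 0 only if server.pem really chains to ca.pem; explain on stderr if not.
check_chain() {  # check_chain ca.pem server.pem
  ca_ski=$(ext_keyid "Subject Key Identifier" "$1")
  srv_aki=$(ext_keyid "Authority Key Identifier" "$2")
  if [ -z "$ca_ski" ] || [ "$ca_ski" != "$srv_aki" ]; then
    echo "keyid mismatch: CA SKI=[$ca_ski] server AKI=[$srv_aki]" >&2
    return 1
  fi
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed test data: two unrelated CAs and a server cert signed by one.
make_demo_certs() {  # make_demo_certs <dir>
  d=$1
  printf 'basicConstraints=CA:TRUE\nsubjectKeyIdentifier=hash\n' >"$d/ca.ext"
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >"$d/srv.ext"
  for ca in good-ca other-ca; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$ca.key" \
      -subj "/CN=$ca" -out "$d/$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 1 \
      -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -subj "/CN=ldap.example" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/good-ca.pem" \
    -CAkey "$d/good-ca.key" -CAcreateserial -days 1 \
    -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

demo() {
  t=$(mktemp -d) && make_demo_certs "$t"
  check_chain "$t/good-ca.pem" "$t/server.pem" && echo "good-ca: chain OK"
  # A client with other-ca as TLS_CACERT sends the "unknown CA" alert in the log.
  check_chain "$t/other-ca.pem" "$t/server.pem" || echo "other-ca: wrong CA"
  rm -rf "$t"
}
demo
```

Run `check_chain` with the file named in the client's TLS_CACERT and the cert slapd serves; a keyid mismatch there is exactly what produces the "unknown CA" alert in the log.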