[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap 2.1.30 + gentoo +ssl [self signed problem again]



On Thursday 25 November 2004 11:32, you wrote:
> Hello,
>
> Florin Angelescu <fangelescu@caami-hziv.fgov.be> writes:
> > On Thursday 25 November 2004 09:04, you wrote:
> >> U must post your err msgs, debug output of slapd, ldap.conf and
> >> slapd.conf B4 anyone could help u.
>
> [... 9
>
> >> I read the openldap software faq
> >> and followed the instructions but it still got a self signed certificate
> >> error
> >> with ldapsearch ....
> >> [ yes i read the faq, and yes i adde the TLS_CACERT !!! ]
> >> Was there an issue whit that version ? Do i have to upgrade to 2.2   ?
> >
> > oh sure
> > here are the logs
> >
> > http://student.vub.ac.be/~fangeles/ldap/filelist.log
> > http://student.vub.ac.be/~fangeles/ldap/sldaperror.log
> > http://student.vub.ac.be/~fangeles/ldap/ldapsearch.log
> > http://student.vub.ac.be/~fangeles/ldap/ldap.conf
> > http://student.vub.ac.be/~fangeles/ldap/slapd.conf
>
> These are the relevant log lines
>
> ,----[ slapd.log ]
>
> | tls_read: want=2, got=2
> |   0000:  02 30                                              .0
> | TLS trace: SSL3 alert read:fatal:unknown CA
> | TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> | TLS: can't accept.
> | TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> | s3_pkt.c:1052 connection_read(12): TLS accept error error=-1 id=0,
> | closing
> | connection_closing: readying conn=0 sd=12 for close
> | connection_close: conn=0 sd=12
>
> `---
>
> You must have signed a cert with the wrong ca, check all your
> certificats with
>
> openssl x509 -in certificate.pem -text
>
> in particular check the keyid, which must be identical in the key
> chain.
>
> -Dieter

well, i have only 1 CA .... (i used CA.sh -newcert)
and the servercert is signed by my CA

openssl x509 -in servercert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI_CA, OU=CCI, 
CN=CAAMI_CA/emailAddress=fangelescu@caami-hziv.fgov.be
        Validity
            Not Before: Nov 25 08:32:09 2004 GMT
            Not After : Nov 25 08:32:09 2005 GMT
        Subject: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI-HZIV, OU=CCI, 
CN=ldap.caami-hziv.fgov.be/emailAddress=ldapserver@caami-hziv.fgov.be
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)

.
.
.