[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problem verifying self signed certificate



Thanks, Gary

> -----Original Message-----
> From: Tay, Gary [mailto:Gary_Tay@platts.com] 
> Sent: Monday, September 05, 2005 5:24 AM
> To: James Wilde
> Subject: RE: Problem verifying self signed certificate
> 
> 
> ===
> TLS certificate verification: depth: 1, err: 19, subject: 
> /C=SE/L=Stockholm/O=Glocalnet 
> AB/OU=Infrastructure/CN=Glocalnet Certificate 
> Authority/emailAddress=inoc@glocalnet.com, issuer: 
> /C=SE/L=Stockholm/O=Glocalnet 
> AB/OU=Infrastructure/CN=Glocalnet Certificate 
> ===
> 
> Please use FQDN (Fully Qualified Domain Name), as the 
> "CommonName" in your CA cert and self-signed Server cert.

FQDN for the CA cert???  The ca cert is not used as a server cert.

The server cert has a fqdn, log1.glocalnet.net but it is not
self-signed.  It is signed with the self-signed CA cert.

> 
> Understand you have created self-signed cert.
> The CN (CommonName) in your cert. subject is not a FQDN  it 
> should be something like "ldap1.glocalnet.com", i.e.
> 
> subject: /C=SE/L=Stockholm/O=Glocalnet 
> AB/OU=Infrastructure/CN=ldap1.glocalnet.com
> 
> Make sure there is an entry for "ldap1.glocalnet.com" in 
> /etc/hosts of LDAP Client, on top of DNS. 

/etc/hosts included log1 for 127.0.0.1, and I have added
log1.glocalnet.net and tested again.
> 
> ===
> # openssl s_client -connect localhost:389 -showcerts -state 
> -CAfile /usr/share/ssl/certs/cacert.pem === I assume you 
> issue thie command at the LDAP Server as local (localhost) 
> SSL connection test, assume also the slapd was started with 
> BOTH "ldap:///"; and "ldaps:///", then the correct command should be:

I normally start the ldap server simply with '/usr/sbin/slapd'.  I have
now tested with '/usr/sbin/slapd -h ldap:/// ldaps:///' and tested on
both 389 and 636.  389 gave the standard response of 'handshake
failure'.  636 gave 'Connection refused' since the server is not
listening on 636.

Woohoo!  When I restarted with '/usr/sbin/slapd -h ldaps:/// ldap:///'
it worked.  Thanks!  I now note that I should have "ldap:/// ldaps:///"
in double quotes after the -h flag.

In other words slapd has not been starting with tls enabled.  I thought
this was supposed to happen as a result of uncommenting the TLS lines in
slapd.conf rather than being something which one fixes at the command
line.  Is there a way to build this into the slapd.conf file, maybe with
'uri="ldap:/// ldaps:///"' or 'starttls=critical'?
> 
> # openssl s_client -connect localhost:636 -showcerts -state 
> -CAfile /usr/share/ssl/certs/cacert.pem
> 
> You may find my HOWTOs useful, or not at all.
> 
> http://web.singnet.com.sg/~garyttt/

Thanks, Gary.  I'll take a look.  If I can get my slaves running on
Solaris, I'll owe you one!

mvh/regards

James