RE: Problem verifying self signed certificate
Thanks, Gary
> -----Original Message-----
> From: Tay, Gary [mailto:Gary_Tay@platts.com]
> Sent: Monday, September 05, 2005 5:24 AM
> To: James Wilde
> Subject: RE: Problem verifying self signed certificate
>
>
> ===
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=SE/L=Stockholm/O=Glocalnet
> AB/OU=Infrastructure/CN=Glocalnet Certificate
> Authority/emailAddress=inoc@glocalnet.com, issuer:
> /C=SE/L=Stockholm/O=Glocalnet
> AB/OU=Infrastructure/CN=Glocalnet Certificate
> ===
>
> Please use FQDN (Fully Qualified Domain Name), as the
> "CommonName" in your CA cert and self-signed Server cert.
FQDN for the CA cert??? The ca cert is not used as a server cert.
The server cert has a fqdn, log1.glocalnet.net but it is not
self-signed. It is signed with the self-signed CA cert.
>
> Understand you have created self-signed cert.
> The CN (CommonName) in your cert. subject is not a FQDN it
> should be something like "ldap1.glocalnet.com", i.e.
>
> subject: /C=SE/L=Stockholm/O=Glocalnet
> AB/OU=Infrastructure/CN=ldap1.glocalnet.com
>
> Make sure there is an entry for "ldap1.glocalnet.com" in
> /etc/hosts of LDAP Client, on top of DNS.
/etc/hosts included log1 for 127.0.0.1, and I have added
log1.glocalnet.net and tested again.
>
> ===
> # openssl s_client -connect localhost:389 -showcerts -state
> -CAfile /usr/share/ssl/certs/cacert.pem
> ===
> I assume you issued this command at the LDAP Server as a local (localhost)
> SSL connection test, and assume also that slapd was started with
> BOTH "ldap:///" and "ldaps:///", then the correct command should be:
I normally start the ldap server simply with '/usr/sbin/slapd'. I have
now tested with '/usr/sbin/slapd -h ldap:/// ldaps:///' and tested on
both 389 and 636. 389 gave the standard response of 'handshake
failure'. 636 gave 'Connection refused' since the server is not
listening on 636.
Woohoo! When I restarted with '/usr/sbin/slapd -h ldaps:/// ldap:///'
it worked. Thanks! I now note that I should have "ldap:/// ldaps:///"
in double quotes after the -h flag.
In other words slapd has not been starting with tls enabled. I thought
this was supposed to happen as a result of uncommenting the TLS lines in
slapd.conf rather than being something which one fixes at the command
line. Is there a way to build this into the slapd.conf file, maybe with
'uri="ldap:/// ldaps:///"' or 'starttls=critical'?
>
> # openssl s_client -connect localhost:636 -showcerts -state
> -CAfile /usr/share/ssl/certs/cacert.pem
>
> You may find my HOWTOs useful, or not at all.
>
> http://web.singnet.com.sg/~garyttt/
Thanks, Gary. I'll take a look. If I can get my slaves running on
Solaris, I'll owe you one!
mvh/regards
James
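As an added example, not part of the thread and not Gary's or James's code, the shell script below rebuilds the situation in the log at the top of the message: a self-signed CA signing a server certificate whose CN is the FQDN log1.glocalnet.net, then the same kind of check that `openssl s_client -CAfile` performs. It shows where "depth: 1, err: 19" comes from: OpenSSL error 19 is "self signed certificate in certificate chain", raised at depth 1 (the CA) whenever the client is handed the CA certificate in the chain but has not been given it as a trust anchor. Passing the CA with -CAfile clears it. The file names, the temporary directory and port 4433 are assumptions for the example; openssl(1) must be on PATH, and `-verify_hostname` needs OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not from the original thread): a self-signed CA that signs a
# server certificate, checked the way "openssl s_client -CAfile" checks it.
# Assumptions: openssl(1) is on PATH; the FQDN log1.glocalnet.net comes from
# the thread; file names, working directory and port are chosen here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Depth 1 of the chain: a self-signed CA certificate (the trust anchor).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority" \
        -keyout cakey.pem -out cacert.pem >/dev/null 2>&1
}

# Depth 0 of the chain: the server certificate, CN set to the FQDN and the
# same name repeated as a subjectAltName (modern clients check the SAN first).
make_server_cert() {
    fqdn=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=$fqdn" \
        -keyout serverkey.pem -out server.csr >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > san.cnf
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -extfile san.cnf -out servercert.pem >/dev/null 2>&1
}

# What s_client does when it is given -CAfile: the CA is a trust anchor, so
# the chain verifies.  Returns 0 on success.
verify_with_ca() {
    openssl verify -CAfile cacert.pem servercert.pem >/dev/null 2>&1
}

# What s_client does without -CAfile: the CA is only a member of the presented
# chain (-untrusted), not an anchor, so OpenSSL stops at depth 1 with error 19,
# "self signed certificate in certificate chain".  Returns 0 if that is the
# error reported.
verify_without_ca() {
    openssl verify -untrusted cacert.pem servercert.pem 2>&1 | grep -q 'error 19'
}

# Name check: the certificate must be issued for the name the client connects
# to.  Needs OpenSSL 1.1.0 or newer.  Returns 0 if the name matches.
check_hostname() {
    openssl verify -CAfile cacert.pem -verify_hostname "$1" servercert.pem >/dev/null 2>&1
}

# Live variant of the thread's command.  An openssl s_server on an assumed
# port stands in for slapd listening on ldaps; prints the "Verify return code"
# line that s_client reports.
live_check() {
    port=${1:-4433}
    openssl s_server -accept "$port" -cert servercert.pem -key serverkey.pem >/dev/null 2>&1 &
    srv=$!
    sleep 1
    result=$(printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" \
        -showcerts -state -CAfile cacert.pem 2>&1 | grep 'Verify return code')
    kill "$srv" 2>/dev/null || true
    echo "$result"
}

make_ca
make_server_cert log1.glocalnet.net

if verify_with_ca; then echo "with -CAfile: chain OK"; fi
if verify_without_ca; then echo "without -CAfile: error 19 at depth 1 (CA not trusted)"; fi
if check_hostname log1.glocalnet.net; then echo "hostname log1.glocalnet.net: OK"; fi
if ! check_hostname ldap1.glocalnet.com; then echo "hostname ldap1.glocalnet.com: mismatch"; fi
```

Run the script as is for the offline checks; call `live_check 4433` afterwards to see the "Verify return code: 0 (ok)" line a correctly configured ldaps listener produces when the CA is supplied with -CAfile, and to compare against the run that produces error 19 when it is not.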