TLS certificate verification: Error, unable to get local issuer certificate
- To: "OpenLDAP Software List" <OpenLDAP-software@OpenLDAP.org>
- Subject: TLS certificate verification: Error, unable to get local issuer certificate
- From: "Jeremiah Martell" <inlovewithgod@gmail.com>
- Date: Tue, 12 Sep 2006 09:19:51 -0400
Hello,
Anybody know what this error means? I was guessing it means that it
couldn't verify the authenticity of a cert because it couldn't find the
CA of the cert. However, it happens if I put "demand" or "never" for
the TLS_REQCERT.
If I don't try to use SSL everything works fine.
Here's the ldap debug output:
--------------------
ldap_create
ldap_url_parse_ext(ldaps://example.com:3269/??sub)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:3269
ldap_new_socket: 47
ldap_prepare_socket: 47
ldap_connect_to_host: Trying 127.0.0.1:3269
ldap_connect_timeout: fd: 47 tm: -1 async: 0
ldap_ndelay_on: 47
ldap_is_sock_ready: 47
ldap_ndelay_off: 47
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=example.com, issuer: /DC=com/DC=example/CN=Xyz
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
--------------------
Any ideas?
Thanks,
- Jeremiah
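
An added example, not part of the original message and not OpenLDAP code: a small Python parser for the debug trace in the post. It names the OpenSSL verify code behind `err: 20`, reports the issuer DN that could not be found locally, and shows which side sent the TLS alert. The function `triage` and its field names are hypothetical.

```python
import re

# Subset of OpenSSL X509_V_ERR_* codes, as printed after "err:" in the trace.
VERIFY_ERRORS = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
MISSING_ISSUER = {2, 20, 21}  # codes meaning the issuer certificate was not found

# \s* after "subject:" / "issuer:" tolerates lines wrapped by a mail client.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject:\s*(.+?), issuer:\s*(\S.*?)\s*$", re.MULTILINE)
ALERT_RE = re.compile(
    r"TLS trace: SSL3 alert (read|write):(\w+):(.+?)\s*$", re.MULTILINE)

def triage(trace):
    """Return (verification failures, TLS alerts) from a libldap debug trace."""
    failures = []
    for depth, err, subject, issuer in VERIFY_RE.findall(trace):
        code = int(err)
        if code == 0:  # 0 is X509_V_OK
            continue
        failures.append({
            "depth": int(depth), "code": code,
            "name": VERIFY_ERRORS.get(code, "unknown"),
            "subject": subject, "issuer": issuer,
            # issuer DN the verifier could not find among its trusted CAs
            "missing_issuer": issuer if code in MISSING_ISSUER else None,
        })
    # "write" = alert sent by this client, "read" = alert received from the server
    alerts = [("sent" if d == "write" else "received", level, desc)
              for d, level, desc in ALERT_RE.findall(trace)]
    return failures, alerts

# Constructed sample: lines from the trace above, wrapped as in the mail.
SAMPLE = """TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=example.com, issuer: /DC=com/DC=example/CN=Xyz
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```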