
Re: Error using TLS



On Tue, Jan 23, 2007 at 09:57:02PM +0100, Iñaki wrote:
> Hi, this is my first post to the list.
> 
> I get an error when trying to run slapd with TLS options. I've looked a lot 
> and sincerely don't know what I'm doing wrong.
> 
> I use Debian Sarge.
> 
> These are the steps I follow to create and configure the TLS certificate:
> 
> 
> 1) Create a directory ssl:
> #> mkdir /etc/ldap/ssl
> #> cd /etc/ldap/ssl
> 
> 
> 2) Generate a private/public key:
> #> /usr/lib/ssl/misc/CA.pl -newreq
> Generating a 1024 bit RSA private key
> .++++++
> ...................................++++++
> writing new private key to 'newreq.pem'
> Enter PEM pass phrase: *****
> Verifying - Enter PEM pass phrase: *****
> Country Name (2 letter code) [AU]:ES
> State or Province Name (full name) [Some-State]:Vizcaya
> Locality Name (eg, city) []:Barakaldo
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:domain.net
> Organizational Unit Name (eg, section) []:debian
> Common Name (eg, YOUR name) []:debian.domain.net
> Email Address []:ibc@domain.net
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> Request (and private key) is in newreq.pem
> 
> 
> 3) Remove the password from the unique "newreq.pem" created:
> #> openssl rsa -in newreq.pem -out key.pem
> Enter pass phrase for newreq.pem: *****
> writing RSA key
> 
> 
> 4) Edit the certificate to remove the key and rename:
> #> vi newreq.pem
> [...]
> #> mv newreq.pem cert.pem
> 

Don't you need to sign it here?

> 
> 5) Change permissions for the key:
> #> chmod 600 key.pem
> 
> 
> 6) Now I have the certificate and the key:
> #> ls -l
> -rw-r--r--  1 root root 708 2007-01-23 21:35 cert.pem
> -rw-------  1 root root 887 2007-01-23 21:35 key.pem
> 
> 
> 7) Configure slapd.conf:
> ----------------
> TLSCipherSuite			HIGH
> TLSCertificateFile      /etc/ldap/ssl/cert.pem
> TLSCertificateKeyFile   /etc/ldap/ssl/key.pem
> ----------------
> 
> 
> 8) Save and restart slapd:
> #> /etc/init.d/slapd restart
> Stopping OpenLDAP: slurpd slapd.
> Starting OpenLDAP: running BDB recovery, slapd - failed.
> The operation failed but no output was produced. For hints on what went
> wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
> try running the daemon in Debug mode like via "slapd -d 16383" (warning:
> this will create copious output).
> 
> 
> 9) The syslog says:
> Jan 23 21:38:20 debian slapd[2339]: @(#) $OpenLDAP: slapd 2.2.23 (May 30 2005 
> 08:52:42) $ 
> ^I@pulsar:/home/torsten/packages/openldap/openldap2.2-2.2.23/debian/build/servers/slapd
> Jan 23 21:38:20 debian slapd[2339]: bdb_db_init: Initializing BDB database
> Jan 23 21:38:20 debian slapd[2339]: main: TLS init def ctx failed: -1
> Jan 23 21:38:20 debian slapd[2339]: slapd stopped.
> Jan 23 21:38:20 debian slapd[2339]: connections_destroy: nothing to destroy.
> 

Can you tell me what happens when you run

openssl x509 -in /etc/ldap/ssl/cert.pem -noout -text

and if this works:

openssl rsa -in /etc/ldap/ssl/key.pem -noout -text

> 
> 
> Could you tell me why this error occurs? I've read on many sites about those
> exact steps to configure TLS in OpenLDAP but it doesn't work for me.
> 
> Thanks in advance for any help.
> Regards.
> 
> -- 
> Iñaki Baz Castillo

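The check the reply is asking for, written up as an added example (not code from this thread or from OpenLDAP): a small Python scanner that classifies the PEM blocks in the two files slapd is pointed at, so that step 4's mistake, a request renamed to cert.pem, and a passphrase-protected key both show up before slapd reports "TLS init def ctx failed". The PEM bodies below are constructed placeholders, not real DER.

```python
"""Classify PEM blocks in slapd's TLSCertificateFile / TLSCertificateKeyFile."""
import re
from typing import Dict, List

# A PEM block: BEGIN label, optional headers + body, matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Dict[str, object]]:
    """Return each block's label and whether it carries an ENCRYPTED header."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        encrypted = "Proc-Type: 4,ENCRYPTED" in body
        blocks.append({"label": label, "encrypted": encrypted})
    return blocks


def check_slapd_tls(cert_text: str, key_text: str) -> List[str]:
    """Return the problems that would stop slapd from building its TLS context."""
    problems = []
    cert_labels = [b["label"] for b in pem_blocks(cert_text)]
    if "CERTIFICATE" not in cert_labels:
        if "CERTIFICATE REQUEST" in cert_labels:
            # CA.pl -newreq produces a request; it must be signed before use.
            problems.append("TLSCertificateFile holds a CERTIFICATE REQUEST, not a signed CERTIFICATE")
        else:
            problems.append("TLSCertificateFile contains no CERTIFICATE block")
    keys = [b for b in pem_blocks(key_text) if b["label"].endswith("PRIVATE KEY")]
    if not keys:
        problems.append("TLSCertificateKeyFile contains no PRIVATE KEY block")
    elif any(k["encrypted"] for k in keys):
        # slapd runs unattended and cannot prompt for the pass phrase.
        problems.append("TLSCertificateKeyFile is pass-phrase protected")
    return problems


# Constructed sample files (placeholder bodies, not real DER).
CSR_AS_CERT = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBplaceholder==\n-----END CERTIFICATE REQUEST-----\n"
SIGNED_CERT = "-----BEGIN CERTIFICATE-----\nMIICplaceholder==\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder==\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIICplaceholder==\n"
                 "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # The poster's situation: a renamed request plus a key with the pass phrase removed.
    for p in check_slapd_tls(CSR_AS_CERT, PLAIN_KEY):
        print("problem:", p)
```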