
TLS verify errors
I've run into an interesting issue where if I set up a .ldaprc for the user running slapd with:

BASE ""
TLS_CACERT /opt/zimbra/conf/ca/ca.pem
slapd will fail to start with:

TLS: could not load client CA list (file:`/opt/zimbra/conf/ca/ca.pem',dir:`').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
It is not an issue with being able to read the cert as:

cat /opt/zimbra/conf/ca/ca.pem
-----BEGIN TRUSTED CERTIFICATE-----
.....
-----END TRUSTED CERTIFICATE-----

works just fine. If I change it to TLSCACERTDIR and adjust to a path, then slapd starts just fine, but I can't negotiate STARTTLS for the same reason.

Using openssl to verify the slapd cert (which is signed by this CA) shows everything is correct, as well:

/usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/slapd.crt: OK
I'm not really sure why defining a CA cert for the client to use stops slapd from working, either. Seems rather odd to me.
Thoughts appreciated. ;)

--Quanah
--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
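The "no start line" error above is what OpenSSL's PEM reader reports when it cannot find a "-----BEGIN ...-----" framing line of a kind it accepts. The following added example (not part of the post above, and not Zimbra's or OpenLDAP's code) shows how a defender can inspect a CA file offline the same way: enumerate every framed PEM block, report its label, and check that the base64 payload decodes. The sample PEM strings are constructed and are not the ca.pem from the post; the label set and the messages in diagnose() are the example's own assumptions.

```python
"""Inspect a PEM CA file from a TLS library's point of view.

Added example, not code from the original post. The sample PEM text below
is constructed: the base64 payloads are not real DER certificates.
"""
import base64
import binascii
import re

# Labels OpenSSL uses for certificates. "TRUSTED CERTIFICATE" wraps the
# certificate together with auxiliary trust settings and is not accepted
# by every reader that wants a plain "CERTIFICATE" block.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}

# A PEM block is BEGIN line, base64 body, END line with the same label.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return [(label, payload_decodes)] for every framed PEM block."""
    blocks = []
    for match in BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            base64.b64decode("".join(body.split()), validate=True)
            decodes = True
        except binascii.Error:
            decodes = False
        blocks.append((label, decodes))
    return blocks


def diagnose(text):
    """Classify a CA file: what a loader would find when it looks for a start line."""
    blocks = pem_blocks(text)
    if not blocks:
        return "no PEM start line found (DER file or damaged BEGIN/END headers?)"
    if any(not decodes for _, decodes in blocks):
        return "PEM block with undecodable base64 payload"
    labels = {label for label, _ in blocks}
    if labels == {"TRUSTED CERTIFICATE"}:
        return "only TRUSTED CERTIFICATE blocks; consider re-exporting as plain CERTIFICATE"
    if not labels & CERT_LABELS:
        return "no certificate blocks (labels: %s)" % ", ".join(sorted(labels))
    return "ok: %d certificate block(s)" % len(blocks)


def _wrap(label, payload):
    """Build a constructed PEM block around an arbitrary payload."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples (not real certificates).
SAMPLE_PLAIN = _wrap("CERTIFICATE", b"constructed sample, not a real DER certificate")
SAMPLE_TRUSTED = _wrap("TRUSTED CERTIFICATE", b"constructed sample with trust settings")
SAMPLE_NOT_PEM = "this file has no PEM framing at all\n"
SAMPLE_BROKEN = "-----BEGIN CERTIFICATE-----\n@@@@\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("trusted", SAMPLE_TRUSTED),
                         ("not-pem", SAMPLE_NOT_PEM), ("broken", SAMPLE_BROKEN)]:
        print("%-8s %s" % (name, diagnose(sample)))
```

To run it against a real file, read the file as text and pass it to diagnose(). If the only blocks are "TRUSTED CERTIFICATE", `openssl x509 -in ca.pem -out ca-plain.pem` rewrites the certificate as a plain "CERTIFICATE" block (dropping the trust settings), which every PEM certificate reader accepts.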