TLS verify errors
I've run into an interesting issue where if I set up a .ldaprc for the user
running slapd with:
BASE ""
TLS_CACERT /opt/zimbra/conf/ca/ca.pem
slapd will fail to start with:
TLS: could not load client CA list
(file:`/opt/zimbra/conf/ca/ca.pem',dir:`').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
It is not an issue with being able to read the cert as:
cat /opt/zimbra/conf/ca/ca.pem
-----BEGIN TRUSTED CERTIFICATE-----
.....
-----END TRUSTED CERTIFICATE-----
works just fine. If I change it to TLSCACERTDIR and adjust to a path, then
slapd starts just fine, but I can't negotiate STARTTLS for the same reason.
Using openssl to verify the slapd cert (which is signed by this CA) shows
everything is correct, as well:
/usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/slapd.crt: OK
I'm not really sure why defining a CA cert for the client to use stops
slapd from working, either. Seems rather odd to me.
Thoughts appreciated. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
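OpenSSL's PEM reader reports "no start line" when it reaches the end of a file without finding a "-----BEGIN ...-----" block whose label it accepts, so a useful first check is to list which labels the CA file actually carries and whether each block is well-formed. The script below is an added example, not part of the post above; the PEM content in SAMPLE is constructed placeholder data standing in for /opt/zimbra/conf/ca/ca.pem.

```python
import base64
import binascii
import re

# One PEM block: the BEGIN label and END label are captured separately so a
# mismatch between them can be reported.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def inspect_pem(text):
    """Return [(label, status), ...] for every PEM block found in text.

    status is 'ok' when BEGIN/END labels agree and the body is valid base64,
    'label-mismatch' when the labels differ, 'bad-base64' when the body
    does not decode.
    """
    results = []
    for m in _PEM_BLOCK.finditer(text):
        begin_label, body, end_label = m.group(1), m.group(2), m.group(3)
        if begin_label != end_label:
            results.append((begin_label, "label-mismatch"))
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (ValueError, binascii.Error):
            results.append((begin_label, "bad-base64"))
            continue
        results.append((begin_label, "ok"))
    return results


def labels_not_in(text, expected):
    """Sorted list of labels present in text that are not in `expected`."""
    return sorted({label for label, _ in inspect_pem(text)} - set(expected))


# Constructed sample: same label as the file in the post, placeholder body.
SAMPLE = (
    "-----BEGIN TRUSTED CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder, not a real certificate").decode() + "\n"
    + "-----END TRUSTED CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, status in inspect_pem(SAMPLE):
        print(label, status)
    print("labels other than CERTIFICATE:", labels_not_in(SAMPLE, {"CERTIFICATE"}))
```

Run it against the real CA file with `inspect_pem(open(path).read())`; a block whose label is not one the consuming reader accepts, or whose body fails to decode, is what to look at first.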