[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
openldap failing to launch if SSL/TLS enabled. error "main: TLS init def ctx failed: -1" ?
- To: openldap-software@openldap.org
- Subject: openldap failing to launch if SSL/TLS enabled. error "main: TLS init def ctx failed: -1" ?
- From: "Ben Wailea, openldap-software" <bwailea+10@gmail.com>
- Date: Fri, 15 Aug 2008 10:28:18 -0700
- Content-disposition: inline
i've installed openldap. starts fine without SSL/TLS.
if SSL/TLS is enabled, slapd fails to launch @ error: "main: TLS init
def ctx failed: -1".
googling the issue, suggestions are cert problems. mine, i believe are OK.
any ideas as to what the problem is?
here's what i've done/checks so far:
i've installed openldap from rpm's,
rpm -qa | grep openldap
openldap2-back-perl-2.4.11-5.1
openldap2-client-2.4.11-6.1
openldap2-2.4.11-5.1
openldap2-back-meta-2.4.11-5.1
without TLS/SSL, the service starts,
service ldap start
Starting ldap-server done
ps ax | grep slapd
6062 ? S<sl 0:00 /usr/lib/openldap/slapd -h ldap:// -f
/etc/openldap/slapd.conf -u ldap -g ldap -4 -o slp=on
if i add TLS/SSL config to /etc/openldap/slapd.conf,
...
TLSCertificateFile /etc/apache2/ssl.crt/svr.crt
TLSCertificateKeyFile /etc/apache2/ssl.key/svr.key
TLSCACertificateFile /etc/apache2/ssl.crt/ca.crt
TLSCipherSuite TLSv1+HIGH:!aNULL:@STRENGTH
TLSVerifyClient never
...
service fails to start,
service ldap start
Starting ldap-server failed
and log reports,
Aug 15 10:02:01 auth slapd[6139]: main: TLS init def ctx failed: -1
Aug 15 10:02:01 auth slapd[6139]: slapd destroy: freeing system resources.
Aug 15 10:02:01 auth slapd[6139]: slapd stopped.
Aug 15 10:02:01 auth slapd[6139]: connections_destroy: nothing to destroy.
Aug 15 10:02:01 auth slapd[6139]: daemon: SLPDereg(ldap://) failed
with -20, cookie = 0
the certs/keys i'm, using are used in my apache server,
SSLCertificateFile /etc/apache2/ssl.crt/svr.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/svr.key
SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
SSLCipherSuite TLSv1+HIGH:!aNULL:@STRENGTH
SSLVerifyClient none
SSLVerifyDepth 1
and SSL works there without problem.
the keys & certs check out ok,
------
openssl rsa -noout -text -in "/etc/apache2/ssl.key/svr.key"
Private-Key: (2048 bit)
modulus:
00:d2:3e:45:1c:09:10:d2:a1:c6:61:c2:fa:ad:35:
...
23:97
publicExponent: 65537 (0x10001)
privateExponent:
00:b0:82:00:e9:69:9f:0b:07:30:93:30:eb:dd:f1:
...
48:01
prime1:
00:ea:8e:ea:13:2c:71:be:3c:68:8b:5e:7a:c8:1e:
...
cf:ea:b4:92:2a:e5:14:1c:01
prime2:
00:e5:76:57:25:91:72:eb:ac:19:74:9a:2d:85:65:
...
a9:81:b0:7f:b4:f3:f1:9f:97
exponent1:
06:2b:94:44:c4:da:89:22:95:ad:74:e2:cd:f8:dd:
...
62:95:35:73:23:6b:90:01
exponent2:
1a:a4:1f:c0:1b:e0:04:de:c9:61:d1:58:c1:a9:2c:
...
44:e6:72:1d:57:49:51:67
coefficient:
12:11:93:09:34:3e:ae:41:2d:dc:78:f3:11:e0:da:
...
73:80:99:ec:78:b3:4c:90
openssl x509 -noout -text -in "/etc/apache2/ssl.crt/ca.crt"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12...21 (0x...5d)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
Validity
Not Before: Aug 15 02:43:41 2008 GMT
Not After : Aug 15 02:43:41 2009 GMT
Subject: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:f3:ee:cf:21:bc:49:59:1a:e0:62:5b:df:87:9e:
...
9b:fb:1d
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
SS ROOT CA CERT
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Netscape Cert Type:
SSL CA, S/MIME CA
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
3B:...:32
X509v3 Authority Key Identifier:
keyid:3B:...:32
DirName:/C=US/ST=ST/L=CITY/O=TEST/OU=TEST/CN=TEST_CA
serial:48:...:5D
Signature Algorithm: sha512WithRSAEncryption
da:02:bb:96:3a:72:83:73:15:8c:c9:1d:1d:41:47:2c:9e:7b:
...
70:d0:ac:96:09:7d:28:e2
openssl x509 -noout -text -in "/etc/apache2/ssl.crt/svr.crt"
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
Validity
Not Before: Aug 15 02:49:19 2008 GMT
Not After : Aug 15 02:49:19 2009 GMT
Subject: C=US, ST=ST, L=CITY, O=TEST, OU=TEST,
CN=*.testdomain.net/emailAddress=postmaster@testdomain.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d2:3e:45:1c:09:10:d2:a1:c6:61:c2:fa:ad:35:
...
23:97
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment,
Data Encipherment, Key Agreement
X509v3 Extended Key Usage: critical
Code Signing, Time Stamping, TLS Web Server
Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
00:...:1B
X509v3 Authority Key Identifier:
keyid:3B:...:32
Signature Algorithm: sha512WithRSAEncryption
5b:56:cb:38:40:62:ae:13:9a:e7:c3:d8:a9:2f:e6:04:fc:32:
...
ff:29:74:52:73:28:fa:ca
------