Re: TLS/SSL and self-signed certificates
Hi,
please stay on the mailing list.
Rick Stevens <rps2@socal.rr.com> writes:
> Dieter Kluenter wrote:
>> Rick Stevens <rps2@socal.rr.com> writes:
>>
>>> I know this has been hashed over before, but I simply cannot get my
>>> LDAP clients to talk TLS/SSL to my LDAP server. I keep getting
>>>
>>> TLS certificate verification: Error, self signed certificate in
>>> certificate chain
>> This error may not be the culprit, if the error (or warning) is
>> referring to the CA.
>> What is the CN of the server certificate and what is the host part of
>> your search string?
>
> The CN of the server certificate is:
>
> CN=bigdog.hci.com/emailAddress=ricks@nerd.com
>
> The host part of the search is "-h bigdog.hci.com"
>
>> In order to debug the TLS session run ldapsearch with -d3 option.
>
> I never see it try to pick up the server's certificate, just the CA's
> and I see a "TLS trace: SSL3 alert write:fatal:unknown CA" error before
> it dies.
OK, could you please provide the TLS related entries of slapd.conf and
ldap.conf? It seems that the server is not providing a server
certificate but a CA.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
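
Added example, not part of the message above or of OpenLDAP: a small triage script for the client-side `-d3` trace discussed in this thread. It reports whether a depth-0 (server) certificate appears at all, whether that certificate is self-signed, and whether its CN matches the `-h` host. The per-certificate line layout (`depth: ..., err: ..., subject: ..., issuer: ...`), the function names and the sample traces are assumptions constructed for illustration.

```python
import re

# Assumed layout of the per-certificate trace line; the "Error," message is the one quoted in the thread.
VERIFY = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                    r"subject: (.*?), issuer: (.*)$")
ERROR = re.compile(r"TLS certificate verification: Error, (.*)$")

NO_LEAF = "no depth-0 (server) certificate reported in the trace"
SELF_SIGNED_LEAF = "depth-0 certificate is self-signed (subject == issuer)"
CN_MISMATCH = "CN of depth-0 certificate does not match the host given with -h"
UNTRUSTED_ROOT = "verification error names a self-signed certificate the client does not trust"

def cn_of(dn):
    """Extract the CN from an OpenSSL one-line DN like /O=x/CN=host/emailAddress=y."""
    m = re.search(r"(?:^|/)CN=([^/]*)", dn)
    return m.group(1) if m else None

def diagnose(trace, host):
    """Return a list of findings for one client-side TLS debug trace."""
    certs, errors = {}, []
    for line in trace.splitlines():
        m = VERIFY.search(line)
        if m:  # remember (subject, issuer) per chain depth
            certs[int(m.group(1))] = (m.group(3).strip(), m.group(4).strip())
        else:
            m = ERROR.search(line)
            if m:
                errors.append(m.group(1).strip().lower())
    findings = []
    if 0 not in certs:
        findings.append(NO_LEAF)
    else:
        subject, issuer = certs[0]
        if subject == issuer:
            findings.append(SELF_SIGNED_LEAF)
        if (cn_of(subject) or "").lower() != host.lower():
            findings.append(CN_MISMATCH)
    if any("self signed" in e or "self-signed" in e for e in errors):
        findings.append(UNTRUSTED_ROOT)
    return findings

# Constructed sample traces (not taken from the thread).
CA_ONLY = """\
TLS certificate verification: depth: 1, err: 19, subject: /O=Example/CN=Example CA, issuer: /O=Example/CN=Example CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA"""
LEAF_OK = """\
TLS certificate verification: depth: 1, err: 0, subject: /O=Example/CN=Example CA, issuer: /O=Example/CN=Example CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=bigdog.hci.com/emailAddress=ricks@nerd.com, issuer: /O=Example/CN=Example CA"""
```

Calling `diagnose(CA_ONLY, "bigdog.hci.com")` returns the "no depth-0 certificate" and "untrusted self-signed" findings, while `LEAF_OK` returns an empty list for the same host.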