Re: TLS/SSL and self-signed certificates

[Harry Jede <walk2sun@arcor.de>]

Am Donnerstag, 9. Juli 2009 schrieb Rick Stevens:
> I know this has been hashed over before, but I simply cannot get my
> LDAP clients to talk TLS/SSL to my LDAP server.  I keep getting
>
> 	TLS certificate verification: Error, self signed certificate in
> 	certificate chain
>
> errors.  A standard "openssl s_client" test works fine, but a client
> such as ldapsearch simply refuses to cooperate.  I have the
> "tls_cacertdir" set to point at a directory that has a copy of every
> certificate I've created and it still won't work.
>
> The certificates were created based on the instructions at:
>
> 	http://www.openldap.org/faq/data/cache/185.html
>
> as specified in the admin manual.  I'm the first to admin I'm not an
> SSL guy, but this has got me stumped!  I'll be happy to provide
> whatever bits of the various config files you need.
So, you have created your certs with openssl. Are your ldap binaries 
linked against openssl or gnutls libraries?

ldd $(which ldapsearch)
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7e34000)

This openldap installation is linked against gnutls!

If your openldap installation also uses gnutls, then you MUST reorder 
the certificates.

Openssl certs begins with the top-level cert (normaly the ca), gnutls 
certs ends with the ca-cert :-( .

>
> Help me Obi-Wan Kenobi!
> ---------------------------------------------------------------------
>- - Rick Stevens, Unix Geek                          rps2@socal.rr.com
> - -                                                                  
>  - - Treat each day as if it's your last...a lot of crying and
> whining  - -      usually gets you what you want!              -- Sam
> Sledge    -
> ---------------------------------------------------------------------
>-



-- 

Gruss
	Harry Jede