[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client says Can't contact LDAP server, but it can!



On Thu, Jul 24, 2008 at 04:20:02PM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, July 24, 2008 4:13 PM -0700 John Oliver 
> <joliver@john-oliver.net> wrote:
> 
> >On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> >>
> >>Any client will need to know about the CA that signed your self-signed
> >>cert.
> >
> >I created my certificate with:
> >
> >openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> >/etc/openldap/ssl/ldap.pem -days 3650
> >
> >In slapd.conf I have:
> >
> >TLSCertificateFile /etc/ssl/ldap.pem
> >TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> >TLSCACertificateFile /etc/ssl/ldap.pem
> >
> >What do I need to do differently?
> 
> Create your own CA first?  Then sign your own certs with it.
> 
> <http://www.tc.umn.edu/~brams006/selfsign.html>

I don't understand why I must handle certs one way on one server, and
another way on the other.  The self-signed cert works just fine on the
other, and I foresee problems if one is self-signed and the other
isn't... one day, there's going to be some bizzare SSL issue that'll
have me tearing my hair out for a week, until someone finally discovers
what's going on and says "You fscking dummy, why the hell are you doing
this?"

And I'm not particularly keen to break the working server so it can be
in the same state of borkenness as the one I'm fighting now.

It would be absolutely fantastic if someone could tell me why one
self-signed cert works and the other doesn't.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************