[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: TLS certificates
Matthew, please stay on the mailing list (Cc:-ed) when answering so
others can answer and learn as well.
Matthew Edlefsen wrote:
> 2009/6/13 Michael Ströder <michael@stroeder.com>:
>> Matthew Edlefsen wrote:
>>> Hello, I'm trying to get TLS setup with openldap and am having some
>>> issues. I have a CA signed certificate (not self-signed) and have
>>> created a chain with my CA cert and the root CA cert. I've verified
>>> that it works with openssl verify -CAfile on both the client and
>>> server but then when I try to connect using ldaps I get the following
>>> error on the client:
>>>
>>> TLS certificate verification: depth: 2, err: 19, subject:
>>> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>>> External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP
>>> Network/CN=AddTrust External CA Root
>>> TLS certificate verification: Error, self signed certificate in
>>> certificate chain
>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS: can't connect.
>>>
>>> I assume it's saying that the root CA is self signed, but if I don't
>>> include it in the chain it says it can't trust the CA.
>> Could you please elaborate on how you configured TLS settings on your
>> LDAP client? I assume that your OpenLDAP build was linked to OpenSSL
>> libs. Is that right?
>
> I did not configure my client at all. I confirmed it is linked to
> OpenSSL though. I'm hoping to not have to do any client configuration
> (other than turning it on obviously) because we would like end users
> to be able to use ldaps without any hassle.
You have to configure each LDAP client to trust the CA cert.
For OpenLDAP command-line clients or derived clients you should consult
the man page ldap.conf(5) about how to place system-wide or specific
configuration files and the client-side (TLS-related) configuration options.
Ciao, Michael.