[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS CA Chain Problem



Quanah Gibson-Mount wrote:
--On Monday, October 12, 2009 10:36 PM +0200 Iruwen<iruwen@gmx.net>  wrote:

---
Certificate chain
  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA
Limited/CN=PositiveSSL CA

I don't get it :(

Comodo's cert is signed by someone else, you have to add that issuer to the
CA chain.  And it changes periodically too, in my experience from using
their certs.  So you need to examine their CA cert, and find who signed it,
and then add that to the chain.

For example, the one I was using at one time, was signed by the GTE
CyberTrust CA, so I needed to have that cert in the chain in addition to
comodo's.

Judging from his debug output, that's not the issue here. The first question you should have asked is - what OS, OpenLDAP version, and TLS library?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/