can't use godaddy SSL cert
- To: openldap-technical@openldap.org
- Subject: can't use godaddy SSL cert
- From: bluethundr <bluethundr@gmail.com>
- Date: Thu, 25 Nov 2010 11:26:56 -0500
Hey list,
I was having a similar SSL/OpenLDAP problem to this last week. I had
a chance to look at this again today and it still appears to not be
working. I called GoDaddy and had the last cert cancelled and reissued,
as I had mistyped the name of the CN on the last one.
I am trying to set up a GoDaddy Turbo SSL certificate with an OpenLDAP
2.4 server under FreeBSD 8.1.
[root@LBSD2:/usr/home/bluethundr]#pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
I have set up the certificate chain in my slapd.conf like so:
[root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
I have tried each of the following certs with no luck in getting my
cert to talk to its CA:
-rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
-r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
-r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
and I get the same result for each when I attempt to connect to SSL on
the LDAP server:
[root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or
directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
TLS certificate verification: depth: 0, err: 20, subject:
/O=LBSD2.summitnjhome.com/OU=Domain Control
Validated/CN=LBSD2.summitnjhome.com, issuer:
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It seems to indicate that it can't talk to its CA...
Does anyone have any suggestions on how to make this work?
Thanks!
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
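As an added example (not part of this post, nor OpenLDAP's or GoDaddy's own code): the "depth: 0, err: 20 ... unable to get local issuer certificate" line in the ldapsearch trace means the certificate that signed the server cert is not present in the file named by TLSCACertificateFile. The sh script below builds a constructed throwaway CA/leaf pair with openssl, then runs a check_chain helper that passes with the right bundle, reproduces the err 20 failure with the wrong one, and prints the issuer/bundle mismatch so the missing intermediate is obvious. All file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce and diagnose "unable to get local issuer
# certificate" (err 20 at depth 0) before pointing slapd at a CA bundle.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ossl() { openssl "$@" >/dev/null 2>&1; }

# Constructed throwaway PKI: the CA that really issued the leaf, and an
# unrelated CA standing in for a wrong bundle (e.g. the root shipped
# without the intermediate). Names are placeholders, not real CAs.
ossl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Issuing CA (constructed)" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.crt"
ossl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA (constructed)" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt"
ossl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
    -keyout "$WORK/slapd.key" -out "$WORK/slapd.csr"
ossl x509 -req -days 2 -in "$WORK/slapd.csr" -CA "$WORK/issuing.crt" \
    -CAkey "$WORK/issuing.key" -CAcreateserial -out "$WORK/slapd.crt"

# check_chain LEAF CAFILE: return 0 when CAFILE verifies LEAF; otherwise
# print the verify error, the leaf's issuer and the subjects actually in
# the bundle, and return 1.
check_chain() {
    leaf=$1; cafile=$2
    if [ ! -r "$cafile" ]; then
        # same class of failure as the s_client fopen error: wrong path/cwd
        echo "CA file not readable: $cafile (check path, owner and mode)"
        return 1
    fi
    if out=$(openssl verify -CAfile "$cafile" "$leaf" 2>&1); then
        echo "OK: $leaf verifies against $cafile"
        return 0
    fi
    echo "$out"
    echo "leaf issuer : $(openssl x509 -in "$leaf" -noout -issuer)"
    echo "bundle holds:"
    openssl crl2pkcs7 -nocrl -certfile "$cafile" \
        | openssl pkcs7 -print_certs -noout | grep '^subject' || true
    return 1
}

check_chain "$WORK/slapd.crt" "$WORK/issuing.crt"         # verifies
check_chain "$WORK/slapd.crt" "$WORK/other.crt" || true   # err 20 shown
```

Run the same check on the LDAP host itself, with the exact paths from slapd.conf, before restarting slapd; the fopen error in the s_client output above only says sf_issuing.crt was not found in the current directory on LCENT01, not that the chain is wrong.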