Re: can't use godaddy SSL cert
On Thursday, 25 November 2010 17:26:56 bluethundr wrote:
>
> [root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
>
>
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
I doubt your hostname is ldap.example.com, it looks like it is
LBSD2.summitnjhome.com. Since hostname <=> certificate subjectCN is important,
you may prefer to provide *accurate* information while asking for help ...
> 13730:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('sf_issuing.crt','r')
Please read the error message above carefully.
Your working directory of /tmp/Foswiki-1.1.2 most likely doesn't contain your
certificate sf_issuing.crt. Maybe you should try:
openssl s_client -connect LBSD2.summitnjhome.com:636 -showcerts -CAfile /usr/local/etc/openldap/cacerts/sf_issuing.crt
(note, I don't think s_client can test LDAP+start_tls, only ldaps ... so this
test assumes you have slapd started with a -h option that includes ldaps:///)
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
ldapsearch doesn't read slapd.conf, did you supply the correct TLS_CACERT
value in /usr/local/etc/openldap/ldap.conf ? Of course, you should use the
hostname for which the cert is issued, or the next failure will be due to
hostname/certificate subject mismatch.
Please see 'man ldap.conf'
> TLS certificate verification: depth: 0, err: 20, subject:
> /O=LBSD2.summitnjhome.com/OU=Domain Control
> Validated/CN=LBSD2.summitnjhome.com, issuer:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
No, seems it doesn't know where to look for the CA certificate ...
> does anyone have any suggestions on how to make this work?
echo "TLS_CACERT /usr/local/etc/openldap/cacerts/sf_issuing.crt" >> /usr/local/etc/openldap/ldap.conf
?
Regards,
Buchan
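The recurring mistake in this thread is that slapd.conf's TLSCACertificateFile only configures the server, while ldapsearch and other clients read TLS_CACERT from ldap.conf. The script below is an added example, not code from the thread or from OpenLDAP: it parses both files, reports a missing, relative or nonexistent TLS_CACERT, a client TLS_REQCERT that disables verification, and a TLSCipherSuite that still admits SSLv2 or MEDIUM ciphers. The sample configs are constructed to mirror the poster's situation; the isfile parameter exists only so the check can run without the real files.

```python
import os

# Constructed sample configs (not the poster's real files) reproducing the
# thread's situation: the CA is configured server-side only.
SAMPLE_SLAPD_CONF = """\
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
"""
SAMPLE_LDAP_CONF = """\
BASE dc=example,dc=com
URI ldap://LBSD2.summitnjhome.com
"""

def parse_conf(text):
    """Map 'KEY value' lines to {KEY.upper(): value}; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_tls(slapd_text, ldap_text, isfile=os.path.isfile):
    """Return a list of findings; empty means the client can verify the server."""
    slapd, client = parse_conf(slapd_text), parse_conf(ldap_text)
    findings = []
    ca = client.get("TLS_CACERT")
    if ca is None:
        findings.append("ldap.conf: TLS_CACERT missing; clients cannot build the chain")
    elif not os.path.isabs(ca):
        findings.append("ldap.conf: TLS_CACERT %r is relative; use an absolute path" % ca)
    elif not isfile(ca):
        findings.append("ldap.conf: TLS_CACERT %r does not exist" % ca)
    elif slapd.get("TLSCACERTIFICATEFILE") not in (None, ca):
        findings.append("ldap.conf: TLS_CACERT differs from slapd TLSCACertificateFile")
    # ldap.conf defaults TLS_REQCERT to 'demand'; 'never'/'allow' skip verification.
    if client.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("ldap.conf: TLS_REQCERT weakens certificate verification")
    suite = slapd.get("TLSCIPHERSUITE", "").upper()
    if "SSLV2" in suite or "MEDIUM" in suite:
        findings.append("slapd.conf: TLSCipherSuite allows SSLv2/MEDIUM ciphers")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_tls(SAMPLE_SLAPD_CONF, SAMPLE_LDAP_CONF) or ["OK"]:
        print(finding)
```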