[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS issues when setting olcTLSCACertificateFile to the CA bundle



Patrick Hemmer wrote:
Whenever I set olcTLSCACertificateFile to /etc/pki/tls/certs/ca-bundle.crt
LDAP clients get cert errors connecting to the server. But it works fine when
I point olcTLSCACertificateFile at the actual server cert instead of the CA
bundle.

With olcTLSCACertificateFile pointed at /etc/pki/tls/certs/ca-bundle.crt:
CLIENT:
# LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt ldapsearch -H
'ldap://fqdn.to.my.server' -ZZ -x -b '' -s base '+'
ldap_start_tls: Connect error (-11)
     additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get
local issuer certificate)
SERVER (from "slapd -d conns"):
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca.


Why is this happening. olcTLSCACertificateFile is supposed to control the
certificates that OpenLDAP will recognize, not affect the certificate it gives
to clients (right?).

This is OpenLDAP 2.4.31

Use the debug flag and provide more information. Nobody can answer this post with the details you've provided.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/