RE: SSL/TLS issue

[Aaron Richton <richton@nbcs.rutgers.edu>]

On Mon, 15 Oct 2012, Darouichi, Aziz wrote:

> This is the link I followed to create the CA and sigh it
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#7.0

Did you read the "Note" at the top of that paper? Worth considering...

> if I run cert check from client using  the following
> openssl s_client -connect ldap-ssl.curry.edu:636 -CApath /opt/local/etc/openldap/caert.pem

1. Again, did you really make a directory named "caert.pem"? Because if 
that's a file, I believe that should be -CAfile instead. (Same as I said 
that your TLS_CACERTDIR should probably be a TLS_CACERT ldap.conf 
directive.)

2. In your previous example it was "cacert.pem" but now I see "caert.pem". 
Whatever's actually on your filesystem -- make sure that you're using it, 
typo-free. It's unlikely that they're both correct.


Providing us the output of:

"ls -ld /opt/local/etc/openldap/caert.pem /opt/local/etc/openldap/cacert.pem"

might be helpful if this isn't clear.