
Re: SSL/TLS issue



I ran into this problem about a year ago.
It took me about 3 months to resolve.
The code isn't broken, it works.
All these guys are telling you the detail, and detail is important.
But.... My problem was resolved, when I understood the concept:
CA self-signed certificate [or just a certificate]
Read through how that is supposed to work logically: I sat down with another
sys admin and I explained it to him, and then looked at what I had done
[actually that forced me to look at what I had done].
I had not done, what I had explained had to be done.
Well that was stupid, but it was easy to fix.

The self-signed certificate doc is at
WWW.openldap.org/faq/data/cache/185.html
You might want to review it from a logical standpoint, and understand what
the objective is. Then it's easy to set up.

Sometimes it's not the razor,
Sometimes it's your face.

Hope that clears up [well, not your face, just...] the problem.
I am sure your face was excellent to begin with.

tob


On 10/15/12 1:11 PM, "Aaron Richton" <richton@nbcs.rutgers.edu> wrote:

> On Mon, 15 Oct 2012, Darouichi, Aziz wrote:
> 
>> This is the link I followed to create the CA and sign it
>> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#7.0
> 
> Did you read the "Note" at the top of that paper? Worth considering...
> 
>> if I run cert check from client using the following
>> openssl s_client -connect ldap-ssl.curry.edu:636 -CApath
>> /opt/local/etc/openldap/caert.pem
> 
> 1. Again, did you really make a directory named "caert.pem"? Because if
> that's a file, I believe that should be -CAfile instead. (Same as I said
> that your TLS_CACERTDIR should probably be a TLS_CACERT ldap.conf
> directive.)
> 
> 2. In your previous example it was "cacert.pem" but now I see "caert.pem".
> Whatever's actually on your filesystem -- make sure that you're using it,
> typo-free. It's unlikely that they're both correct.
> 
> 
> Providing us the output of:
> 
> "ls -ld /opt/local/etc/openldap/caert.pem /opt/local/etc/openldap/cacert.pem"
> 
> might be helpful if this isn't clear.
>
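Aaron's two points above (is the path a file or a directory, and is it really spelled caert.pem or cacert.pem) can be turned into a small check before running s_client; this is an added example, not code from the thread, and the hostname, port and paths in the usage comment are placeholders. It assumes an OpenSSL with "openssl rehash" (older releases ship the c_rehash script instead).

```shell
# ca_flag PATH
#   prints "-CAfile PATH" for a regular file,
#   "-CApath PATH" for a directory that holds hash-named links (e.g. 3a2f1b4c.0),
#   and returns non-zero with a hint on stderr otherwise.
ca_flag() {
    p=$1
    if [ -f "$p" ]; then
        printf '%s\n' "-CAfile $p"
    elif [ -d "$p" ]; then
        # -CApath only looks at HASH.N links, which "openssl rehash DIR"
        # (or the older c_rehash script) creates; a bare PEM in the directory is ignored.
        set -- "$p"/*.0
        if [ -e "$1" ]; then
            printf '%s\n' "-CApath $p"
        else
            echo "error: $p is a directory without hashed links; run: openssl rehash $p" >&2
            return 2
        fi
    else
        echo "error: $p does not exist (spelling? caert.pem vs cacert.pem)" >&2
        return 1
    fi
}

# ldap_directive PATH
#   prints the matching ldap.conf line for the same path (TLS_CACERT or TLS_CACERTDIR)
ldap_directive() {
    case "$(ca_flag "$1")" in
        "-CAfile "*) echo "TLS_CACERT $1" ;;
        "-CApath "*) echo "TLS_CACERTDIR $1" ;;
        *) return 1 ;;
    esac
}

# check_server HOST PORT CAPATH
#   runs the s_client check with whichever flag fits CAPATH and shows the verify result
check_server() {
    flag=$(ca_flag "$3") || return $?
    # $flag is intentionally unquoted: it expands to the option and its argument
    openssl s_client -connect "$1:$2" $flag </dev/null 2>&1 |
        grep -E 'Verify return code'
}

# Usage (placeholder host and path):
#   check_server ldap.example.com 636 /opt/local/etc/openldap/cacert.pem
#   ldap_directive /opt/local/etc/openldap/cacert.pem
```

A "Verify return code: 0 (ok)" line means the trust store was found and used; the common failure ("unable to get local issuer certificate") is what a wrong flag or misspelled path produces.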