
Re: Ubuntu Server 12.04: StartTLS



On 11/05/2012 09:24 PM, Philip Guenther wrote:
On Mon, 5 Nov 2012, Admus wrote:
...
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:

- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
In order to verify the server's certificate, the root CA that's 'above' the
server's cert needs to be configured as a trusted CA for the client.

For OpenSSL, that's done by placing it in the file designated by the
TLS_CACERT ldap.conf option, or in the directory designated by the
TLS_CACERTDIR ldap.conf option with the correct hashed filename.

The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS,
so presumably you just have to place the trusted root certificate(s) in a
single file and point TLS_CACERT at that, in whatever format GnuTLS uses.


Philip Guenther


My cn=config looks as follows:

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap1_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1_slapd_key.pem

I also tried setting TLS_CACERT in /etc/ldap/ldap.conf to:

TLS_CACERT      /etc/ssl/certs/cacert.pem

and

TLS_CACERT      /etc/ssl/certs/ldap1_slapd_cert.pem

but without success; the error stayed the same.

What should be TLS_CACERT value? Is /etc/ldap/ldap.conf respected at all?

My client and server are the same host.
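An added check, not part of the thread, for deciding which file TLS_CACERT (or olcTLSCACertificateFile) must name: it builds a throwaway root CA and a server certificate issued by it with openssl in a temporary directory (the filenames mirror the thread's but are constructed, not the poster's files), then runs the same trust decision the LDAP client makes, once with the CA file and once with the server certificate itself as the trust anchor.

```shell
#!/bin/sh
# Added diagnostic (not the poster's configuration): show which file a
# TLS_CACERT setting must name for the server certificate to verify.
# Everything here is a constructed throwaway PKI in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed root CA and a server certificate issued by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ldap1.example.com" \
    -keyout "$WORK/ldap1_slapd_key.pem" -out "$WORK/ldap1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/ldap1.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" -CAcreateserial \
    -out "$WORK/ldap1_slapd_cert.pem" 2>/dev/null
}

# verify_with_cafile CAFILE CERT: exit 0 if CERT chains up to a self-signed
# root contained in CAFILE, 1 otherwise. This is the check the LDAP client
# performs with TLS_CACERT pointing at CAFILE.
verify_with_cafile() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the issuer DN of CERT, to compare against the CA's subject DN.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

make_test_pki
echo "server cert issuer: $(issuer_of "$WORK/ldap1_slapd_cert.pem")"
echo "CA cert subject:    $(openssl x509 -noout -subject -in "$WORK/cacert.pem")"
if verify_with_cafile "$WORK/cacert.pem" "$WORK/ldap1_slapd_cert.pem"; then
  echo "OK: TLS_CACERT naming the issuing CA verifies the server cert"
fi
if ! verify_with_cafile "$WORK/ldap1_slapd_cert.pem" "$WORK/ldap1_slapd_cert.pem"; then
  echo "FAIL: TLS_CACERT naming the server cert itself does not verify"
fi
```

Run it against the real files by replacing the constructed paths; if the issuer printed for the server cert does not match the subject of the file named by TLS_CACERT, that file is not the CA that signed it.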