All,

My setup consists of three servers, each syncing with each other. The host names are:

1) mm-server1.example.ldap
2) mm-server2.example.ldap
3) mm-server3.example.ldap

Utilizing TLSv1, on all three I have:

    olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
    olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/CA/private/cakey.pem
    olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3

Configured with self-signed wild-card certs, originally configured (using openssl 0.9.8) on mm-server2 and exported to the other servers.

When running ldapmodify, ldapsearch, etc. with a “-Z”, and openssl s_client on mm-server1 or mm-server3, or any client pointing back to mm-server1 or 3, I receive the following error:

    TLS certificate verification: Error, self signed certificate
    TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
    ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)

Running any of those to mm-server2, it works with no such error. I am guessing that since the certs were created on mm-server2 originally, that is why it works this way. Also guessing I missed a step somewhere. I read online a post from 2005 with a good explanation of self-signed certs from Howard Chu about a similar problem.

What is the best procedure for creating wild-card certs and sharing those out to other servers? The procedure that was used was from openssl.org, so it was not a fly-by-night weblog.

What did I miss (besides: a lot)?

Thanks in advance,

John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Surveillance Systems Group
244 Wood St
Lexington, MA 02420
Ph: (781) 981-1609
Email: john.borresen@ll.mit.edu
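The failure in the post is what a TLS client reports when the server's self-signed certificate is not in that client's trust store; the check below, an added example that is not part of the original thread, reproduces it with a throw-away wildcard certificate and then shows the verification passing once the client is handed that certificate as its CA. File names and the host name ldap.example.com are constructed stand-ins; the openssl verify flags used are the standard ones.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the "self signed
# certificate" verification failure with a throw-away wildcard cert, then
# shows the check that passes once the client trusts that cert as its CA.
# All file names are constructed stand-ins for the cacert.pem/cakey.pem
# pair described in the post.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Mint a self-signed wildcard certificate (in the post the server cert on
# all three servers is the CA cert itself, so one PEM plays both roles).
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.ldap" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Verify a cert the way a TLS client does. $1 = cert, $2 = trusted CA file
# (empty = only the system trust store, i.e. a client that was never given
# cacert.pem; ldap.conf's TLS_CACERT is what supplies it to OpenLDAP tools).
verify_cert() {
    cert="$1"; ca="${2:-}"
    if [ -n "$ca" ]; then
        out="$(openssl verify -CAfile "$ca" "$cert" 2>&1 || true)"
    else
        out="$(openssl verify "$cert" 2>&1 || true)"
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        # OpenSSL 1.x spells it "self signed", 3.x "self-signed"
        *"self signed certificate"*|*"self-signed certificate"*) echo "self signed certificate" ;;
        *) echo "fail: $out" ;;
    esac
}

# Trust check plus the host-name match a client applies to the wildcard:
# $1 = cert, $2 = CA file, $3 = host name the client connected to.
verify_cert_for_host() {
    out="$(openssl verify -CAfile "$2" -verify_hostname "$3" "$1" 2>&1 || true)"
    case "$out" in *": OK"*) echo ok ;; *) echo "fail: $out" ;; esac
}

make_selfsigned_cert
echo "no trust anchor:          $(verify_cert "$WORK/cacert.pem")"
echo "trusting cacert.pem:      $(verify_cert "$WORK/cacert.pem" "$WORK/cacert.pem")"
echo "mm-server1.example.ldap:  $(verify_cert_for_host "$WORK/cacert.pem" "$WORK/cacert.pem" mm-server1.example.ldap)"
echo "ldap.example.com:         $(verify_cert_for_host "$WORK/cacert.pem" "$WORK/cacert.pem" ldap.example.com)"
```

The first line is the client-side view of the error in the post; the last two show that the wildcard only satisfies the name check for hosts under example.ldap, so a client must both trust the CA file and connect using a name the certificate covers.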