Re: TLS certificate verification: Error, self signed certificate

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Monday, November 10, 2003 9:52 PM -0800 David Highley 
<dhighley@highley-recommended.com> wrote:

> I'm working with openldap 2.1.23 on Sparc Solaris 9 systems. I have
> setup an LDAP server and replica. I have loaded the database using
> PADL's scripts. Now I'm trying to get tls working. I have created
> certificates and keys on the ldap server and verified them with openssl.
> I copied them to the replica system as well. I have added the TLS lines
> to the slapd.conf file and the ldap.conf file. When I test using
> ldapsearch on the ldap server I get a get the following error:
>
> /usr/local/bin/ldapsearch -d -1 -x -ZZ -b
> 'dc=highley-recommended,,dc=com' '(objectclass=*)'
>
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
>  TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> So can we use self signed certificates? Do we need to generate
> certificates and keys for the replica? What about clients?

Search the archives... There are hundreds of messages telling how to make 
this work.  There are even some from today!

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html