
Re: TLS Certificate Issue



Jon Fink wrote:
After recently upgrading to a newer version of openldap I'm
experiencing problems with start_tls on a connection to the slapd
server.  I'm fairly certain that the certificate is setup correctly.

Which "the certificate" are you talking about? There are always at least two in a correctly configured TLS installation.


In fact the following command works properly from a remote client:

ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b
'ou=People,dc=group' '(objectClass=*)'

but when I run exactly the same command *on* the server I get the
following error (with debug flags turned on):

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer:
/CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)

I feel like this may be related somehow to the FQDN resolution on the
server, but I've tried a few permutations of hostname setup to no
avail (is there a way to confirm that this is the issue?)

It's quite easy to confirm that it is NOT the issue. The error message clearly says that the CA is unknown. The client was unable to find the certificate corresponding to the CA that signed the server certificate.


Any thoughts?

Thanks,
Jon

Versions:
slapd 2.4.7
openldap 2.4.7
openssl 0.9.8



--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/