Re: TLS fails
Tue, 2010-08-31 at 11:05 +0200, Frederik Bosch wrote:
> After getting my ACL right (thanks Dieter!), I have problems installing 
> an official certificate. I bought a certificate at RapidSSL. Starting 
> slapd gives me the following error.
> 
> TLS init def ctx failed: -69

> This error is thrown in openldap 2.4.17. Since I am on debian, slapd is 
> compiled against GnuTLS. When I was using 2.4.11 I had another error:

Do you have the complete certificate chain installed? If that is
installed, it could be that the certificate bundle provided by RapidSSL
doesn't have the certificates in the order that GnuTLS expects them to be in.

I haven't used commercial certificates with OpenSSL, but self-signed
roots with intermediate CAs. In this setting GnuTLS requires that the
certificates are in a specific order: first the root CA, then the certificates
below it, so that each following certificate has to be signed by the
previous one. OpenSSL doesn't have this restriction if I've understood
correctly.

I've used a setup like this with Ubuntu's slapd package where
ca-bundle.pem is created with OpenSSL and contains multiple
certificates: rootca, subca, subsubca. slapd-server.crt is signed with
subsubca.

olcTLSCACertificateFile: /path/to/ca-bundle.pem
olcTLSCertificateFile: /path/to/slapd-server.crt
olcTLSCertificateKeyFile: /path/to/slapd-server.key

This blog posting was helpful when I first encountered this issue:

http://www.sapphirepaw.org/blog/index.php?/archives/172-GNU-TLS-is-braindead.html

Veli-Matti
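As an added example (mine, not Veli-Matti's and not part of the OpenLDAP or GnuTLS projects): a standard-library-only Python script that checks whether a PEM CA bundle is in the order described in the message (root CA first, each following certificate issued by the previous one) and rewrites it into that order when it is not. It compares each certificate's issuer Name with the previous certificate's subject Name as DER bytes; it does not verify signatures, so it complements `openssl verify` rather than replacing it. The three certificates built at the bottom are constructed, unsigned X.509 skeletons named after the rootca/subca/subsubca chain in the message and exist only to exercise the checker.

```python
# Check/repair the certificate order of a PEM CA bundle for GnuTLS (added example).
# Only issuer/subject Name linkage is checked, never signatures.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def cert_names(der):
    """Return (issuer, subject) of an X.509 cert as raw Name contents."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature AlgorithmIdentifier, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def common_name(name):
    """Best-effort CN (OID 2.5.4.3) from a Name's contents, for messages."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))[:2]
            if oid == b"\x55\x04\x03":
                return val.decode("utf-8", "replace")
    return name.hex()


def pem_to_ders(text):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_bundle_order(pem_text):
    """Return a list of problems; empty means the bundle is in GnuTLS order."""
    names = [cert_names(d) for d in pem_to_ders(pem_text)]
    problems = []
    if names and names[0][0] != names[0][1]:
        problems.append(f"cert 0 ({common_name(names[0][1])}) is not self-issued, so not a root")
    for i in range(1, len(names)):
        issuer, subject = names[i]
        if issuer != names[i - 1][1]:
            problems.append(f"cert {i} ({common_name(subject)}) is not issued by "
                            f"cert {i - 1} ({common_name(names[i - 1][1])})")
    return problems


def reorder_bundle(pem_text):
    """Rewrite the bundle root-first, each cert issued by the one before it."""
    ders = pem_to_ders(pem_text)
    roots = [d for d in ders if cert_names(d)[0] == cert_names(d)[1]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-issued root, found {len(roots)}")
    ordered, remaining = [roots[0]], [d for d in ders if d is not roots[0]]
    while remaining:
        want = cert_names(ordered[-1])[1]   # next cert must name this subject as issuer
        nxt = [d for d in remaining if cert_names(d)[0] == want]
        if len(nxt) != 1:
            raise ValueError("bundle is not a single linear chain")
        ordered.append(nxt[0])
        remaining.remove(nxt[0])
    return "".join(der_to_pem(d) for d in ordered)


# --- constructed test data: unsigned X.509 skeletons, NOT valid certificates ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))


def make_test_cert(subject_cn, issuer_cn):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # version v3
           + _tlv(0x02, b"\x01")                                             # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"100101000000Z") + _tlv(0x17, b"200101000000Z"))  # validity
           + _name(subject_cn)
           + _tlv(0x30, b""))                                                # empty SPKI placeholder
    return der_to_pem(_tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00")))


ROOT, SUB, SUBSUB = (make_test_cert("rootca", "rootca"),
                     make_test_cert("subca", "rootca"),
                     make_test_cert("subsubca", "subca"))
GOOD_BUNDLE = ROOT + SUB + SUBSUB       # the order GnuTLS wants
BAD_BUNDLE = SUBSUB + SUB + ROOT        # same certificates, reversed

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, check_bundle_order(bundle) or "OK")
```

On a real bundle, `check_bundle_order(open("/path/to/ca-bundle.pem").read())` prints which link in the chain is out of place, and `reorder_bundle` produces a file that can be written back as `olcTLSCACertificateFile`; because the script only compares Names, run `openssl verify` against the reordered bundle afterwards to confirm the signatures actually chain.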