[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ubuntu Server 12.04: StartTLS

To: Philip Guenther <guenther+ldaptech@sendmail.com>
Subject: Re: Ubuntu Server 12.04: StartTLS
From: Admus <admus@op.pl>
Date: Mon, 05 Nov 2012 21:41:53 +0100
Cc: Dan White <dwhite@olp.net>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=op.pl; s=2011; t=1352148116; bh=G7Hfx2tstLaetKbcvy3HZNlBcF8hKUGRoKxVv2R9twU=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=Q3Gt/qSn5ggHdoGx/q3Ryz0yys8TrNyKb64uG6zF41orNnS+q7fKyqelOdXWn13jn n0Yu0vRYLaPGiTEc259+RrXwtQQDnw2mwAFAQZc4kffS6++Nav8ZD+5g6DlkYGnb51 n4pGenctO7HeTDu71AHQrpS9tkWNn9Fw48KWz/u8=
In-reply-to: <alpine.BSO.2.00.1211051216530.23727@morgaine.smi.sendmail.com>
References: <96080254-90c8db3d26b18778002f942d0fa5d4bb@pkn6.m5r2.onet> <20121104225942.GA20271@dan.olp.net> <50976AE9.5010208@op.pl> <20121105150532.GC6995@dan.olp.net> <50981B54.9030703@op.pl> <alpine.BSO.2.00.1211051216530.23727@morgaine.smi.sendmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2

On 11/05/2012 09:24 PM, Philip Guenther wrote:

On Mon, 5 Nov 2012, Admus wrote:
...

The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:

- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted

In order to verify the server's certificate, root CA that's 'above' the
server's cert needs to be configured as a trusted CA for the client.

For OpenSSL, that's done by placing it in the file designated by the
TLS_CACERT ldap.conf option, or in the directory designated by the
TLS_CACERTDIR ldap.conf option with the correct hashed filename.

The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS,
so presumably you just have to place the trusted root certificate(s) in a
single file and point TLS_CACERT at that, in whatever format GnuTLS uses.


Philip Guenther


My cn=config looks as follow:

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap1_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1_slapd_key.pem

I tried also set TLS_CACERT in /etc/ldap/ldap.conf to:

TLS_CACERT      /etc/ssl/certs/cacert.pem

and

TLS_CACERT      /etc/ssl/certs/ldap1_slapd_cert.pem

but without success, the error has became same.

What should be TLS_CACERT value? Is /etc/ldap/ldap.conf respected at all?

My client and server is the same host.

References:
- Ubuntu Server 12.04: StartTLS
  - From: admus <admus@op.pl>
- Re: Ubuntu Server 12.04: StartTLS
  - From: Dan White <dwhite@olp.net>
- Re: Ubuntu Server 12.04: StartTLS
  - From: Admus <admus@op.pl>
- Re: Ubuntu Server 12.04: StartTLS
  - From: Dan White <dwhite@olp.net>
- Re: Ubuntu Server 12.04: StartTLS
  - From: Admus <admus@op.pl>
- Re: Ubuntu Server 12.04: StartTLS
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>

Prev by Date: Re: Lastlogon attribute
Next by Date: RE: Lastlogon attribute
Index(es):
- Chronological
- Thread