[Date Prev][Date Next] [Chronological] [Thread] [Top]

SSL - unknown ca/self signed certificate problem


I try to build a LDAPv3 enabled server using the hint at
http://www.bayour.com/LDAPv3-HOWTO.html . I managed to install all required
software (openssl, bdb, kerberos, sasl, openldap).

I am able to do a plain text ldap search using:

ldapsearch -h <fqdn> -x -b "" -s base -LLL supportedSASLMechanisms

This works fine. SASL connect seems to work ok, too. But when I try to
connect using SSL/TLS with

ldapsearch -H ldap://<fqdn>/ -x -b "" -s base -LLL -ZZ

it does not work.

Here is the relevant output of the server:

  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 30                                              .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

The ldapsearch output is:

TLS certificate verification: depth: 1, err: 19, subject:
n@home.linux, issuer:
TLS certificate verification: Error, self signed certificate in certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_start_tls: Connect error (91)
  additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

My slapd.conf contains the lines:

TLSCertificateFile  /etc/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/ssl/private/ldapkey.pem
TLSCACertificateFile  /etc/ssl/cacert.pem

ldap.conf reads as follows:

ssl start_tls

I created the keys using the instructions in the 'Openssl-Handbuch' (German
language). Created a CA and signed my service key with my CA cert (do you
need the exact instuctions?).

I think the problem has something to do with the way I created the keys and
my self signed CA (I haven't filled up the ldap database so far, but this
shouldn't be the problem, should it?). I couldn't find a solution in google
or on the list.

Thanxs in advance for any help,