
Re: Self-signed CA certificates in 2.1.8



Thu, 2002-11-07 at 13:31, Jani Patokallio wrote:

> I'm getting strange errors about self-signed certificates in OpenLDAP 2.1.8
> with OpenSSL 0.9.6b-28.  ldapsearch -Z with debugging turned on complains:
> 
> TLS trace: SSL_connect:SSLv3 read server hello A
> [read certificate]
> TLS certificate verification: depth: 1, err: 19, subject: /C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service, issuer: /C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
> 	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

> However, the server certificate in question is *not* self-signed, it is
> signed by a CA known to both parties, just the way a good little certificate
> should.   The CA certificate is, of course, self-signed -- but all CA
> certificates are!  The certificate exchange also works quite nicely in 2.0.23,
> so the certificate file locations etc are configured correctly.  What on
> earth is the problem, and how do I fix it?

Don't know if this has been answered, since the mail server that gives
me my mailkicks is said to have been swamped by a super-attack of
dictionary based spam and all mail has been delayed.

Jani, I think you'll find it's your server public cert that isn't being
accepted. "TLS certificate verification: depth: 1, err: 19" is o.k. (18 and
19 are o.k.); that it's reported as self-signed means that there's no
signing hierarchy stemming from a recognized authority.

Look more closely at the barf and you'll find that it's the Server
Certificate that is being refused.

In solving this one, make doubly sure that the SUBJECT of the server
public key certificate agrees with the fully qualified name of your
server, which must refer back to the IP number of the machine the ldap
server is running on and agree with whatever method you use to resolve
that IP number (whether that be /etc/hosts or DNS.)

Best,

Tony


-- 

Tony Earnshaw

So many a word could have gone unsaid.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
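The checks discussed in this thread (what the depth/err numbers in the TLS trace mean, whether the certificate that failed is the CA or the server certificate, and whether the server certificate's subject CN matches the host name the client connected to) can be scripted against the `ldapsearch -d` output. The following is an added example written for this page; it is not code from OpenLDAP or from either poster. The error-code table is the subset of OpenSSL's X509_V_ERR_* values used here; the quoted trace lines are the ones from Jani's mail, the second trace and the host name `ldap.example.invalid` are constructed placeholders.

```python
"""Triage helper for OpenLDAP TLS verification traces (added example).

Parses the 'TLS certificate verification: depth: N, err: E, subject: ...,
issuer: ...' lines that ldapsearch -Z -d prints from OpenSSL's verify
callback, decodes the error number and checks the server certificate's
CN against the expected host name.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of OpenSSL's X509_V_ERR_* verify results: the number is what the
# "err:" field shows, the text is OpenSSL's own description of that code.
X509_VERIFY_ERRORS: Dict[int, str] = {
    2: "unable to get issuer certificate",
    7: "certificate signature failure",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# One line per certificate examined by the verify callback.
TRACE_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


@dataclass
class VerifyEvent:
    depth: int    # 0 = server (leaf) certificate, 1+ = issuing CAs
    err: int      # OpenSSL verify error, 0 means this step passed
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_trace(lines: List[str]) -> List[VerifyEvent]:
    """Extract verify events; a leading '> ' quote prefix is tolerated."""
    events = []
    for line in lines:
        m = TRACE_RE.search(line.lstrip("> ").rstrip())
        if m:
            events.append(VerifyEvent(int(m["depth"]), int(m["err"]),
                                      m["subject"], m["issuer"]))
    return events


def dn_cn(dn: str) -> Optional[str]:
    """Return the CN of an OpenSSL one-line DN such as /C=FI/O=x/CN=host."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[3:]
    return None


def diagnose(events: List[VerifyEvent], expected_host: str) -> List[str]:
    """Turn verify events into findings a practitioner can act on."""
    findings = []
    for ev in events:
        if ev.err == 0:
            continue
        name = X509_VERIFY_ERRORS.get(ev.err, "unknown verify error")
        if ev.err in (18, 19) and ev.self_signed:
            # A self-signed certificate is only an error when the client
            # does not have it in its configured CA store.
            where = ("the server certificate itself" if ev.depth == 0
                     else f"the issuing CA '{dn_cn(ev.subject)}'")
            findings.append(f"depth {ev.depth}: err {ev.err} ({name}); {where} "
                            "is self-signed and is not in the client's trusted CA store")
        else:
            findings.append(f"depth {ev.depth}: err {ev.err} ({name})")
    leaf = next((e for e in events if e.depth == 0), None)
    if leaf is None:
        # OpenSSL stops chain building at the failing issuer, so the leaf
        # is never reported and its subject cannot be judged from the trace.
        findings.append("server certificate never reached verification: "
                        "chain building stopped at an untrusted issuer")
    elif dn_cn(leaf.subject) != expected_host:
        findings.append(f"server certificate CN '{dn_cn(leaf.subject)}' does not "
                        f"match the host you connected to ('{expected_host}')")
    return findings


# Trace lines as quoted in the thread (the failing case).
THREAD_TRACE = [
    "> TLS trace: SSL_connect:SSLv3 read server hello A",
    "> [read certificate]",
    "> TLS certificate verification: depth: 1, err: 19, subject: /C=FI/ST=Too Cold Place"
    "/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service, issuer: /C=FI"
    "/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service",
    "> TLS certificate verification: Error, self signed certificate in certificate chain",
]

# Constructed trace: CA is trusted, but the server cert was issued to another name.
MISMATCH_TRACE = [
    "TLS certificate verification: depth: 1, err: 0, subject: /C=FI/O=Example CA"
    "/CN=Example Root, issuer: /C=FI/O=Example CA/CN=Example Root",
    "TLS certificate verification: depth: 0, err: 0, subject: /C=FI/O=Example"
    "/CN=ldap-old.example.invalid, issuer: /C=FI/O=Example CA/CN=Example Root",
]

if __name__ == "__main__":
    for label, trace in (("thread", THREAD_TRACE), ("constructed", MISMATCH_TRACE)):
        for finding in diagnose(parse_trace(trace), "ldap.example.invalid"):
            print(f"[{label}] {finding}")
```

Run it on a pasted `ldapsearch -Z -d 1` trace with the host name you actually connect to. The trace only shows the subject CN, so the CN comparison reproduces the check Tony describes; it does not replace a client-side hostname check against the certificate's subjectAltName, which the trace does not print.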