Re: SSL3 alert write:fatal:unknown CA

[Quanah Gibson-Mount <quanah@stanford.edu>]

Hello,

I suggest reading the OpenLDAP FAQ.  It has a nice long detailed 
explanation of why you probably don't want to use self-signed certs, or if 
you do, you need to have a CA cert you can point both the server & clients 
at.

--Quanah

--On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri 
<pierre@globeall.de> wrote:

> Hi,
>
> I'm trying to setup a LDAP server over SSL (it works already very well
> without  SSL)
>
> I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3
>
> I made a certificate, the common name is the FQDN of the host:
> sun.stars.priv the comand:
>
> ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
>
> gives me the followin result:
>
> TLS certificate verification: depth: 0, err: 18, subject:
> /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> il=certificate@sun.stars.priv,  issuer:
> /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> il=certificate@sun.stars.priv TLS certificate verification: Error, self
> signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> What can I do that clients from other hosts than "sun" recognize my self
> made  certificate?
>
> On the the server "sun", I put TLS_CACERT /etc/ldap/server.pem in file
> /etc/ldap/ldap.conf which remove the problem, but of course only on the
> server.



--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html