
Re: SSL3 alert write:fatal:unknown CA


I suggest reading the OpenLDAP FAQ. It has a nice long detailed explanation of why you probably don't want to use self-signed certs, or if you do, you need to have a CA cert you can point both the server & clients at.


--On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri <pierre@globeall.de> wrote:


I'm trying to set up an LDAP server over SSL (it already works very well
without SSL)

I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3

I made a certificate; the common name is the FQDN of the host,
sun.stars.priv. The command:

ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7

gives me the following result:

TLS certificate verification: depth: 0, err: 18, subject:
il=certificate@sun.stars.priv,  issuer:
il=certificate@sun.stars.priv TLS certificate verification: Error, self
signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

What can I do so that clients on hosts other than "sun" recognize my
self-made certificate?

On the server "sun", I put TLS_CACERT /etc/ldap/server.pem in the file
/etc/ldap/ldap.conf, which removes the problem, but of course only on the

-- Quanah Gibson-Mount Senior Systems Administrator ITSS/TSS/Computing Systems Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
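The setup Quanah points at, as an added example that is not part of the thread: create a private CA, issue the slapd server certificate from it, and check with `openssl verify` why a client that trusts the CA accepts that certificate while a client shown the self-signed server certificate (the original poster's setup) fails with the same "self signed certificate" error 18 seen in the debug output. The organisation name, the working directory and the file names are assumptions; the hostname sun.stars.priv and the `TLS_CACERT` / `TLSCACertificateFile` / `TLSCertificateFile` / `TLSCertificateKeyFile` directives are the thread's and OpenLDAP's own. Only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Builds a private
# CA, a self-signed server cert (what the poster had) and a CA-signed server
# cert (the fix), then emulates clients with different trust stores.
# Assumptions: hostname, organisation, file layout under $WORK.
set -eu

WORK=${WORK:-$(mktemp -d)}
HOST=${HOST:-sun.stars.priv}
mkdir -p "$WORK/emptydir"   # empty -CApath so the system CA store is not consulted

# Self-signed root CA: the one certificate both slapd and every client point at.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=stars.priv/CN=stars.priv Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# What the original poster did: a self-signed *server* certificate.
make_self_signed_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=stars.priv/CN=$HOST" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# The fix: a CSR whose CN is the FQDN used in ldaps://, signed by the CA.
# A subjectAltName is added so name matching also works for newer clients.
make_ca_signed_server() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=stars.priv/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
        > "$WORK/server.ext"
    openssl x509 -req -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Emulates a client whose TLS_CACERT is $1 being shown server certificate $2.
# Prints "ok" when the chain verifies and "fail" otherwise.
client_verify() {
    cafile=$1; cert=$2
    if openssl verify -CAfile "$cafile" -CApath "$WORK/emptydir" "$cert" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Config fragments tying it together: slapd.conf on the server, ldap.conf on
# each client. Only ca.pem is copied to the clients; ca.key never leaves the CA.
write_configs() {
    cat > "$WORK/slapd.conf.tls" <<EOF
TLSCACertificateFile  $WORK/ca.pem
TLSCertificateFile    $WORK/server.pem
TLSCertificateKeyFile $WORK/server.key
EOF
    cat > "$WORK/ldap.conf.tls" <<EOF
TLS_CACERT $WORK/ca.pem
EOF
}

make_ca
make_self_signed_server
make_ca_signed_server
write_configs
echo "self-signed server cert, client trusts CA:   $(client_verify "$WORK/ca.pem" "$WORK/selfsigned.pem")"
echo "CA-signed server cert,   client trusts CA:   $(client_verify "$WORK/ca.pem" "$WORK/server.pem")"
echo "CA-signed server cert,   client trusts other: $(client_verify "$WORK/selfsigned.pem" "$WORK/server.pem")"
echo "configs written under $WORK"
```

The self-signed server certificate only ever verifies on a client whose `TLS_CACERT` is that very file, which is why the fix worked on "sun" alone; with a CA in the picture, each client needs only the CA certificate, and the server certificate can be reissued or replaced without touching the clients.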