RE: Error in certificate

Hi Howard,

> The openssl verify command doesn't fully validate a certificate;
> its result
> is relatively useless. Run both slapd and ldapsearch with "-d7"
> debug and see
> what error messages are shown. This error was generated by the OpenSSL
> library, not by OpenLDAP.

This is the log for ldapsearch -d 7:

	TLS certificate verification: depth: 0, err: 6, subject: C=, ST=, L=, O=, OU=, CN=debian-ldap.enatel.local/Email=, issuer: C=, ST=, L=, O=, OU=, CN=Autorite Enatel/Email=
	TLS certificate verification: Error, Unknown error
	TLS: can't connect.
	ldap_start_tls: Connect error (91)
		additional info: Error in the certificate.

This is the one for slapd -d 7:

	TLS certificate verification: depth: 0, err: -49, subject: -unknown-, issuer: -unknown-
	TLS certificate verification: Error, Unknown error
	tls_write: want=181, written=181
	connection_read(12): unable to get TLS client DN error=49 id=0

The ldapsearch log is strange, since my certificates should have a DN like
dc=...,dc=...[,ou=...],cn=..., as I see when I do cat server-cert.pem and
as I set it up in my openssl.cnf.

The slapd log seems to point to the problem: subject: -unknown-,
issuer: -unknown-
What does it mean?

Also, this is what I get when I do:
$ openssl s_client -connect debian-ldap.enatel.local:636 -showcerts

	depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
	verify error:num=20:unable to get local issuer certificate
	verify return:1
	depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
	verify error:num=27:certificate not trusted
	verify return:1
	depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
	verify error:num=21:unable to verify the first certificate
	verify return:1
	Certificate chain
	 0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
	   i:/DC=local/DC=enatel/CN=Autorite Enatel
	Server certificate
	issuer=/DC=local/DC=enatel/CN=Autorite Enatel
	No client certificate CA names sent
	Verify return code: 21 (unable to verify the first certificate)

François Beretti
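As an added example (not code from this thread, from OpenLDAP or from the poster), the following sh script reproduces the "unable to get local issuer certificate" condition (verify error 20) seen in the s_client output above with a throwaway CA, and shows the same certificate verifying cleanly once that CA is supplied as a trust anchor. It assumes only the openssl command-line tool; the DNs, file names and the functions subject_of and chain_status are constructed for this example and are not the poster's real certificates.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA and a server
# certificate it signs, then show how openssl's verification result depends
# on whether that CA is available as a trust anchor. All names are placeholders.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Constructed root CA (self-signed; the stock openssl.cnf marks it CA:TRUE)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout ca-key.pem -out ca.pem \
  -subj "/DC=example/DC=test/CN=Example Test CA" >/dev/null 2>&1

# Constructed server certificate: a CSR, then signed by the CA above
openssl req -newkey rsa:2048 -nodes \
  -keyout server-key.pem -out server.csr \
  -subj "/DC=example/DC=test/CN=ldap.example.test" >/dev/null 2>&1
openssl x509 -req -days 1 -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem >/dev/null 2>&1

# subject_of CERT: print the subject DN the certificate really carries, in
# RFC 2253 form (most specific RDN first), independent of any client log format
subject_of() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# chain_status CAFILE CERT: print "OK" when CERT chains to CAFILE (pass an
# empty CAFILE to rely on the default trust store only); otherwise print the
# X509 verify error number openssl reports at the failing depth, e.g. 20 =
# "unable to get local issuer certificate", the issuer could not be found.
chain_status() {
  if [ -n "$1" ]; then
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  else
    out=$(openssl verify "$2" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
         | head -n 1 ;;
  esac
}

# Demonstration: the same certificate, without and with its CA as trust anchor
echo "subject:                $(subject_of server-cert.pem)"
echo "issuer:                 $(openssl x509 -noout -issuer -nameopt RFC2253 -in server-cert.pem)"
echo "verify, no CA supplied: $(chain_status "" server-cert.pem)"
echo "verify, -CAfile ca.pem: $(chain_status ca.pem server-cert.pem)"
```

The first verify call fails with error 20 because the server certificate is not self-signed and nothing in the trust store can act as its issuer; the second succeeds because ca.pem is offered as the anchor. Checking the real subject and issuer with openssl x509 in this way is the direct counterpart of the "-unknown-" and empty-field DNs printed in the debug logs above: it shows what the file actually contains rather than how a client formats it.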

