[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [seeking help] unknown CA

Ben Kim wrote:

I have a php script authenticating user against an ldap server (not under
my control) which I know has no problem.
But when I use it on my newly compiled server, it cannot bind with ldaps
protocol. Packet traces show the following exchange.
- client: Client Hello
- server: Server Hello, Certificate, Server Hello Done
- client: Alert (Level: Fatal, Description: Unknown CA)

cced you, since this was a couple of days ago.

*Assuming Linux, since you do not say*. If you have linked libphp4.so against Openldap client libldap and liblber, your libphp4.so will be using /usr/local/etc/ldap.conf or /etc/openldap/ldap.conf, depending on your distro. NB, NOT /etc/ldap.conf. You get the ldap server admin to send you a copy of the CA certificate he uses (have him gzip it, if he uses email) and you put it in a directory readable by your Apache user (nobody, apache, whatever) and you put the following line in ldap.conf:

TLS_CACERTDIR /path/to/cacertdir. This is not literal! You have to substitute your own path. If you need more CA certs for different purposes, you can append them into the same cacert file in the cacertdir.

On google, it seems to be one of the standard error strings: " "CA"/"unknown CA"
A valid certificate chain or partial chain was received, but
the certificate was not accepted because the CA certificate could not be
located or couldn't be matched with a known, trusted CA. This message
is always fatal."

It is only "fatal" in the sense that it doesn't work at that moment. It will not be "fatal" if you do the above.



Tony Earnshaw

Millom kaksar eg litet kann trivast, millom jamningar helst er eg nøgd

Mail: tonni@billy.demon.nl