
RE: Unknown CA error - replication

With regard to my problem below...

Can anyone answer: is it possible that OpenLDAP was not
configured/compiled with the correct options?  Should the defaults
suffice for replication with TLS/SSL?  For example, I'm pretty sure
'--with-tls' is default... are all the other necessary flags default?

Thanks again,


-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of McMaster,
Sent: Thursday, September 30, 2004 4:40 PM
To: OpenLDAP-software@OpenLDAP.org
Subject: Unknown CA error - replication


I have searched the list archives *exhaustively*, and it seems like I'm
doing everything right... 

I am trying to set up replication between two LDAP servers.  Both use
OpenLDAP 2.2.15, compiled with TLS support.  Using the OpenLDAP TLS
howto as a guide, I created a self-signed CA certificate, and used it to
create both the server and client certs.  I was careful to put each
machine's FQDN in the subject field.  In my master's slapd.conf, I have:

TLSCertificateFile /etc/cert/newcert.pem
TLSCertificateKeyFile /etc/cert/newreq.pem
TLSCACertificateFile /etc/cert/demoCA/cacert.pem

In the client's /etc/ldap.conf, I included:
TLS_CACERT /etc/cert/demoCA/cacert.pem

I can execute ldap commands over ldaps:// just fine.  Testing the
connection with the command 'openssl s_client -connect myserver.com:636
-showcerts -state -CAfile /etc/demoCA/cacert.pem' works fine (results in
return code 0, just like in the howto), so I think the certs are okay...
When I try to execute slurpd, however, I get this:

TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
Error: ldap_simple_bind_s for sys22m3.etrade.com:636 failed: Can't
contact LDAP server

My setup is basically default otherwise.  I feel like I am out of things
to try.  Does anyone have any suggestions on what this means and/or how
to fix it?  Just let me know if I can clarify or supply any additional
info.  I appreciate the help.
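Added example, not from the thread: slurpd connects to the replica as an ordinary libldap client, so it takes its CA from the client-side configuration (ldap.conf, ldaprc or .ldaprc under the build's sysconfdir) rather than from the TLSCACertificateFile in slapd.conf. The small script below checks that both ends of a replication link name a CA file, that the two paths agree, and that verification has not simply been switched off; it also reads a libldap TLS trace and reports which side raised the "unknown CA" alert (an alert that is *written* locally means the local side rejected the peer). The sample configurations and trace lines are constructed for the example; the file paths are the ones quoted in the original post.

```python
import re

# Keys every slapd.conf on the master needs for TLS (lower-cased; slapd
# keywords are matched case-insensitively).
SERVER_TLS_KEYS = ("tlscertificatefile", "tlscertificatekeyfile",
                   "tlscacertificatefile")
# Keys a libldap client (slurpd, ldapsearch, ...) uses to locate the CA.
CLIENT_CA_KEYS = ("tls_cacert", "tls_cacertdir")

# Substrings of the libldap/OpenSSL debug trace, mapped to what they
# mean for a certificate verification failure.
TRACE_HINTS = (
    ("self signed certificate in certificate chain",
     "the local (client) side could not build a trust path; the signing CA "
     "is not in its TLS_CACERT"),
    ("alert write:fatal:unknown ca",
     "the local side sent the 'unknown CA' alert, so the client is the party "
     "that rejected the server certificate"),
    ("alert read:fatal:unknown ca",
     "the remote side sent the 'unknown CA' alert, so the server rejected "
     "the client certificate"),
)


def parse_ldap_conf(text):
    """Parse 'keyword value' lines. '#' starts a comment; a line that
    begins with whitespace continues the previous keyword's value."""
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            entries[current] += " " + raw.strip()
            continue
        parts = re.split(r"\s+", raw.strip(), maxsplit=1)
        current = parts[0].lower()
        entries[current] = parts[1] if len(parts) > 1 else ""
    return entries


def check_replication_tls(slapd_conf, ldap_conf):
    """Return a list of findings; an empty list means both ends agree."""
    server = parse_ldap_conf(slapd_conf)
    client = parse_ldap_conf(ldap_conf)
    findings = []
    for key in SERVER_TLS_KEYS:
        if key not in server:
            findings.append(f"slapd.conf: {key} not set")
    if not any(key in client for key in CLIENT_CA_KEYS):
        findings.append("ldap.conf: no TLS_CACERT or TLS_CACERTDIR, so the "
                        "client cannot verify the replica's certificate")
    server_ca = server.get("tlscacertificatefile")
    client_ca = client.get("tls_cacert")
    if server_ca and client_ca and server_ca != client_ca:
        findings.append(f"CA file differs: server uses {server_ca}, "
                        f"client uses {client_ca}")
    # TLS_REQCERT defaults to 'demand'; 'never' hides the problem by
    # disabling verification rather than fixing the trust store.
    if client.get("tls_reqcert", "demand").lower() == "never":
        findings.append("ldap.conf: TLS_REQCERT never disables verification")
    return findings


def explain_tls_trace(log_text):
    """Map libldap TLS debug lines to the side that failed verification."""
    lowered = log_text.lower()
    return [hint for needle, hint in TRACE_HINTS if needle in lowered]


# Constructed sample inputs: the master's slapd.conf as quoted in the post,
# and a client ldap.conf that is missing TLS_CACERT.
SAMPLE_SLAPD_CONF = """\
# master
TLSCertificateFile /etc/cert/newcert.pem
TLSCertificateKeyFile /etc/cert/newreq.pem
TLSCACertificateFile /etc/cert/demoCA/cacert.pem
"""
SAMPLE_LDAP_CONF = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com:636
"""
SAMPLE_TRACE = """\
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
"""

if __name__ == "__main__":
    for line in check_replication_tls(SAMPLE_SLAPD_CONF, SAMPLE_LDAP_CONF):
        print("finding:", line)
    for line in explain_tls_trace(SAMPLE_TRACE):
        print("trace:", line)
```

Run it against the real files with the ldap.conf that libldap actually reads: a source build defaults to /etc/openldap/ldap.conf, while /etc/ldap.conf is commonly the nss_ldap file, so a TLS_CACERT placed in the wrong one is never seen by slurpd.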