
RE: Unknown CA error - replication

At 01:56 PM 10/4/2004, McMaster, Michael wrote:
>With regard to my problem below...
>Can anyone answer: is it possible that OpenLDAP was not
>configured/compiled with the correct options?  Should the defaults
>suffice for replication with TLS/SSL?  For example, I'm pretty sure
>'--with-tls' is default... are all the other necessary flags default

That is the only configure flag needed to build OpenLDAP
Software with TLS support (assuming one's environment is
set up so configure can find OpenSSL).

Once installed, however, you will have to configure both
the server and the clients for TLS.  Until you do, TLS
will not work.  See the Admin Guide, slapd.conf(5) and
ldap.conf(5) for assistance (as well as other materials
on the website).

It seems you have failed to (properly) configure clients
with knowledge of the CA.  I'd guess you didn't put the
TLS_CACERT in the OpenLDAP ldap.conf(5) (not to be
confused with other files named ldap.conf which might
be present on your system).


>Thanks again,
>
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
>[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of McMaster,
>Sent: Thursday, September 30, 2004 4:40 PM
>To: OpenLDAP-software@OpenLDAP.org
>Subject: Unknown CA error - replication
>
>I have searched the list archives *exhaustively*, and it seems like I'm
>doing everything right...
>
>I am trying to set up replication between two LDAP servers.  Both use
>OpenLDAP 2.2.15, compiled with TLS support.  Using the OpenLDAP TLS
>howto as a guide, I created a self-signed CA certificate, and used it to
>create both the server and client certs.  I was careful to put each
>machine's FQDN in the subject field.  In my master's slapd.conf, I have:
>
>TLSCertificateFile /etc/cert/newcert.pem
>TLSCertificateKeyFile /etc/cert/newreq.pem
>TLSCACertificateFile /etc/cert/demoCA/cacert.pem
>
>In the client's /etc/ldap.conf, I included:
>
>TLS_CACERT /etc/cert/demoCA/cacert.pem
>
>I can execute ldap commands over ldaps:// just fine.  Testing the
>connection with the command 'openssl s_client -connect myserver.com:636
>-showcerts -state -CAfile /etc/demoCA/cacert.pem' works fine (results in
>return code 0, just like in the howto), so I think the certs are okay...
>
>When I try to execute slurpd, however, I get this:
>
>TLS certificate verification: Error, self signed certificate in
>certificate chain
>tls_write: want=7, written=7
>  0000:  15 03 01 00 02 02 30                               ......0
>TLS trace: SSL3 alert write:fatal:unknown CA
>TLS trace: SSL_connect:error in SSLv3 read server certificate B
>TLS trace: SSL_connect:error in SSLv3 read server certificate B
>TLS: can't connect.
>Error: ldap_simple_bind_s for sys22m3.etrade.com:636 failed: Can't
>contact LDAP server
>
>My setup is basically default otherwise.  I feel like I am out of things
>to try.  Does anyone have any suggestions on what this means and/or how
>to fix it?  Just let me know if I can clarify or supply any additional
>info.  I appreciate the help.
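A small diagnostic for the point made in the reply, added here and not part of the thread: it walks the OpenLDAP client configuration search order from ldap.conf(5) and reports which file sets TLS_CACERT and whether the CA file it names is a readable PEM file. The system path /etc/openldap/ldap.conf is an assumption (Debian uses /etc/ldap/ldap.conf); a file such as nss_ldap's /etc/ldap.conf, which uses its own keys rather than TLS_CACERT, is reported as not setting it.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): show which OpenLDAP client config
# files set TLS_CACERT and whether the CA file they point at is usable.
# Search order per ldap.conf(5): the system file (replaced by $LDAPCONF if
# set), then $HOME/.ldaprc, then ./ldaprc; $LDAPRC names an extra per-user
# basename looked up in both places.  Assumed system path below; pass your
# distribution's path as the first argument if it differs.

# Print the last TLS_CACERT value in a file (keys are case-insensitive and
# '#' starts a comment).  Returns 1 if the file is unreadable or unset.
tls_cacert_in() {
    [ -r "$1" ] || return 1
    val=$(awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# A CA file is usable when it is readable and holds at least one PEM cert.
cacert_ok() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Report over the whole search order; always returns 0 (it only reports).
report_tls_cacert() {
    sys=${LDAPCONF:-${1:-/etc/openldap/ldap.conf}}
    home=${HOME:-.}
    for f in "$sys" "$home/.ldaprc" ./ldaprc \
             ${LDAPRC:+"$home/$LDAPRC"} ${LDAPRC:+"./$LDAPRC"}; do
        if ca=$(tls_cacert_in "$f"); then
            if cacert_ok "$ca"; then
                echo "$f: TLS_CACERT $ca (ok)"
            else
                echo "$f: TLS_CACERT $ca (MISSING or not a PEM certificate)"
            fi
        else
            echo "$f: TLS_CACERT not set (or file absent)"
        fi
    done
    return 0
}

report_tls_cacert "$@"
```

A client whose only TLS_CACERT lives in a file outside this search order (for example the nss_ldap /etc/ldap.conf) will show "not set" on every line, which is the configuration state that produces the "unknown CA" alert quoted above.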