
Re: openldap 2.1.30 + gentoo +ssl [self signed problem again]



Florin Angelescu wrote:

On Thursday 25 November 2004 11:32, you wrote:


Hello,

Florin Angelescu <fangelescu@caami-hziv.fgov.be> writes:


On Thursday 25 November 2004 09:04, you wrote:


You must post your error messages, debug output of slapd, ldap.conf and
slapd.conf before anyone could help you.


[... 9



I read the OpenLDAP software FAQ
and followed the instructions, but it still got a self-signed certificate
error
with ldapsearch ....
[ yes, I read the FAQ, and yes, I added the TLS_CACERT !!! ]
Was there an issue with that version? Do I have to upgrade to 2.2?


Oh sure,
here are the logs:

http://student.vub.ac.be/~fangeles/ldap/filelist.log
http://student.vub.ac.be/~fangeles/ldap/sldaperror.log
http://student.vub.ac.be/~fangeles/ldap/ldapsearch.log
http://student.vub.ac.be/~fangeles/ldap/ldap.conf
http://student.vub.ac.be/~fangeles/ldap/slapd.conf


These are the relevant log lines

,----[ slapd.log ]

| tls_read: want=2, got=2
|   0000:  02 30                                              .0
| TLS trace: SSL3 alert read:fatal:unknown CA
| TLS trace: SSL_accept:failed in SSLv3 read client certificate A
| TLS: can't accept.
| TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
| s3_pkt.c:1052 connection_read(12): TLS accept error error=-1 id=0,
| closing
| connection_closing: readying conn=0 sd=12 for close
| connection_close: conn=0 sd=12

`---

You must have signed a cert with the wrong CA; check all your
certificates with

openssl x509 -in certificate.pem -text

in particular check the keyid, which must be identical in the key
chain.

-Dieter



Well, I have only 1 CA .... (I used CA.sh -newcert) and the servercert is signed by my CA

openssl x509 -in servercert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI_CA, OU=CCI, CN=CAAMI_CA/emailAddress=fangelescu@caami-hziv.fgov.be
        Validity
            Not Before: Nov 25 08:32:09 2004 GMT
            Not After : Nov 25 08:32:09 2005 GMT
        Subject: C=BE, ST=BELGIUM, L=BRUSSELS, O=CAAMI-HZIV, OU=CCI, CN=ldap.caami-hziv.fgov.be/emailAddress=ldapserver@caami-hziv.fgov.be
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
            .
            .
            .


   Florin,

I'm using Gentoo + OpenLDAP 2.1.30-r2 + OpenSSL 0.9.7d-r1 without any problem, so it shouldn't be a version problem. Have you added your root certificate to /etc/ssl/certs/ and executed c_rehash?

   Best regards
   Jose
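The two checks suggested in this thread, as an added shell example (this is not code posted by Dieter, Jose or Florin): Dieter's keyid comparison between the server certificate's Authority Key Identifier and the CA's Subject Key Identifier, and Jose's point that a certificate directory such as /etc/ssl/certs (what TLS_CACERTDIR points at) is only usable after c_rehash has created the subject-hash link. The script generates its own throwaway CA, a server certificate signed by it, and a second unrelated CA that stands in for "signed with the wrong CA"; all names (TEST, ldap.example.test) are constructed, and it assumes only that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the "unknown CA" failure
# and the two checks discussed above against a throwaway PKI in a temp dir.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to check" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a toy CA (cacert), a server cert signed by it, and an unrelated CA
# (othercert).  Extensions are written explicitly so that basicConstraints and
# the key identifiers are present on every OpenSSL version.  Names are constructed.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >"$d/srv.ext"
    for ca in cacert othercert; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$ca.key" \
            -out "$d/$ca.csr" -subj "/C=BE/O=TEST/CN=$ca" 2>/dev/null
        openssl x509 -req -days 2 -in "$d/$ca.csr" -signkey "$d/$ca.key" \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/C=BE/O=TEST/CN=ldap.example.test" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cacert.key" -CAcreateserial -extfile "$d/srv.ext" \
        -out "$d/servercert.pem" 2>/dev/null
}

# Dieter's check: read a key identifier out of "openssl x509 -text".
# $1 = cert file, $2 = "Subject" or "Authority".  Older releases print the
# AKI as "keyid:AB:CD:..", newer ones without the prefix; both are handled.
key_id() {
    openssl x509 -in "$1" -noout -text \
        | sed -n "/X509v3 $2 Key Identifier/{n;s/^ *//;s/^keyid://;p;}"
}

# True when the server cert ($2) really was issued by the CA ($1).
keyids_match() {
    [ -n "$(key_id "$1" Subject)" ] &&
        [ "$(key_id "$1" Subject)" = "$(key_id "$2" Authority)" ]
}

# What a client with TLS_CACERT=<file> effectively does: verify against one CA file.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# What a client with TLS_CACERTDIR=<dir> does: look the issuer up by subject hash.
dir_ok() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Jose's step, done by hand: c_rehash creates <subject_hash>.0 -> CA file.
rehash_dir() {
    h=$(openssl x509 -in "$2" -noout -subject_hash)
    ln -sf "$(basename "$2")" "$1/$h.0"
}

make_test_pki "$WORK"
mkdir "$WORK/certs" && cp "$WORK/cacert.pem" "$WORK/certs/"

if keyids_match "$WORK/cacert.pem" "$WORK/servercert.pem"; then
    echo "keyid: server AKI equals CA SKI"; fi
if chain_ok "$WORK/cacert.pem" "$WORK/servercert.pem"; then
    echo "chain: OK against the CA that signed it"; fi
if ! chain_ok "$WORK/othercert.pem" "$WORK/servercert.pem"; then
    echo "chain: fails against the wrong CA (the 'unknown CA' alert case)"; fi
if ! dir_ok "$WORK/certs" "$WORK/servercert.pem"; then
    echo "certdir: CA file present but not found before rehash"; fi
rehash_dir "$WORK/certs" "$WORK/certs/cacert.pem"
if dir_ok "$WORK/certs" "$WORK/servercert.pem"; then
    echo "certdir: trusted once the hash link exists"; fi
```

Run it as-is; it needs no root and cleans up after itself. To apply the same checks to a real deployment, point `keyids_match` and `chain_ok` at the CA file named in TLS_CACERT and at the server certificate from slapd.conf: if the AKI/SKI pair differs, the server cert was signed by a different CA than the one the client trusts, which is exactly what the "tlsv1 alert unknown ca" line in the slapd log reports.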