
Re: TLS could not load verify location

agerardin@ariane-ingenierie.net wrote:
Pursuing my long journey on LDAP's tricky tracks, I've met another sphinx... maybe
someone could help find the right answer...

I've tried to set up the TLS protocol on my OpenLdap 2.29 version (Windows). At the
moment, I work on my own machine.
With OpenSSL, I've issued a CA certificate, and a certificate for my server too
(with the cn=localhost:389).

Then I've put these lines in my slapd.conf:
TLSVerifyClient never
TLSCACertificateFile "./../Openssl/bin/autre/cacert.pem"
TLSCertificateFile "./../Openssl/bin/autre/certs/ldapservercert.pem"
TLSCertificateKeyFile "./../Openssl/bin/autre/certs/ldapserverkey.pem"
TLS: could not load verify locations (file:`"./../Openssl/bin/autre/cacert.pem"'

and in my ldap.conf:
URI ldap://localhost:389
TLS_CACERT      "./../Openssl/bin/autre/cacert.pem"
TLS_REQCERT     demand

The thing is that when I run slapd, everything seems fine but when I try
something like:

ldapsearch -x -w admin -D "cn=admin,dc=ariane,dc=net"
-b "dc=ariane,dc=net" (uid=rdupont) -ZZ -d -1

I got an error:

TLS: error:02001003:system library:fopen:No such process bss_file.c:122
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:125
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
ldap_start_tls: Connect error (-11)

However, this file exists (it is recognized by slapd.conf). So I really don't
know what happened. I've tried to regenerate the CA and I've checked the path, but it
didn't work. As far as I understand it, "the fully qualified domain name of the
server" is in my case the "cn=localhost:389" in the server certificate form.
So does someone have a clue about what happened?

No, the file was NOT "recognized by slapd.conf" - you already got a specific error message telling you that slapd could not load those files. What makes you think "TLS: could not load verify locations" means it recognized anything?

You're on Windows. Windows uses a backslash as its directory separator, not a forward slash. Try fixing your pathnames, because it clearly *cannot find the files* using the pathnames you've specified at the moment.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
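A small diagnostic in the spirit of the reply above, added here and not part of the thread or of OpenLDAP itself: it pulls the TLS file directives out of a slapd.conf/ldap.conf snippet, resolves each value the way the daemon would (relative to its working directory, not to the config file), and reports which interpretation, if any, names a real file. The directory layout and config text in `demo()` are constructed to mirror the post; `TLS_FILE_DIRECTIVES` lists the standard OpenLDAP directive names.

```python
import os
import shutil
import tempfile

# Directives whose value is a file path (slapd.conf server side, ldap.conf client side).
TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile",
                       "TLSCertificateKeyFile", "TLS_CACERT", "TLS_CERT", "TLS_KEY")

def parse_tls_paths(conf_text):
    """Return {directive: raw value} for every TLS file directive in the text."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_FILE_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found

def candidate_paths(raw_value, workdir):
    """Interpretations to try: verbatim, without surrounding quotes, and with the
    platform separator. Relative paths resolve against the daemon's working
    directory, not the directory holding the config file."""
    unquoted = raw_value.strip('"\'')
    variants = dict.fromkeys([raw_value, unquoted, unquoted.replace("/", os.sep)])
    return [os.path.normpath(os.path.join(workdir, v)) for v in variants]

def check_tls_files(conf_text, workdir):
    """Map directive -> (first candidate that is a regular file, or None; all tried)."""
    report = {}
    for directive, raw in parse_tls_paths(conf_text).items():
        tried = candidate_paths(raw, workdir)
        report[directive] = (next((p for p in tried if os.path.isfile(p)), None), tried)
    return report

def demo():
    """Constructed layout mirroring the post: slapd runs from <root>/openldap, the CA
    sits one level up under Openssl/bin/autre, and the server cert is absent."""
    root = tempfile.mkdtemp()
    workdir = os.path.join(root, "openldap")
    ca_dir = os.path.join(root, "Openssl", "bin", "autre")
    for d in (workdir, ca_dir):
        os.makedirs(d)
    open(os.path.join(ca_dir, "cacert.pem"), "w").close()  # placeholder CA file
    conf = ('TLSVerifyClient never\n'
            'TLSCACertificateFile "./../Openssl/bin/autre/cacert.pem"\n'
            'TLSCertificateFile "./../Openssl/bin/autre/certs/ldapservercert.pem"\n')
    try:
        return check_tls_files(conf, workdir)
    finally:
        shutil.rmtree(root)
```

Run against a real installation, pass the directory slapd is started from as `workdir`; a directive that resolves only in its unquoted variant, or not at all, is the one the "could not load verify locations" message is complaining about.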