
Re: TLS could not load verify location



According to Howard Chu <hyc@symas.com>:

> agerardin@ariane-ingenierie.net wrote:
> > Hello!
> > Pursuing my long journey on LDAP's tricky tracks, I've met another sphinx...
> > maybe someone could help find the right answer...
> >
> > I've tried to set up the TLS protocol on my OpenLDAP 2.29 version (Windows). At
> > the moment, I work on my own machine.
> > With OpenSSL, I've issued a CA certificate, and a certificate for my server
> > too (with the cn=localhost:389).
> >
> > Then I've put the lines in my slapd.conf:
> > TLSVerifyClient never
> > TLSCACertificateFile "./../Openssl/bin/autre/cacert.pem"
> > TLSCertificateFile "./../Openssl/bin/autre/certs/ldapservercert.pem"
> > TLSCertificateKeyFile "./../Openssl/bin/autre/certs/ldapserverkey.pem"
> > TLS: could not load verify locations (file:`"./../Openssl/bin/autre/cacert.pem"',dir:`').
> >
> > and in my ldap.conf:
> > URI ldap://localhost:389
> > TLS_CACERT      "./../Openssl/bin/autre/cacert.pem"
> > TLS_REQCERT     demand
> >
> > The thing is that when I run slapd, everything seems fine, but when I try
> > something like:
> >
> > ldapsearch -x -w admin -D "cn=admin,dc=ariane,dc=net" -b "dc=ariane,dc=net" (uid=rdupont) -ZZ -d -1
> >
> > I got an error:
> >
> > TLS: error:02001003:system library:fopen:No such process bss_file.c:122
> > TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:125
> > TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
> > ldap_perror
> > ldap_start_tls: Connect error (-11)
> >
> > However, this file exists (it is recognized by the slapd.conf). So I really
> > don't know what happened. I've tried to regenerate the CA and I've checked the
> > path, but it didn't work. As far as I understand it, "the fully qualified domain
> > name of the server" is in my case the "cn=localhost:389" in the server
> > certificate form.
> > So does someone have a clue about what happened?
> >
>
> No, the file was NOT "recognized by slapd.conf" - you already got a
> specific error message telling you that slapd could not load those
> files. What makes you think "TLS: could not load verify locations" means
> it recognized anything?
>
> You're on Windows. Windows uses a backslash as its directory separator,
> not a forward slash. Try fixing your pathnames, because it clearly
> *cannot find the files* using the pathnames you've specified at the moment.
>
> --
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/
>
>

Hi.
I verified my pathnames as you suggested, but the forward slash seems to be the
proper way to define a path (actually, the use of a backslash produces an error on
slapd.conf as you mentioned - could not load the files). The weird thing is
still that slapd seems not to have any problem, whereas ldap.conf cannot find
the file.

TLS: could not load verify locations (file:`"./cacert.pem"',dir:`').
TLS: error:0200107B:system library:fopen:Unknown error bss_file.c:122
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:127
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
ldap_perror
ldap_start_tls: Connect error (-11)


The error X509_load_cert_crl_file:system lib by_file.c:274 made me dig around
it, and I have produced a crl.pem file, but it didn't help.
Again, if the certificate is correct, I can't figure out where the problem lies.

Is there maybe a compatibility problem between OpenSSL 0.98b and OpenLDAP
2.29? I will soon put everything on a Red Hat Linux box; maybe it will fix the bug,
but I wish I could fix the problem before.
If anyone could help me dig further, I would appreciate it... Thanks in advance.
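A small diagnostic, added here and not part of the thread, that reads the CA-file directives from an ldap.conf or slapd.conf text and checks each path the way the TLS library will open it: as the literal token written in the file, including any surrounding quote characters (the error output above shows the quotes inside the file:`...` marker), and relative to the working directory of the process that reads the config. The function names, the sandbox directory, the certificate contents and the config lines are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Directives whose value is handed to OpenSSL as a file name: the client-side
# name used in ldap.conf and the server-side name used in slapd.conf.
CA_DIRECTIVES = {"tls_cacert", "tlscacertificatefile"}


def ca_file_tokens(config_text):
    """Return the value of each CA-file directive exactly as written."""
    tokens = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in CA_DIRECTIVES:
            tokens.append(parts[1].strip())
    return tokens


def diagnose(token, cwd):
    """Check a CA path the way fopen() will see it: literally, relative to cwd."""
    bare = token.strip("\"'")
    return {
        "quoted": bare != token,                       # quote chars become part of the name
        "relative": not os.path.isabs(bare),           # depends on where the process runs
        "literal_exists": Path(cwd, token).is_file(),  # the name fopen() actually receives
        "unquoted_exists": Path(cwd, bare).is_file(),  # the file the admin meant
    }


def demo():
    """Constructed sandbox: a cacert.pem plus the ldap.conf lines from the thread."""
    with tempfile.TemporaryDirectory() as cwd:
        Path(cwd, "cacert.pem").write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n")
        as_posted = 'URI ldap://localhost:389\nTLS_CACERT      "./cacert.pem"\nTLS_REQCERT     demand\n'
        corrected = f"TLS_CACERT {Path(cwd, 'cacert.pem')}\n"  # absolute, unquoted
        return (
            [diagnose(t, cwd) for t in ca_file_tokens(as_posted)],
            [diagnose(t, cwd) for t in ca_file_tokens(corrected)],
        )


if __name__ == "__main__":
    for label, results in zip(("as posted", "absolute, unquoted"), demo()):
        print(label, results)
```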