
TLS verify errors

I've run into an interesting issue where if I set up a .ldaprc for the user running slapd with:

TLS_CACERT /opt/zimbra/conf/ca/ca.pem

slapd will fail to start with:

TLS: could not load client CA list (file:`/opt/zimbra/conf/ca/ca.pem',dir:`').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642

It is not an issue with being able to read the cert as:

cat /opt/zimbra/conf/ca/ca.pem

works just fine. If I change it to TLSCACERTDIR and adjust to a path, then slapd starts just fine, but I can't negotiate STARTTLS for the same reason.

Using openssl to verify the slapd cert (which is signed by this CA) shows everything is correct, as well:

/usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/slapd.crt: OK

I'm not really sure why defining a CA cert for the client to use stops slapd from working, either. Seems rather odd to me.

Thoughts appreciated. ;)



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
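As an added diagnostic for the "PEM_read_bio:no start line" error above (example code, not from the original post or from OpenLDAP), the following script inspects the raw bytes of a CA file and reports the first structural reason OpenSSL's PEM loader would reject it. The file path and the sample byte strings in the test are constructed assumptions.

```python
"""Diagnose why OpenSSL's PEM reader reports "no start line" for a CA file.

Added example (not from the original post). It checks the structure that
PEM_read_bio expects: a "-----BEGIN X-----" line, a base64 body, and a
matching "-----END X-----" line. It does not parse the certificate itself.
"""
import base64
import binascii
import re

BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)
END_RE = re.compile(rb"^-----END ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)


def diagnose_pem(data: bytes) -> str:
    """Return "ok: N block(s)" or a short reason the PEM loader would fail."""
    if not data.strip():
        return "empty file"
    if data.startswith(b"\x30"):
        # A bare ASN.1 SEQUENCE tag means DER encoding; the PEM loader cannot read it.
        return "looks like DER, not PEM (convert with: openssl x509 -inform DER -outform PEM)"
    if data.startswith(b"\xef\xbb\xbf"):
        # A UTF-8 byte-order mark hides the first BEGIN line from a line-oriented reader.
        return "UTF-8 byte-order mark before first line"
    begins = list(BEGIN_RE.finditer(data))
    if not begins:
        return "no '-----BEGIN ...-----' line found"
    count = 0
    for m in begins:
        end = END_RE.search(data, m.end())
        if end is None or end.group(1) != m.group(1):
            return f"BEGIN {m.group(1).decode()} without matching END"
        # Strip all whitespace (handles CRLF and wrapped lines) before decoding the body.
        body = b"".join(data[m.end():end.start()].split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            return f"{m.group(1).decode()} block body is not valid base64"
        count += 1
    return f"ok: {count} block(s)"


def diagnose_file(path: str) -> str:
    """Read a file (e.g. the CA path named in TLS_CACERT) and diagnose it."""
    with open(path, "rb") as fh:
        return diagnose_pem(fh.read())


if __name__ == "__main__":
    import sys
    # Assumed usage: python diagnose_pem.py /opt/zimbra/conf/ca/ca.pem
    print(diagnose_file(sys.argv[1]))
```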