Re: TLS verify errors



Failure on just CAcert could be ownership/permission problems (file vs app). If
there is more than one CA in the "certificate chain", then a single CAcert might
not succeed. If OS X has "ktrace" (or equivalent), it might help to identify
what is being looked for when a single CAcert directive is used.


Quanah Gibson-Mount wrote:
> --On Thursday, August 16, 2007 2:42 PM +0200 Hallvard B Furuseth
> <h.b.furuseth@usit.uio.no> wrote:
> 
>> Quanah Gibson-Mount writes:
>>> TLS_CACERT /opt/zimbra/conf/ca/ca.pem
>>> (...)
>>> If I change it to TLS_CACERTDIR and adjust to a path, (...)
>>
>> If I remember correctly TLS_CACERTDIR needs to be set up with some
>> OpenSSL magic, it's not just a directory into which you can drop
>> certificate files.  Maybe the reverse is true as well, and a cert
>> from a TLS_CACERTDIR does not work in TLS_CACERT.
> 
> 
> Thank you both for your responses.  Interestingly enough, slapd will
> start, and STARTTLS will work, if I create the hash and use TLSCACERTDIR.
> 
> However, why won't it work if I use TLS_CACERT <file> ?  It should be
> perfectly valid, and that actually works for me on every other platform
> I use (Linux).  The only one where this doesn't work is on MAC OS X. 
> Must be a Mac specific bug I guess.
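
Added example, not part of the original thread: a small diagnostic for the three causes raised above (file ownership/permissions, more than one CA in the file, and a CA directory whose entries lack OpenSSL's hashed `<8 hex digits>.<n>` names). The function names, the sample file names and the hash value are hypothetical; run it as the user the server or client runs as.

```python
import os, re, stat, tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# OpenSSL finds certs in a CA directory by file name <subject hash>.<n>;
# the real hash is what `openssl x509 -hash -noout -in <cert>` prints.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

def check_cafile(path):
    """Facts relevant to a TLS_CACERT file: who may read it, how many certs it holds."""
    st = os.stat(path)
    with open(path, "r", errors="replace") as fh:
        count = fh.read().count(PEM_BEGIN)
    return {
        "owner_uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "readable_by_me": os.access(path, os.R_OK),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "cert_count": count,  # >1 means the file carries a chain, not a single CA
    }

def check_cadir(path):
    """Split a TLS_CACERTDIR into entries a hash lookup can find and entries it skips."""
    hashed, unhashed = [], []
    for name in sorted(os.listdir(path)):
        (hashed if HASH_NAME.match(name) else unhashed).append(name)
    return {"hashed": hashed, "unhashed": unhashed}

def demo():
    # Constructed sample: placeholder PEM bodies and a made-up hash name.
    block = PEM_BEGIN + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    d = tempfile.mkdtemp()
    ca = os.path.join(d, "ca.pem")
    with open(ca, "w") as fh:
        fh.write(block * 2)  # root + intermediate in one file
    os.chmod(ca, 0o600)      # readable by the owner only
    os.symlink("ca.pem", os.path.join(d, "0a1b2c3d.0"))
    return check_cafile(ca), check_cadir(d)

if __name__ == "__main__":
    file_info, dir_info = demo()
    print(file_info)
    print(dir_info)
```

A file that shows up only under "unhashed" was dropped into the directory without its hash link, which matches the behaviour described in the quoted replies.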