
Re: Enabling TLS problem on openldap2-2.3.39

Keagle, Chuck wrote, on 22-11-2007 01:32:

> I have yet to even change the error messages when trying:
>
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_result: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Can anyone point out what I have missed here?

You've been trying to knock down a brick wall with your head since before Saturday last week and have so far seemingly got nowhere but bruised and battered. I should try a different approach; I'll give an example.

I don't know SLES at all, I run Red Hat systems. To me the whole concept of multiple hashed certs without proper names in a common folder is horrible. The concept of operating with server certs without them being signed by a (albeit self-generated) common CA cert is horrible. You'll see why below.

On my 4 RHEL5 servers that need certs for OL 2.3 and were installed as upgrades last August, I have done the following:

Designated one server as being the master, on which the CA cert for all of them was made, using the CA.sh utility included with RH's openssl 0.9.8b and installed the cert (named CA.pem) in /etc/certs/CA.

Edited /etc/pki/tls/openssl.cnf to reflect my site's true details and created a single servercert.pem and serverkey.pem (using the CA cert/key I'd created and ensuring the CN in the server cert is actually that of the machine as given in /etc/hosts and DNS and CA.sh) which is to be used for all services on the master. Did 'openssl rsa -in serverkey.pem.orig -out serverkey.pem' to get a "passwordless" key. For slapd installed these in /etc/certs/slapd with owner:group ldap and appropriate permissions.

All other services (e.g http, Postfix etc.) use the same serverkey and servercert, but in different subfolders, with different owners and permissions.

In all files needing any of these (thus also in slapd.conf and ldap.conf) put the paths in. TLS and SSL work on the master for all LDAP-based things needing it ;)

scp -p the necessary subfolders of /etc/CA and /etc/pki/tls/openssl.cnf to each other server that has to run slapd, edit openssl.cnf to reflect the true CN and generate new servercert.pem and serverkey.pem (using the CA cert and key from the master server), make serverkey.pem "passwordless", install to the same folders as on the master. TLS and SSL work ;)

Because the RHEL5 openssl directories are located differently from those on RHAS4 and on my FC6 test machine, it took me half an hour to make the master server's certs. I'd had much experience from RHAS4 and had botched up the cert thing by making a CA cert and server certs with far too short validities (accepting the default) for each server. Using different CA certs for each server meant I had to append the CA cert for each in /etc/certs/CA, and meant replacing these on each server at least once in the two years the site was running RHAS4, which was too much work. I wanted to avoid this for the future, so certs have validities till 2012. Making the server certs and keys for each other server cost me 10 minutes per server and I shall have no more work on certs until the site upgrades to RHEL6, or whatever it happens to be.

HTH, you don't *have* to do everything SuSE's way, just as I don't have to RH's way.


Tony Earnshaw
Email: tonni at hetnet dot nl
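The procedure Tony describes above (one site CA, a server cert whose CN is the host's DNS name, a key re-exported without its passphrase, and the TLS paths in slapd.conf and ldap.conf), carried out with plain openssl commands rather than CA.sh. This is an added example, not the poster's own script: the hostname testsvr.example.com, the subject fields, the scratch directory and the validity period are assumptions for illustration, and the files are written to a temporary directory instead of /etc/certs. The directive names (TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile, TLS_CACERT, TLS_REQCERT) are OpenLDAP's own. The last check shows what a client without the CA cert sees, which is the same "certificate verify failed" class of error as in the quoted ldapsearch; a CN that does not match the name in the ldap:// URI fails the same way, hence the CN check.

```shell
#!/bin/sh
# Added example, not from the original post. Builds one site CA, a server cert
# whose CN is the host's DNS name, a "passwordless" key, and the matching
# slapd.conf / ldap.conf TLS directives. Every path and name here is an
# assumption for illustration; the real install goes under /etc/certs.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory, not /etc/certs
HOST="${HOST:-testsvr.example.com}"   # must equal the name used in ldap://HOST
DAYS=1825                             # long validity, as the post recommends
SUBJ_BASE="/C=NL/O=Example Site"      # assumed site details from openssl.cnf

# Site CA: self-signed, shared by every server that will run slapd.
make_ca() {
    openssl genrsa -out "$WORK/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/CA.key" -days "$DAYS" \
        -subj "$SUBJ_BASE/CN=Example Site CA" -out "$WORK/CA.pem" 2>/dev/null
}

# Server key and cert signed by the site CA. The key is first created with a
# passphrase (as CA.sh would), then re-exported without one so slapd can start
# unattended, which is the 'openssl rsa -in ... -out ...' step from the post.
make_server_cert() {
    openssl genrsa -aes128 -passout pass:secret \
        -out "$WORK/serverkey.pem.orig" 2048 2>/dev/null
    openssl req -new -key "$WORK/serverkey.pem.orig" -passin pass:secret \
        -subj "$SUBJ_BASE/CN=$HOST" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/CA.pem" \
        -CAkey "$WORK/CA.key" -CAcreateserial -days "$DAYS" \
        -out "$WORK/servercert.pem" 2>/dev/null
    openssl rsa -in "$WORK/serverkey.pem.orig" -passin pass:secret \
        -out "$WORK/serverkey.pem" 2>/dev/null
    chmod 400 "$WORK/serverkey.pem"   # in production: chown ldap:ldap as well
}

# Directives the post says to put in slapd.conf and ldap.conf. TLS_REQCERT
# demand makes the client refuse the connection when the server cert cannot
# be verified against TLS_CACERT, which is what the quoted ldapsearch shows.
write_configs() {
    cat > "$WORK/slapd-tls.conf" <<EOF
TLSCACertificateFile  $WORK/CA.pem
TLSCertificateFile    $WORK/servercert.pem
TLSCertificateKeyFile $WORK/serverkey.pem
EOF
    cat > "$WORK/ldap.conf" <<EOF
URI ldap://$HOST
TLS_CACERT $WORK/CA.pem
TLS_REQCERT demand
EOF
}

# Checks worth running before pointing slapd at the files.
verify_chain() {              # server cert chains to the site CA
    openssl verify -CAfile "$WORK/CA.pem" "$WORK/servercert.pem" >/dev/null 2>&1
}
verify_without_ca_fails() {   # a client that lacks CA.pem gets "verify failed"
    ! openssl verify "$WORK/servercert.pem" >/dev/null 2>&1
}
cert_cn() {                   # must print exactly $HOST
    openssl x509 -in "$WORK/servercert.pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
key_is_passwordless() {       # slapd cannot prompt for a passphrase at start-up
    ! grep -q ENCRYPTED "$WORK/serverkey.pem" \
        && grep -q ENCRYPTED "$WORK/serverkey.pem.orig"
}

main() {
    make_ca
    make_server_cert
    write_configs
    verify_chain
    echo "CA and server cert for $(cert_cn) ready in $WORK"
}
main
```

Run it once on the master to produce CA.pem and CA.key; on each further server run only make_server_cert and write_configs against the copied CA files, with HOST set to that server's DNS name, and keep CA.key off any machine that does not need to sign.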