[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS Certificate Issue

To: openldap-software@openldap.org
Subject: TLS Certificate Issue
From: "Jon Fink" <jon.fink@gmail.com>
Date: Sun, 10 Feb 2008 13:50:28 -0500
Content-disposition: inline

After recently upgrading to a newer version of openldap I'm
experiencing problems with start_tls on a connection to the slapd
server.  I'm fairly certain that the certificate is setup correctly.
In fact the following command works properly from a remote client:

ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b
'ou=People,dc=group' '(objectClass=*)'

but when I run exactly the same command *on* the server I get the the
following error (with debug flags turned on):

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer:
/CN=GROUP_CA/ST=PA/C=US/O=GROUP
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)

I feel like this may be related somehow to the FQDN resolution on the
server, but I've tried a few permutations of hostname setup to no
avail (is there a way to confirm that this is the issue?)

Any thoughts?

Thanks,
Jon

Versions:
slapd 2.4.7
openldap 2.4.7
openssl 0.9.8

Follow-Ups:
- Re: TLS Certificate Issue
  - From: Howard Chu <hyc@symas.com>
- Re: TLS Certificate Issue
  - From: "Digambar Sawant" <digambar49@gmail.com>

Prev by Date: Mixing Alias and posixAccount object class
Next by Date: Re: TLS Certificate Issue
Index(es):
- Chronological
- Thread