Re: TLS Certificate Issue



Thanks for the reply - it turns out I was the victim of Debian's
package management deciding to install a version of ldapsearch that
suddenly looks in /usr/etc/openldap/ for configuration files.  I
didn't notice this on the server because it was defaulting to connect
to localhost.  Obviously, my CA certificate was not listed in this
default (blank) configuration file...

-Jon

On Feb 10, 2008 2:51 PM, Howard Chu <hyc@symas.com> wrote:
> Jon Fink wrote:
> > After recently upgrading to a newer version of openldap I'm
> > experiencing problems with start_tls on a connection to the slapd
> > server.  I'm fairly certain that the certificate is setup correctly.
>
> Which "the certificate" are you talking about? There are always at least two
> in a correctly configured TLS installation.
>
> > In fact the following command works properly from a remote client:
> >
> > ldapsearch -ZZ -LLL -x -W -h ldapserver.domain -D "cn=nss,dc=group" -b
> > 'ou=People,dc=group' '(objectClass=*)'
> >
> > but when I run exactly the same command *on* the server I get the
> > following error (with debug flags turned on):
> >
> > TLS trace: SSL_connect:before/connect initialization
> > TLS trace: SSL_connect:SSLv2/v3 write client hello A
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 0, err: 20, subject:
> > /CN=ldapserver.domain /ST=PA/C=US/O=GRP, issuer:
> > /CN=GROUP_CA/ST=PA/C=US/O=GROUP
> > TLS certificate verification: Error, unable to get local issuer certificate
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
> > ldap_err2string
> > ldap_start_tls: Connect error (-11)
> >
> > I feel like this may be related somehow to the FQDN resolution on the
> > server, but I've tried a few permutations of hostname setup to no
> > avail (is there a way to confirm that this is the issue?)
>
> It's quite easy to confirm that it is NOT the issue. The error message clearly
> says that the CA is unknown. The client was unable to find the certificate
> corresponding to the CA that signed the server certificate.
>
>
> > Any thoughts?
> >
> > Thanks,
> > Jon
> >
> > Versions:
> > slapd 2.4.7
> > openldap 2.4.7
> > openssl 0.9.8
> >
>
>
> --
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP     http://www.openldap.org/project/
>
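Howard's point (the client cannot find the certificate of the CA that signed the server certificate) can be reproduced offline with the openssl command-line tool. This is an added example, not code from the thread: it builds a throwaway CA, an unrelated second CA and a server certificate (all names constructed), then runs the same chain verification ldapsearch performs with TLS_CACERT, once against the signing CA and once against the wrong one; the second case yields verify error 20, the number in Jon's trace.

```shell
#!/bin/sh
# Added example (not from the thread). All subjects and file names are constructed.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# A throwaway CA, an unrelated second CA, and a server certificate signed by the first.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=EXAMPLE_CA/O=EXAMPLE" \
  -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OTHER_CA/O=OTHER" \
  -keyout "$work/other.key" -out "$work/other_ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldapserver.example" \
  -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$work/server.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
  -CAcreateserial -out "$work/server.pem" 2>/dev/null

# verify_with_cafile CAFILE: exit 0 when server.pem chains to a CA listed in CAFILE.
# This is the same check the ldap client runs with the file named by TLS_CACERT.
verify_with_cafile() {
  openssl verify -CAfile "$1" "$work/server.pem" >/dev/null 2>&1
}

# verify_error_code CAFILE: print the numeric X509 verify error, or nothing on success.
# 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, printed by OpenSSL as
# "unable to get local issuer certificate", i.e. the CA is not in the configured store.
verify_error_code() {
  openssl verify -CAfile "$1" "$work/server.pem" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

if verify_with_cafile "$work/ca.pem"; then
  echo "signing CA configured: verification OK"
fi
echo "unrelated CA configured: verify error $(verify_error_code "$work/other_ca.pem")"
```

Pointing the client at a file that simply lacks the signing CA (an empty or default ldap.conf, as in Jon's case) produces the same error 20 as pointing it at the wrong CA.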