
openldap failing to launch if SSL/TLS enabled. error "main: TLS init def ctx failed: -1" ?



i've installed openldap.  starts fine without SSL/TLS.

if SSL/TLS is enabled, slapd fails to launch @ error: "main: TLS init def ctx failed: -1".

googling the issue, suggestions are cert problems.  mine, i believe, are OK.

any ideas as to what the problem is?

here's what i've done/checked so far:

i've installed openldap from rpms,

 rpm -qa | grep openldap
  openldap2-back-perl-2.4.11-5.1
  openldap2-client-2.4.11-6.1
  openldap2-2.4.11-5.1
  openldap2-back-meta-2.4.11-5.1

without TLS/SSL, the service starts,

 service ldap start
  Starting ldap-server                                                  done

 ps ax | grep slapd
  6062 ?        S<sl   0:00 /usr/lib/openldap/slapd -h ldap://   -f
/etc/openldap/slapd.conf -u ldap -g ldap -4 -o slp=on

if i add TLS/SSL config to /etc/openldap/slapd.conf,

 ...
 TLSCertificateFile    /etc/apache2/ssl.crt/svr.crt
 TLSCertificateKeyFile /etc/apache2/ssl.key/svr.key
 TLSCACertificateFile  /etc/apache2/ssl.crt/ca.crt
 TLSCipherSuite        TLSv1+HIGH:!aNULL:@STRENGTH
 TLSVerifyClient       never
 ...

service fails to start,

 service ldap start
  Starting ldap-server                                                  failed

and log reports,

 Aug 15 10:02:01 auth slapd[6139]: main: TLS init def ctx failed: -1
 Aug 15 10:02:01 auth slapd[6139]: slapd destroy: freeing system resources.
 Aug 15 10:02:01 auth slapd[6139]: slapd stopped.
 Aug 15 10:02:01 auth slapd[6139]: connections_destroy: nothing to destroy.
 Aug 15 10:02:01 auth slapd[6139]: daemon: SLPDereg(ldap://) failed with -20, cookie = 0

the certs/keys i'm using are used in my apache server,

 SSLCertificateFile    /etc/apache2/ssl.crt/svr.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/svr.key
 SSLCACertificateFile  /etc/apache2/ssl.crt/ca.crt
 SSLCipherSuite        TLSv1+HIGH:!aNULL:@STRENGTH
 SSLVerifyClient       none
 SSLVerifyDepth        1

and SSL works there without problem.

the keys & certs check out ok,

------
openssl rsa -noout -text -in "/etc/apache2/ssl.key/svr.key"
Private-Key: (2048 bit)
modulus:
    00:d2:3e:45:1c:09:10:d2:a1:c6:61:c2:fa:ad:35:
    ...
    23:97
publicExponent: 65537 (0x10001)
privateExponent:
    00:b0:82:00:e9:69:9f:0b:07:30:93:30:eb:dd:f1:
    ...
    48:01
prime1:
    00:ea:8e:ea:13:2c:71:be:3c:68:8b:5e:7a:c8:1e:
    ...
    cf:ea:b4:92:2a:e5:14:1c:01
prime2:
    00:e5:76:57:25:91:72:eb:ac:19:74:9a:2d:85:65:
    ...
    a9:81:b0:7f:b4:f3:f1:9f:97
exponent1:
    06:2b:94:44:c4:da:89:22:95:ad:74:e2:cd:f8:dd:
    ...
    62:95:35:73:23:6b:90:01
exponent2:
    1a:a4:1f:c0:1b:e0:04:de:c9:61:d1:58:c1:a9:2c:
    ...
    44:e6:72:1d:57:49:51:67
coefficient:
    12:11:93:09:34:3e:ae:41:2d:dc:78:f3:11:e0:da:
    ...
    73:80:99:ec:78:b3:4c:90

openssl x509 -noout -text -in "/etc/apache2/ssl.crt/ca.crt"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12...21 (0x...5d)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
        Validity
            Not Before: Aug 15 02:43:41 2008 GMT
            Not After : Aug 15 02:43:41 2009 GMT
        Subject: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:f3:ee:cf:21:bc:49:59:1a:e0:62:5b:df:87:9e:
                    ...
                    9b:fb:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                SS ROOT CA CERT
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Netscape Cert Type:
                SSL CA, S/MIME CA
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                3B:...:32
            X509v3 Authority Key Identifier:
                keyid:3B:...:32
                DirName:/C=US/ST=ST/L=CITY/O=TEST/OU=TEST/CN=TEST_CA
                serial:48:...:5D

    Signature Algorithm: sha512WithRSAEncryption
        da:02:bb:96:3a:72:83:73:15:8c:c9:1d:1d:41:47:2c:9e:7b:
        ...
        70:d0:ac:96:09:7d:28:e2

openssl x509 -noout -text -in "/etc/apache2/ssl.crt/svr.crt"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=TEST_CA
        Validity
            Not Before: Aug 15 02:49:19 2008 GMT
            Not After : Aug 15 02:49:19 2009 GMT
        Subject: C=US, ST=ST, L=CITY, O=TEST, OU=TEST, CN=*.testdomain.net/emailAddress=postmaster@testdomain.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d2:3e:45:1c:09:10:d2:a1:c6:61:c2:fa:ad:35:
                    ...
                    23:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: critical
                Code Signing, Time Stamping, TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                00:...:1B
            X509v3 Authority Key Identifier:
                keyid:3B:...:32

    Signature Algorithm: sha512WithRSAEncryption
        5b:56:cb:38:40:62:ae:13:9a:e7:c3:d8:a9:2f:e6:04:fc:32:
        ...
        ff:29:74:52:73:28:fa:ca
------