Re: ldap not finding internal CA?
- To: Kurt Yoder <ktyopenldap@yoderhome.com>
- Subject: Re: ldap not finding internal CA?
- From: Mathias Gug <mathiaz@ubuntu.com>
- Date: Wed, 17 Jun 2009 21:13:37 -0400
- Cc: openldap-technical@openldap.org
- In-reply-to: <49D444AA-F05A-4836-84C4-FA64FA0F68B7@yoderhome.com>
- References: <49D444AA-F05A-4836-84C4-FA64FA0F68B7@yoderhome.com>
Hi Kurt,
On Wed, Jun 17, 2009 at 7:26 PM, Kurt Yoder <ktyopenldap@yoderhome.com> wrote:
> Some background: I have set up my own CA and generated a certificate for it,
> which the LDAP server is using. Without specifying this CA, I get
> "self-signed certificate" errors when connecting:
>
> root@host:# openssl s_client -connect my.ldap.server:636 -showcerts
> CONNECTED(00000003)
> <... trimmed certificate information ...>
> verify error:num=19:self signed certificate in certificate chain
>
[...]
> My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had the
> same message about self-signed certificates on previous Ubuntu versions, but
> querying ldap with "TLS_REQCERT demand" works fine.
As Howard mentioned, this should have been fixed in 2.4.16. However,
could you try to put both the CA certificate *and* the server
certificate in the cert.file used by the slapd server (that way the
whole CA chain is sent to the client by gnutls)?
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
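The chain-file arrangement Mathias suggests, as an added example that is not part of the thread or of OpenLDAP's own code. The script builds a throw-away internal CA and a server certificate with the openssl CLI (assumed to be installed), writes the server certificate followed by the CA into one chain file in the order TLS expects, and then runs the same path validation a client configured with TLS_CACERT would perform. All names (the CA subject, my.ldap.server, the work directory) are constructed for the example.

```shell
#!/bin/sh
# Build a slapd certificate chain file (server cert first, then the issuing
# CA) and check that it validates against that CA. Constructed example:
# nothing here is OpenLDAP's code, and all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki DIR: create a throw-away private CA and a server
# certificate signed by it (the "internal CA" set-up from the thread).
make_test_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=my.ldap.server" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.pem" >/dev/null 2>&1
}

# build_chain OUT SERVER_CERT CA_CERT: concatenate in end-entity-first
# order. This OUT file is what TLSCertificateFile in slapd.conf would
# point at, so the server sends the whole chain during the handshake.
build_chain() {
  cat "$2" "$3" > "$1"
}

# cert_count FILE: number of PEM certificate blocks in FILE
# (2 for a complete server+CA chain file).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_server CHAIN CA: exit 0 if the certificate(s) in CHAIN validate
# against CA. This mirrors a client whose ldap.conf has
#   TLS_CACERT  /path/to/internal-ca.pem
#   TLS_REQCERT demand
verify_server() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_without_ca CERT: exit 0 only if CERT validates against the
# system trust store alone, which a private CA's certificate will not.
verify_without_ca() {
  openssl verify "$1" >/dev/null 2>&1
}

# Stand-alone demonstration.
make_test_pki "$WORK"
build_chain "$WORK/chain.pem" "$WORK/server.pem" "$WORK/ca.pem"
echo "certificates in chain file: $(cert_count "$WORK/chain.pem")"
if verify_server "$WORK/chain.pem" "$WORK/ca.pem"; then
  echo "chain verifies when the client trusts the internal CA"
fi
if ! verify_without_ca "$WORK/server.pem"; then
  echo "server cert does not verify without the internal CA (expected)"
fi
```

On the slapd side the chain file goes in TLSCertificateFile and the key stays in TLSCertificateKeyFile; the client still has to trust the internal CA explicitly (TLS_CACERT in ldap.conf), because a "self signed certificate in certificate chain" verify error means the CA certificate did arrive in the chain but is not in the client's trust store.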