[Date Prev][Date Next] [Chronological] [Thread] [Top]

getting ca/ca subordinate cert to work with openldap

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: getting ca/ca subordinate cert to work with openldap
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Date: Mon, 8 Mar 2010 13:55:51 -0700
Accept-language: en-US
Acceptlanguage: en-US
Content-language: en-US
Thread-index: Acq/ADDdPa+amXaSR4OBH1XWnl/a0Q==
Thread-topic: getting ca/ca subordinate cert to work with openldap

Hello,

I'm having a heck of a time getting certs to function correctly.  This server is being setup with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch).

We have a root CA, with a subordinate CA used to sign the cert our ldap server is using.

I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5) - root first, sub second.

I have both (also in the same order) in the cacert.pem used by slapd.conf.  TLS directives:
TLSCACertificateFile    /etc/openldap/cacerts/cacert.pem
TLSCertificateFile      /etc/openldap/cacerts/ldapcrt.pem
TLSCertificateKeyFile   /etc/openldap/cacerts/ldapkey.pem

When I test the cacert.pem file or the ldapcrt.pem file using "openssl verify [cert]", everything comes back with OK (I tested removing those from the ca-bundle.crt file and they fail - those are below too).  I have those certs available separately and tested them too.

------ Test with CA and Sub-CA in ca-bundle.crt ------
# openssl verify cacert.pem
cacert.pem: OK
#  openssl verify ldapcrt.pem
ldapcrt.pem: OK
# openssl verify carootcrt.pem
carootcrt.pem: OK
# openssl verify casubcrt.pem
casubcrt.pem: OK

------ Test without CA and Sub-CA in ca-bundle.crt ------
# openssl verify cacert.pem
cacert.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
error 18 at 0 depth lookup:self signed certificate
OK
# openssl verify ldapcrt.pem
corp-ldapcrt.pem: [verify specific cert subject snipped]
error 20 at 0 depth lookup:unable to get local issuer certificate
# openssl verify carootcrt.pem
carootcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
error 18 at 0 depth lookup:self signed certificate
OK
# openssl verify casubcrt.pem
casubcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Subordinate CA
error 20 at 0 depth lookup:unable to get local issuer certificate

I'm using OpenLDAP build: 2.4.21 built with the following options:
./configure --with-tls=openssl \
            --enable-crypt \
            --enable-dynamic \
            --enable-ldap \
            --enable-lmpasswd \
            --enable-modules \
            --enable-overlays \
            --enable-spasswd \
            --sysconfdir=/etc

After loading ldif data from our older 2.2 openldap servers, I verified the data was there using Apache Directory Studio (even got some work done on removing/re-adding/comparing ldifs).

Ldapsearch though is another beast all together though.

# ldapsearch -H ldaps://localhost/
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

If you're interested in more details:

# ldapsearch -H ldaps://localhost/ -d5
ldap_url_parse_ext(ldaps://localhost/)
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA, issuer: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

Help?
- chris

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

Follow-Ups:
- Re: getting ca/ca subordinate cert to work with openldap
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: DNS discovery for OpenLDAP?
Next by Date: LDAP_MOD_BVALUES / "Binary option"
Index(es):
- Chronological
- Thread