
Re: mis-identified self-signed cert



Chuck Theobald wrote:
Built openldap 2.4.40 from source, trying to replicate the directory
structure used by RHEL, but using openssl instead of nss. Various
dir-placement options to configure got me to a standard RHEL (and
typical Linux) structure.

I am now trying to start using the /etc/init.d/slapd script from a
mostly-working (sans TLS) RHEL installation, but startup fails.
Silently. This may be because slapd cannot read the private server key
file, but should this not be read before changing the effective running
user to ldap? I would like my slapd to be running as something other
than user 0.

Anyway, I managed to prop up a server from the command line:

slapd -F ./slapd.d

but now cannot talk to it with TLS enabled:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, err: 19, subject:
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP
Network/CN=AddTrust External CA Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate in certificate chain).
ldap_err2string
ldap_start_tls: Connect error (-11)
     additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate in certificate chain)
Enter LDAP Password:

The server cert and ca certs I am using are not self-signed, at least by
me, and were obtained through Internet2 via our University's central IS
department. The same certs are working fine with the web server on my
machine. I think the key clue is the "unknown CA" in the messages above.

But, how to solve?

You need to configure your LDAP client to trust that particular CA.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
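A small triage helper for the trace quoted above, added here as an example (not code from the thread, from OpenLDAP or from Symas): it rejoins the mail-wrapped `ldapsearch -d 1` output, pulls out the failing depth, OpenSSL verify error code and subject, and, for err 19 on a self-signed root, points at the `TLS_CACERT` directive in ldap.conf. The CA bundle path is a placeholder assumption.

```python
import re
# Subset of OpenSSL's X509 verify result codes as they appear in libldap's
# "TLS certificate verification: depth: N, err: E" lines (ldapsearch -d 1).
X509_VERIFY_ERRORS = {
    18: "DEPTH_ZERO_SELF_SIGNED_CERT (the server's own cert is self-signed)",
    19: "SELF_SIGNED_CERT_IN_CHAIN (the chain's root is not in the client trust store)",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY (an issuer cert is missing on the client)",
}
RECORD_RE = re.compile(r"depth: (\d+), err: (\d+), subject: (.*), issuer: (.*)")

def unwrap_trace(text):
    """Rejoin records that a mailer or terminal wrapped onto several lines;
    a line starts a new record only if it begins with 'TLS' or 'ldap'."""
    records = []
    for line in text.splitlines():
        if line.startswith(("TLS", "ldap")) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def diagnose(text):
    """Return the first failing verification record (err != 0) explained,
    or None when every certificate in the chain verified."""
    for rec in unwrap_trace(text):
        m = RECORD_RE.search(rec)
        if not m or int(m.group(2)) == 0:
            continue
        subject, issuer, err = m.group(3).strip(), m.group(4).strip(), int(m.group(2))
        return {"depth": int(m.group(1)), "err": err,
                "meaning": X509_VERIFY_ERRORS.get(err, "unlisted; see verify(1)"),
                # subject == issuer marks a root (self-signed) certificate
                "subject": subject, "is_root": subject == issuer}
    return None

def remediation(diag, cacert_path="/etc/openldap/certs/ca-bundle.pem"):
    """Suggest the client-side fix; cacert_path is a placeholder assumption."""
    if diag is None:
        return "chain verified; no client-side trust change needed"
    if diag["err"] == 19 and diag["is_root"]:
        return (f"append the root '{diag['subject']}' to {cacert_path} and set "
                f"'TLS_CACERT {cacert_path}' in ldap.conf or ~/.ldaprc")
    return f"err {diag['err']}: {diag['meaning']}; inspect the chain the server sends"

# Constructed sample: the thread's trace, wrapped the way the mail was.
SAMPLE_TRACE = """TLS certificate verification: depth: 3, err: 19, subject:
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP
Network/CN=AddTrust External CA Root
TLS trace: SSL3 alert write:fatal:unknown CA"""
```

Running `remediation(diagnose(SAMPLE_TRACE))` names the AddTrust root as the certificate the client must trust; a trace whose verification lines all carry err 0 yields no suggestion.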