[Date Prev][Date Next] [Chronological] [Thread] [Top]

mis-identified self-signed cert

To: openldap-technical@openldap.org
Subject: mis-identified self-signed cert
From: Chuck Theobald <chuckt@uoregon.edu>
Date: Thu, 23 Apr 2015 11:05:15 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.5.0

Built openldap 2.4.40 from source, trying to replicate the directorystructure used by RHEL, but using openssl instead of nss. Variousdir-placement options to configure got me to a standard RHEL (andtypical Linux) structure.

I am now trying to start using the /etc/init.d/slapd script from amostly-working (sans TLS) RHEL installation, but startup fails.Silently. This may be because slapd cannot read the private server keyfile, but should this not be read before changing the effective runninguser to ldap? I would like my slapd to be running as something otherthan user 0.


Anyway, I managed to prop up a server from the command line:

slapd -F ./slapd.d

but now cannot talk to it with TLS enabled:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A

TLS certificate verification: depth: 3, err: 19, subject:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTPNetwork/CN=AddTrust External CA RootTLS certificate verification: Error, self signed certificate incertificate chain

TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B

TLS: can't connect: error:14090086:SSLroutines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (selfsigned certificate in certificate chain).

ldap_err2string
ldap_start_tls: Connect error (-11)

additional info: error:14090086:SSLroutines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (selfsigned certificate in certificate chain)

Enter LDAP Password:

The server cert and ca certs I am using are not self-signed, at least byme, and were obtained through Internet2 via our University's central ISdepartment. The same certs are working fine with the web server on mymachine. I think the key clue is the "unknown CA" in the messages above.


But, how to solve?

--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345

Follow-Ups:
- Re: mis-identified self-signed cert
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Antw: Re: Slapd running very slow
Next by Date: Re: LMDB usage with long or variable length keys
Index(es):
- Chronological
- Thread