can't use godaddy SSL cert

Erik Norgaard norgaard at locolomo.org
Thu Nov 25 17:10:25 UTC 2010 

On 25/11/10 17.26, bluethundr wrote:

> I have setup the certificate chain in my slapd.conf like so:
>
> [root at LBSD2:/usr/home/bluethundr]#grep -i tls
> /usr/local/etc/openldap/slapd.conf## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to it's CA:
>
> -rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
> -r--r-----  1 root  ldap        4604 Nov 24 18:57 gd_bundle.crt
> -r--r-----  1 root  ldap        1537 Nov 25 02:00 sf_issuing.crt

As mentioned in my previous mail, there is no need to specify 
TLSCACertificateFile in slapd.conf unless your server will request 
client certificate for authentication. Nor is there any point in trying 
multiple files, you can concatenate the CA certificates into a single fiel.

Since these are certificates you can leave global read access.

> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root at LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
> ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:

Can't find sf_issuing.crt, well, from your CWD it appears that the 
certificate is not found in that path.

> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject:
> /O=LBSD2.summitnjhome.com/OU=Domain Control
> Validated/CN=LBSD2.summitnjhome.com, issuer:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
>    0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> 	additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to it's CA...
>
> does anyone have any suggestions on how to make this work?

No. I assume that your hostname is the CN indicated above, so your -h is 
not the issue. When you do -ZZ then ldapsearch will fail if it cannot 
validate the certificate. You can try with a single -Z to see if it works.

You have not included your ldap.conf above, the ldapsearch reads 
ldap.conf, including where to find any ca certificates. Either you have 
not installed the godaddy CA certificate or not updated our ldap.conf 
accordingly.

BR, Erik

More information about the freebsd-questions mailing list