can't use godaddy SSL cert
Erik Norgaard
norgaard at locolomo.org
Thu Nov 25 17:10:25 UTC 2010
On 25/11/10 17.26, bluethundr wrote:
> I have setup the certificate chain in my slapd.conf like so:
>
> [root at LBSD2:/usr/home/bluethundr]#grep -i tls
> /usr/local/etc/openldap/slapd.conf## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to it's CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
As mentioned in my previous mail, there is no need to specify
TLSCACertificateFile in slapd.conf unless your server will request
client certificate for authentication. Nor is there any point in trying
multiple files, you can concatenate the CA certificates into a single fiel.
Since these are certificates you can leave global read access.
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root at LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
> ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
Can't find sf_issuing.crt, well, from your CWD it appears that the
certificate is not found in that path.
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject:
> /O=LBSD2.summitnjhome.com/OU=Domain Control
> Validated/CN=LBSD2.summitnjhome.com, issuer:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to it's CA...
>
> does anyone have any suggestions on how to make this work?
No. I assume that your hostname is the CN indicated above, so your -h is
not the issue. When you do -ZZ then ldapsearch will fail if it cannot
validate the certificate. You can try with a single -Z to see if it works.
You have not included your ldap.conf above, the ldapsearch reads
ldap.conf, including where to find any ca certificates. Either you have
not installed the godaddy CA certificate or not updated our ldap.conf
accordingly.
BR, Erik
More information about the freebsd-questions
mailing list