From: Erik Norgaard <norgaard@locolomo.org>
Date: Thu, 25 Nov 2010 18:10:21 +0100
To: freebsd-questions@freebsd.org
Subject: Re: can't use godaddy SSL cert
Message-ID: <4CEE987D.9040008@locolomo.org>
List-Id: User questions

On 25/11/10 17.26, bluethundr wrote:
> I have setup the certificate chain in my slapd.conf like so:
>
> [root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt

As mentioned in my previous mail, there is no need to specify
TLSCACertificateFile in slapd.conf unless your server will request a
client certificate for authentication. Nor is there any point in trying
multiple files; you can concatenate the CA certificates into a single
file. Since these are certificates, you can leave global read access.

> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Can't find sf_issuing.crt; well, from your CWD it appears that the
certificate is not found in that path.

> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
>
> does anyone have any suggestions on how to make this work?

No. I assume that your hostname is the CN indicated above, so your -h is
not the issue. When you do -ZZ, ldapsearch will fail if it cannot
validate the certificate. You can try with a single -Z to see if it works.

You have not included your ldap.conf above; ldapsearch reads ldap.conf,
including where to find any CA certificates. Either you have not
installed the GoDaddy CA certificate or not updated your ldap.conf
accordingly.

BR, Erik
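The chain-verification failure Erik is diagnosing (err 20, "unable to get local issuer certificate") and his advice to concatenate the CA certificates into one file, as an added example that is not part of this thread: a POSIX shell script that builds a throw-away root -> issuing CA -> server chain with openssl and checks which CA file lets the server certificate verify. It assumes `openssl` is in PATH; every name in it (demo-root, demo-issuing, ldap.example.com) is made up.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away root -> issuing CA ->
# server chain, then checks which CA file lets the server cert verify.
# Names (demo-root, demo-issuing, ldap.example.com) are made up.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"

# Minimal req config so this does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.com
EOF

q() { "$@" >/dev/null 2>&1 || { echo "failed: $*" >&2; exit 1; }; }  # run quietly
q openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=demo-root -extensions ca_ext -keyout root.key -out root.crt
q openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj /CN=demo-issuing -keyout issuing.key -out issuing.csr
q openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile req.cnf -extensions ca_ext -out issuing.crt
q openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj /CN=ldap.example.com -keyout server.key -out server.csr
q openssl x509 -req -in server.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 1 -extfile req.cnf -extensions leaf_ext -out server.crt

# One file holding every CA cert in the chain, instead of trying them one by one.
cat root.crt issuing.crt > ca_bundle.crt

# verify_err CAFILE CERT -> prints 0 when the chain verifies, else the X509 error number.
verify_err() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

echo "root only:     $(verify_err root.crt server.crt)"       # 20: issuing CA missing
echo "issuing only:  $(verify_err issuing.crt server.crt)"    # 2: no trust anchor above it
echo "ca bundle:     $(verify_err ca_bundle.crt server.crt)"  # 0: chain verifies
# ldap.conf then needs TLS_CACERT pointing at ca_bundle.crt by absolute path,
# otherwise ldapsearch -ZZ fails exactly as in the trace above.
```

The same bundle is what TLSCACertificateFile in slapd.conf would point at if the server ever needs to verify client certificates.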