Date:      Thu, 25 Nov 2010 11:55:39 -0500
From:      John Almberg <jalmberg@identry.com>
To:        bluethundr <bluethundr@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: can't use godaddy SSL cert
Message-ID:  <2A647C97-7567-4606-8076-5D2D565DD2BE@identry.com>
In-Reply-To: <AANLkTi=N7Q-dYV5=kmzeSMHgJBuXWMLp7rvLnJMd_n-a@mail.gmail.com>
References:  <AANLkTi=N7Q-dYV5=kmzeSMHgJBuXWMLp7rvLnJMd_n-a@mail.gmail.com>

Don't know if this applies, but I had to install the intermediate cert to get the godaddy Certs to work. You can download it from the gd website.

-- John

Sent from my iPhone, so may be a bit brief.

On Nov 25, 2010, at 11:26, bluethundr <bluethundr@gmail.com> wrote:

> Hey list,
>
> I was having a similar SSL/openLDAP problem to this last week. I had
> a chance to look at this again today and it still appears to not be
> working. I called godaddy and had the last cert cancelled and reissued
> as I had mis-typed the name of the CN on the last one.
>
> I am trying to setup a Godaddy turbo SSL certificate with an openLDAP
> 2.4 server under FreeBSD 8.1.
>
> [root@LBSD2:/usr/home/bluethundr]#pkg_info | grep openldap
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
>
> I have setup the certificate chain in my slapd.conf like so:
>
> [root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
> -r--r-----  1 root  ldap        4604 Nov 24 18:57 gd_bundle.crt
> -r--r-----  1 root  ldap        1537 Nov 25 02:00 sf_issuing.crt
>
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject:
> /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
>  0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>    additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
>
> does anyone have any suggestions on how to make this work?
>
> thanks!
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
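The failure in the quoted ldapsearch trace ("err: 20 ... unable to get local issuer certificate", followed by the client's fatal "unknown CA" alert) is exactly what a verifier prints when the server presents only its leaf certificate and the client trusts only the root, so the chain cannot be completed. The script below is an added example, not code from this thread, from OpenLDAP or from GoDaddy: it builds a throwaway root -> intermediate -> leaf hierarchy with openssl (the subject names, ldap.example.com and the mktemp working directory are all made up for the demo), reproduces the error 20 verdict with the root alone, then shows that handing the verifier the intermediate, either directly or by reading it out of a leaf+intermediate bundle of the kind a server should present, turns the verdict into OK.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the "unable to get
# local issuer certificate" failure with a throwaway root -> intermediate ->
# leaf hierarchy, then show that supplying the intermediate fixes it and how
# to build the bundle a server should present. All names here are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Sign a CSR with the given issuer cert/key and extension file.
sign() {   # sign <csr> <issuer.crt> <issuer.key> <extfile> <out.crt>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -sha256 -extfile "$4" -out "$5" >/dev/null 2>&1
}

make_chain() {
  # CA certificates must carry basicConstraints CA:TRUE or verify rejects them.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\n' \
    > "$WORK/leaf.ext"

  for n in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$n.key" \
      -out "$WORK/$n.csr" -subj "/CN=demo $n" >/dev/null 2>&1
  done
  # Self-signed root (the trust anchor the client is configured with).
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 365 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  sign "$WORK/intermediate.csr" "$WORK/root.crt" "$WORK/root.key" \
    "$WORK/ca.ext" "$WORK/intermediate.crt"
  sign "$WORK/leaf.csr" "$WORK/intermediate.crt" "$WORK/intermediate.key" \
    "$WORK/leaf.ext" "$WORK/leaf.crt"
  # The bundle a server should present: leaf first, then the intermediate(s).
  cat "$WORK/leaf.crt" "$WORK/intermediate.crt" > "$WORK/chain.crt"
}

# Reduce openssl verify's output to a verdict so the cases are easy to compare.
classify() {
  out="$(openssl verify "$@" 2>&1 || true)"
  case "$out" in
    *"unable to get local issuer certificate"*) echo MISSING_INTERMEDIATE ;;
    *": OK"*) echo OK ;;
    *) echo "OTHER: $out" ;;
  esac
}

# Only the root trusted and nothing else offered: the error 20 from the thread.
verify_without_intermediate() {
  classify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"
}

# Intermediate supplied as an untrusted chain cert (what the server should send).
verify_with_intermediate() {
  classify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" "$WORK/leaf.crt"
}

# Same check, but taking the intermediate out of the server bundle file
# (leaf + intermediate), the way a client sees it during the handshake.
verify_with_bundle() {
  classify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.crt" "$WORK/leaf.crt"
}

make_chain
echo "root only:          $(verify_without_intermediate)"
echo "with intermediate:  $(verify_with_intermediate)"
echo "with server bundle: $(verify_with_bundle)"
```

Two caveats when repeating the check against a real server. First, the `-CAfile` given to openssl must exist on the host where the command runs (the quoted s_client attempt failed to open sf_issuing.crt before the handshake even started) and must be the real trust root, not the leaf. Second, port 389 speaks plain LDAP and upgrades with StartTLS, so a bare `openssl s_client -connect host:389` will not get a TLS handshake; test the ldaps port instead, or use `-starttls ldap`, which OpenSSL added in 1.1.1. Which slapd.conf directive should carry the intermediate depends on the OpenLDAP release and TLS library in use; check slapd.conf(5) for the installed version rather than assuming it is the same file as the leaf.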


