From: John Almberg
Date: Thu, 25 Nov 2010 11:55:39 -0500
To: bluethundr
Cc: freebsd-questions
Subject: Re: can't use godaddy SSL cert
Message-Id: <2A647C97-7567-4606-8076-5D2D565DD2BE@identry.com>

Don't know if this applies, but I had to install the intermediate cert to get the godaddy Certs to work. You can download it from the gd website.
--
John

Sent from my iPhone, so may be a bit brief.

On Nov 25, 2010, at 11:26, bluethundr wrote:

> Hey list,
>
> I was having a similar SSL/openLDAP problem to this last week. I had
> a chance to look at this again today and it still appears to not be
> working. I called godaddy and had the last cert cancelled and reissued
> as I had mis-typed the name of the CN on the last one.
>
> I am trying to set up a Godaddy turbo SSL certificate with an openLDAP
> 2.4 server under FreeBSD 8.1.
>
> [root@LBSD2:/usr/home/bluethundr]#pkg_info | grep openldap
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
>
> I have set up the certificate chain in my slapd.conf like so:
>
> [root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
>
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
>
> does anyone have any suggestions on how to make this work?
>
> thanks!
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
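As an added illustration (not part of the thread), the script below builds a constructed, throwaway root -> intermediate -> leaf chain and runs openssl verify against the root alone and then with the intermediate supplied, reproducing the depth-0 err 20 "unable to get local issuer certificate" seen in the ldapsearch trace above and showing why installing the intermediate cert is the fix. The "Demo" CA names and ldap.example.com subject are assumed values, and it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added demo (not from the thread): reproduce OpenSSL verify error 20 with a
# constructed root -> intermediate -> leaf chain, then clear it by making the
# intermediate available, which is what "install the intermediate cert" does.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# $1 = file basename, $2 = subject CN: throwaway key and CSR (constructed).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Root signs the intermediate, intermediate signs the server (leaf) cert,
# mirroring root / "Go Daddy Secure Certification Authority" / server cert.
make_chain() {
  new_csr root "Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
  new_csr inter "Demo Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.crt >/dev/null 2>&1
  new_csr leaf "ldap.example.com"
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
}

# Verify leaf.crt against the root only, plus any extra options in $@.
# Prints OK, or the short reason OpenSSL gives (the err 20 text from the trace).
verify_leaf() {
  if out=$(openssl verify -CAfile root.crt "$@" leaf.crt 2>&1); then
    echo OK
  else
    case "$out" in
      *"unable to get local issuer certificate"*)
        echo "unable to get local issuer certificate" ;;
      *) echo "$out" ;;
    esac
  fi
}

make_chain
echo "root only:           $(verify_leaf)"
echo "root + intermediate: $(verify_leaf -untrusted inter.crt)"
```

The first line fails exactly as the client in the thread does because nothing links the leaf to the trusted root; the second succeeds once the intermediate is presented, which a server must do itself by sending its chain.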