[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: openldap proxy giving TLS certificate error
On Mon, Nov 12 2018 at 20:02:05 -0500, vadud3@gmail.com scribbled
in "openldap proxy giving TLS certificate error":
> I am failing to authenticate through ldap proxy and I am seeing this error
> coming in continuously
>
> *TLS certificate verification: Error, self signed certificate in
> certificate chain*
>
> *TLS: can't connect: error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate in certificate chain).*
>
> Any suggestions how to resolve this?
>
> Here is my slapd.conf.
<SNIP>
> > TLSCACertificateFile /root/data/certs/ldap.crt
> > TLSCertificateFile /root/data/certs/ldap.crt
> > TLSCertificateKeyFile /root/data/certs/ldap.key
<SNIP>
>
> I generate the certificate using this command
>
> *openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout
> /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj
> "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US
> <http://host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US>"*
>
> So I recreated against the same IT ldap server, so I do have the new
> cert and keys produced same way as before.
I think the issue is that you've generated, and are using, a
self-signed certificate, rather than one signed by a trusted
Certificate Authority. As the error messages state, the file
referenced by the "TLSCACertificateFile" option contains that cert.
The purpose of the option is to specify the intermediate chain between
the certificate and the trusted Root CA chain.
I note that you're using the same ldap.crt file for both
"TLSCACertificateFile" and "TLSCACertificateFile" -- have you tried
removing the latter entirely, as with a self-signed cert it's a little
redundant?
Cheers.
Dameon.
--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><