Hello FreeBSD,
I am trying to set up a GoDaddy Turbo SSL certificate with an OpenLDAP 2.4 server under FreeBSD 8.1.
Code:
[root@LBSD2:/usr/home/bluethundr]#pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
I was attempting to use this guide:
OpenLDAP with a Go Daddy “Turbo SSL Secure Certificate”
I have set up the certificate chain in my slapd.conf like so:
Code:
[root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.example.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
I have tried each of the following certs with no luck in getting my cert to talk to its CA:
Code:
-r--r----- 1 root ldap 2604 Nov 25 11:37 ca_bundle.crt
-r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
-r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
and I get the same result for each when I attempt to connect to SSL on the LDAP server:
Code:
[root@LCENT01:~]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
And this is the result of an anonymous ldapsearch on the server:
Code:
ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.example.com/OU=Domain Control Validated/CN=LBSD2.example.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It seems to indicate that it can't talk to its CA...
Does anyone have any suggestions on how to make this work?
thanks!
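The ldapsearch trace above reports verify error 20 ("unable to get local issuer certificate") for the GoDaddy intermediate that issued LBSD2.example.com.crt, so the useful check is whether a given bundle actually contains that issuer and whether the chain verifies against it. The script below is an added diagnostic written for this thread, not code from the post or from OpenLDAP; it assumes OpenSSL is installed and takes the certificate and bundle paths as arguments (the same issuer must also be present in the CA file the client uses, i.e. TLS_CACERT in ldap.conf, for ldapsearch to accept the server).

```shell
#!/bin/sh
# Added diagnostic (not from the original post): does a CA bundle contain the
# issuer of a server certificate, and does the chain verify against it?

# Print the issuer DN of a PEM certificate (format depends on OpenSSL version,
# but subject and issuer from the same binary compare consistently).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Split a PEM bundle into one certificate per file under directory $2.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
}

# Return 0 if some certificate in the bundle has a subject equal to the
# leaf's issuer, 1 if none does (this is exactly what verify error 20 means).
bundle_has_issuer() {
    leaf=$1; bundle=$2
    issuer=$(cert_issuer "$leaf")
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    found=1
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        if [ "$subj" = "$issuer" ]; then found=0; break; fi
    done
    rm -rf "$tmp"
    return $found
}

# Full check: issuer present in the bundle AND the chain verifies.
# Usage: chain_check LBSD2.example.com.crt gd_bundle.crt
chain_check() {
    leaf=$1; bundle=$2
    if bundle_has_issuer "$leaf" "$bundle"; then
        echo "issuer of $leaf found in $bundle"
    else
        echo "issuer of $leaf NOT in $bundle: $(cert_issuer "$leaf")"
        return 1
    fi
    openssl verify -CAfile "$bundle" "$leaf"
}
```

Run it once per candidate bundle (ca_bundle.crt, gd_bundle.crt, sf_issuing.crt); the bundle that passes is the one to point TLSCACertificateFile at, and the same file is what the client side needs to trust.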