Several problems.

#1 You said you have a self-signed SSL cert, and a self-signed (assumed) CA cert.

When you do ldapsearch (which is your SSL client), the directory server (your SSL server) replies with the certificate chain, which includes the CA certificate and the self-signed SSL certificate. Then the SSL client checks if the SSL certificate is signed by a "trusted" CA. Since you have a self-signed SSL certificate, you should have the SSL certificate imported into your SSL client's security database, and it should be marked as trusted (i.e. -t "CT,CT,CT"). If this certificate is not marked as trusted, the client (i.e. Peer) will not "trust" the connection.

Another way to do this is to sign your SSL server certificate with your self-signed CA certificate, and import your CA certificate into your SSL client's security database. This approach is more generic and you don't have to trust every single server certificate that is signed by the CA.

#2 You also have a self-signed client certificate.

If your client certificate is self-signed, that means you need to import the client certificate into the server's security database, and mark it as trusted. Otherwise, the server will not trust your client certificate and the connection will not be established. You may want to consider signing your client certificate with your CA certificate so that your client certificate will be trusted as long as you have the CA certificate imported and trusted in the server's database.

thomas

Michael Montgomery wrote:
> conn=31 op=-1 fd=67 closed - Peer does not recognize and trust the CA
> that issued your certificate.
>
> I've been trying to get client authentication via SSL working for
> quite a while now. I've tried generating my own CA via openssl,
> creating a self-signed SSL cert, importing the CA cert via the interface,
> converting the client SSL cert to pkcs12 format, importing it via the
> interface, and trying to run an 'ldapsearch' using the cert (non-pkcs12
> format) on the client machine, but I get the above error.
>
> I've also tried clearing the whole DB, regenerating everything (CA
> cert, and server client cert), and generating a client cert for a test
> machine with this:
>
> /serverRoot/shared/bin/certutil -S -n "hostname-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noise.txt -f pwdfile.txt
>
> then running this:
>
> '../shared/bin/certutil -L -d /opt/fedora-ds/alias/ -n "hostname-test-Cert"'
>
> and putting that in an SSL cert file on the client, '/root/client.crt',
> using this as an ldap.conf file:
>
> host ***.***.***.***
> base dc=test,dc=testdomain,dc=com
> uri ldap://***.***.***.***
> ldap_version 3
> port 636
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> ssl start_tls
> ssl on
> tls_cert /root/client.crt
> pam_password md5
>
> And testing again with ldapsearch.
>
> But I still get the above error.
>
> Does anyone have any ideas why this is happening, as I'm at a loss.
>
> Thanks.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
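The trust decisions described in the reply above, modelled as an added example (not code from the thread, from NSS or from Fedora Directory Server): a small Python function that reads the certutil trust flags an NSS client or server holds for the certificates in the peer's chain and decides whether the peer is trusted. The certificate names and flag strings below are constructed; the cases cover the "u,u,u" client cert from the original post and the fixes the reply suggests.

```python
"""Why "u,u,u" fails and what "CT,CT,CT" or a trusted CA changes.

certutil -t takes three comma-separated fields: SSL, email, object signing.
Only the SSL field matters for LDAPS. In that field:
  P = trusted peer (this exact cert is accepted as the other side)
  C = trusted CA for server certificates
  T = trusted CA for client authentication (checked by the server only)
  u = user certificate (our own key; implies no trust in anyone else)
Constructed example, not the NSS implementation.
"""


def ssl_trust(flags):
    """Return the set of trust letters in the SSL field of a certutil flag string."""
    return set(flags.split(",")[0])


def peer_is_trusted(chain, db, role):
    """Decide whether the local side trusts the peer's certificate chain.

    chain: list of (subject, issuer) pairs, leaf first, as presented by the peer.
    db:    {subject: trust_flags} for certificates in the local security database.
    role:  "server" when a client checks a server cert (needs P on the leaf or
           C on an issuer); "client" when a server checks a client cert (needs
           P on the leaf or T on an issuer).
    """
    leaf_subject, _ = chain[0]
    if leaf_subject in db and "P" in ssl_trust(db[leaf_subject]):
        return True  # the exact peer certificate was imported as a trusted peer
    needed = "C" if role == "server" else "T"
    for _subject, issuer in chain:
        # A self-signed leaf has issuer == subject, so importing it with
        # "CT,CT,CT" makes it its own trusted anchor, as the reply suggests.
        if issuer in db and needed in ssl_trust(db[issuer]):
            return True
    return False


# Constructed scenarios from the thread.
SERVER_SELF_SIGNED = [("cn=ldap.example.test", "cn=ldap.example.test")]
CLIENT_CA_SIGNED = [("cn=hostname-Cert", "cn=CA certificate"),
                    ("cn=CA certificate", "cn=CA certificate")]


def scenarios():
    """Return the trust outcome of each scenario as a name -> bool mapping."""
    return {
        "client db: server cert u,u,u": peer_is_trusted(SERVER_SELF_SIGNED, {"cn=ldap.example.test": "u,u,u"}, "server"),
        "client db: server cert CT,CT,CT": peer_is_trusted(SERVER_SELF_SIGNED, {"cn=ldap.example.test": "CT,CT,CT"}, "server"),
        "server db: CA with C only": peer_is_trusted(CLIENT_CA_SIGNED, {"cn=CA certificate": "C,,"}, "client"),
        "server db: CA with CT": peer_is_trusted(CLIENT_CA_SIGNED, {"cn=CA certificate": "CT,,"}, "client"),
    }
```

Note that the third scenario shows the detail the reply relies on: a CA that the server trusts to issue server certificates (C) still does not make client certificates from that CA acceptable until the T flag is present.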