Re: ssl client authentication

Several Problems.

#1 You said you have a self-signed ssl cert, and a self-signed (assumed) CA cert

When you do ldapsearch (which is your SSL client), the directory server
(your SSL server) replies with the certificate chain which includes the
CA certificate, and the self-signed SSL certificate.

Then, the SSL client checks if the SSL certificate is signed by a "trusted" CA.
Since you have a self-signed SSL certificate, you should have the SSL
certificate imported into your SSL client's security database, and it should
be marked as trusted (i.e. -t "CT,CT,CT"). If this certificate is not marked
as trusted, the client (i.e. Peer) will not "trust" the connection.

Another way to do this is to sign your SSL server certificate with your
self-signed CA certificate, and import your CA certificate into your SSL
client's security database. This approach is more generic and you don't
have to trust every single server certificate that is signed by the CA.

#2 You also have a self-signed client certificate

If your client certificate is self-signed, that means you need to import the
client certificate into the server's security database, and mark it as
trusted. Otherwise, the server will not trust your client certificate and
the connection will not be established.

You may want to consider signing your client certificate with your CA
certificate so that your client certificate will be trusted as long as you
have the CA certificate imported and trusted in the server's database.

thomas
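The trust decision described in the two points above, as an added example that is not code from the thread, from Fedora DS or from NSS: the certificates are constructed stand-in dicts, the trust strings follow the certutil -t field convention, and the chain walk is a simplified model of the check rather than NSS's actual implementation.

```python
def ssl_flags(trust):
    """SSL field of a certutil -t trust string ('CT,CT,CT' -> {'C','T'}).  P = trusted
    peer, C = trusted CA for server certs, T = trusted CA for client certs, u = user."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected three comma-separated fields: {trust!r}")
    return set(fields[0])

def find_in_db(db, subject):
    """(cert, trust) for the database entry with this subject, or None if not imported."""
    return next(((c, t) for c, t in db.values() if c["subject"] == subject), None)

def peer_trusts(db, chain, usage):
    """db: {nickname: (cert, trust)} as imported into this side's security database; chain:
    certs the peer presented, leaf first; usage: 'server' (client verifying DS) or 'client'."""
    ca_flag = "C" if usage == "server" else "T"
    entry = find_in_db(db, chain[0]["subject"])
    if entry and "P" in ssl_flags(entry[1]):
        return True, "leaf certificate is itself marked as a trusted peer"
    cert = chain[0]
    for _ in range(len(chain) + len(db) + 1):   # bounded walk up the issuer chain
        issuer = cert["issuer"]
        entry = find_in_db(db, issuer)
        if entry and ca_flag in ssl_flags(entry[1]):
            return True, f"issuer {issuer!r} is a trusted CA for {usage} certificates"
        if issuer == cert["subject"]:
            break                                # self-signed root carrying no trust flag
        # Issuer known but untrusted (c/u flags) or absent: continue with the copy the peer sent.
        cert = entry[0] if entry else next((c for c in chain if c["subject"] == issuer), None)
        if cert is None:
            return False, f"issuer {issuer!r} is unknown to this database"
    return False, "Peer does not recognize and trust the CA that issued your certificate"

def make_cert(subject, issuer=None):   # constructed stand-in for a certificate; self-signed by default
    return {"subject": subject, "issuer": issuer or subject}

CA = make_cert("cn=CA certificate")
SERVER_SELF, CLIENT_SELF = make_cert("cn=server-cert"), make_cert("cn=hostname-Cert")
SERVER_BY_CA, CLIENT_BY_CA = make_cert("cn=server-cert", CA["subject"]), make_cert("cn=hostname-Cert", CA["subject"])

def thread_scenarios():
    """The set-ups discussed in the thread -> whether the verifying side trusts the peer."""
    return {
        "self-signed server, nothing imported on the client": peer_trusts({}, [SERVER_SELF], "server")[0],
        "self-signed server imported CT,CT,CT on the client": peer_trusts({"Server-Cert": (SERVER_SELF, "CT,CT,CT")}, [SERVER_SELF], "server")[0],
        "CA-signed server, CA imported CT,CT,CT on the client": peer_trusts({"CA certificate": (CA, "CT,CT,CT")}, [SERVER_BY_CA, CA], "server")[0],
        "self-signed client imported u,u,u on the server": peer_trusts({"hostname-Cert": (CLIENT_SELF, "u,u,u")}, [CLIENT_SELF], "client")[0],
        "CA-signed client, CA imported CT,CT,CT on the server": peer_trusts({"CA certificate": (CA, "CT,CT,CT")}, [CLIENT_BY_CA, CA], "client")[0],
    }
```

The fourth scenario is the one that produces the "Peer does not recognize and trust the CA" outcome even though the certificate is in the database: a u flag marks a user certificate and confers no trust on it as a peer or CA.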

Michael Montgomery wrote:

conn=31 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.

I've been trying to get client authentication via ssl working for quite a while now. I've tried generating my own CA via openssl, creating a self-signed ssl cert, importing CA cert via the interface, converting the client ssl to pkcs12 format, importing it via the interface, and trying to run a 'ldapsearch' using the cert (non-pkcs12 format) on the client machine but get the above error.

I've also tried clearing the whole DB, regenerating everything (CA cert, and server client cert), and generating a client cert for a test machine with this:

/serverRoot/shared/bin/certutil -S -n "hostname-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noise.txt -f pwdfile.txt

then running this:

'../shared/bin/certutil -L -d /opt/fedora-ds/alias/ -n "hostname-test-Cert"'

and putting that in an ssl cert file on the client, '/root/client.crt', using this as an ldap.conf file:

host ***.***.***.***
base dc=test,dc=testdomain,dc=com
uri ldap://***.***.***.***
ldap_version 3
port 636
pam_filter objectclass=posixAccount
pam_login_attribute uid
ssl start_tls
ssl on
tls_cert /root/client.crt
pam_password md5

And testing again with ldapsearch.

But I still get the above error.

Does anyone have any ideas why this is happening, as I'm at a loss.

Thanks.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
