Fixed. I did:

- recreate the /etc/openldap/certs moznss database
- chown root:ldap -R /etc/openldap/certs/
- chmod 640 /etc/openldap/certs/*
- recreate /etc/openldap/slap.d/

Now it works like a charm. I was either missing file permissions to read the database, or there was a mismatch between the pkcs12 key and the pem certificate. Either way, now it works.

Best regards,
Augustyn
On 8 August 2013 07:38, Augustin Wolf <augustynw...@gmail.com> wrote:
> Hi List,
> I have a CentOS 6.4, fresh install, and I'm trying to configure
> OpenLDAP with moznss. For now, a self-signed certificate is sufficient
> for my needs. But when I try to search using a secure connection (-Z
> option), I get an error:
>
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -5938:Encountered end of file
>
> In the OpenLDAP logs:
> connection_read(14): checking for input on id=1000
> TLS: certdb config: configDir='/etc/openldap/certs/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
> TLS: cannot open certdb '/etc/openldap/certs/', error -8018:Unknown PKCS #11 error.
> TLS: skipping 'cert8.db' - filename does not have expected format (certificate hash with numeric suffix)
> TLS: skipping 'key3.db' - filename does not have expected format (certificate hash with numeric suffix)
> TLS: skipping 'secmod.db' - filename does not have expected format (certificate hash with numeric suffix)
> TLS: error: the certificate 'LDAPServer' could not be found in the database - error -8187:security library: invalid arguments..
> TLS: could not read certificate file LDAPServer - error -5950:File not found.
> TLS: error: could not initialize moznss security context - error -5950:File not found
> TLS: can't create ssl handle.
> connection_read(14): TLS accept failure error=-1 id=1000, closing
> connection_close: conn=1000 sd=14
>
> I cannot give up moznss, as it is the default with the openldap
> package in CentOS 6.4.
> I created the TLS certificates like this:
>
> [root@ldap ~]# openssl req -new -x509 -extensions v3_ca -keyout /etc/pki/CA/private/CAss.key -out /etc/pki/CA/certs/CAss.pem -days 200
> # got rid of the certificate password:
> [root@ldap ~]# openssl rsa -in /etc/pki/CA/private/CAss.key -out /etc/pki/CA/private/CAssNOpass.key
> # created pkcs12 key+cert:
> [root@ldap ~]# openssl pkcs12 -export -inkey /etc/pki/CA/private/CAssNOpass.key -in /etc/pki/CA/certs/CAss.pem -out /etc/pki/ldap.example.com.p12 -nodes -name 'LDAPServer'
> # import the p12 certificate into the openldap keybase:
> [root@ldap ~]# pk12util -i /etc/pki/ldap.example.com.p12 -d /etc/openldap/certs
> # import the CA, as a CA, into the certificate keybase:
> [root@ldap ~]# certutil -A -d /etc/openldap/certs -n "LDAPServer" -t CT,, -i /etc/pki/CA/certs/CAss.pem
> # verify:
> [root@ldap ~]# certutil -d /etc/openldap/certs -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> LDAPServer                                                   CTu,u,u
>
> # the keybase has ldap permissions, and ldap is able to read from it:
> [root@ldap ~]# chown root:ldap /etc/openldap/certs/*
> [root@ldap ~]# chmod 0640 /etc/openldap/certs/*
> # openldap uses this keystore:
> [root@ldap ~]# cat /etc/openldap/slapd.conf | grep -i tls
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCACertificatePath /etc/openldap/certs
> TLSCertificateFile LDAPServer
> TLSVerifyClient allow
>
> What did I do wrong?
> Best regards,
> Augustin

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
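A pre-start check for the two causes the fix above points at (the database files not being readable by the ldap group, and the server's nickname not being present in the certdb), written as an added example for this thread; it is not code from either message. It assumes the legacy cert8.db/key3.db/secmod.db layout that the log lines name, takes the directory, service group and nickname as arguments rather than hardcoding the thread's paths, and only calls `certutil -L -n` when certutil is installed and a nickname was given, so it can also run on a host without the NSS tools.

```shell
#!/bin/sh
# check_certdb DIR GROUP [NICKNAME]
# Verifies that an OpenLDAP moznss certificate database is in the state the
# thread's fix produced: the three legacy NSS files exist, every file is
# group-owned by the slapd service group with mode 0640, and (optionally)
# the configured TLSCertificateFile nickname resolves inside the database.
# Prints one line per finding and returns 0 only when nothing is wrong.
# Example (assumed paths, mirroring the thread):
#   check_certdb /etc/openldap/certs ldap LDAPServer
check_certdb() {
    dir=$1
    group=$2
    nick=$3
    rc=0

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 1
    fi

    # 1. The legacy (dbm) NSS database is exactly these three files; slapd's
    #    "cannot open certdb" error is what you get when any of them is absent
    #    or unreadable for the process owner.
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done

    # 2. Ownership and mode. slapd drops privileges to the service user, which
    #    reads the database through group membership; files that are not
    #    group-owned by that group, or whose mode is not exactly 0640, are
    #    either unreadable by slapd or readable by everyone (the key3.db file
    #    holds the private key, so world-readable is the bad direction).
    bad=$(find "$dir" -maxdepth 1 -type f \( ! -perm 640 -o ! -group "$group" \) 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "wrong owner/mode (want root:$group 0640):"
        echo "$bad"
        rc=1
    fi

    # 3. Nickname lookup, only when a nickname was passed and certutil exists.
    #    TLSCertificateFile for moznss is a nickname, not a path; a nickname
    #    that certutil cannot list is the "could not be found in the database"
    #    error from the thread, regardless of file permissions.
    if [ -n "$nick" ] && command -v certutil >/dev/null 2>&1; then
        if ! certutil -d "$dir" -L -n "$nick" >/dev/null 2>&1; then
            echo "nickname '$nick' not found in $dir"
            rc=1
        fi
    fi

    return $rc
}

# Run against the live database only when invoked with explicit arguments,
# so that sourcing this file does not touch anything.
if [ "$#" -ge 2 ]; then
    check_certdb "$1" "$2" "$3"
fi
```

Run it as the root user before `service slapd start`; a non-zero exit with the printed findings tells you which of the two fixes (chown/chmod versus re-importing the certificate under the right nickname) is the one still outstanding.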