Hello Aleksander,

I have made a stupid mistake - I didn't read carefully ... So my server.cnf and client.cnf are not OK (too much from openssl.cnf inside - I just added the lines ...). Now I can execute all commands successfully; the last one is:

oracle:/usr/share/ssl/myca # openssl x509 -in cacert.pem -out /etc/openldap/cacert.pem

I hope I have done this the right way - like the servercert.pem file.

But when starting OpenLDAP again and connecting with openssl s_client I get the error messages again:

oracle:/etc/openldap # openssl s_client -connect localhost:636 -pause -CAfile /etc/openldap/cacert.pem -showcerts
CONNECTED(00000003)
19110:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
oracle:/etc/openldap #

No difference whether I use -pause or not. I dare to ask again: any hints? ....

Aleksandar Milivojevic wrote:
>> Hello Aleksandar,
>> I followed your hints.
>> I generated the CA with CA:True, but I ran into an error
>> when coming to the following command.
>>
>> I replaced hostname by oracle and ../server.cnf by /etc/ssl/server.cnf
>> because I put the files there.
>>
>> oracle:/usr/share/ssl/myca # openssl ca -policy policy_anything -days 365
>> -extfile /etc/ssl/server.cnf -infiles reqs/oracle-ldap.req
>> Using configuration from /etc/ssl/openssl.cnf
>> Enter pass phrase for /usr/share/ssl/myca/private/cakey.pem:
>> Check that the request matches the signature
>> Signature ok
>> ERROR: adding extensions in section default
>> 11768:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension
>> name:v3_conf.c:124:
>> 11768:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
>> extension:v3_conf.c:93:name=HOME, value=.
>>
>> Sorry, but I'm not able to interpret these messages; I know too little about
>> certificates.
>
> It could be we are using different versions of openssl. Just remove (or
> comment) the HOME and RANDFILE lines from the beginning of the openssl.cnf
> file. If you run into trouble with the second RANDFILE definition in the myca
> section, you could comment out that one too. On Linux /dev/random and
> /dev/urandom are used anyhow.
>
> ---
> You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
> To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as
> the SUBJECT of the message.
