Thanks, Gary

> -----Original Message-----
> From: Tay, Gary [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 05, 2005 5:24 AM
> To: James Wilde
> Subject: RE: Problem verifying self signed certificate
>
>
> ===
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=SE/L=Stockholm/O=Glocalnet
> AB/OU=Infrastructure/CN=Glocalnet Certificate
> Authority/[EMAIL PROTECTED], issuer:
> /C=SE/L=Stockholm/O=Glocalnet
> AB/OU=Infrastructure/CN=Glocalnet Certificate
> ===
>
> Please use FQDN (Fully Qualified Domain Name), as the
> "CommonName" in your CA cert and self-signed Server cert.

FQDN for the CA cert??? The CA cert is not used as a server cert. The server cert has an FQDN, log1.glocalnet.net, but it is not self-signed. It is signed with the self-signed CA cert.

> Understand you have created self-signed cert.
> The CN (CommonName) in your cert. subject is not a FQDN, it
> should be something like "ldap1.glocalnet.com", i.e.
>
> subject: /C=SE/L=Stockholm/O=Glocalnet
> AB/OU=Infrastructure/CN=ldap1.glocalnet.com
>
> Make sure there is an entry for "ldap1.glocalnet.com" in
> /etc/hosts of LDAP Client, on top of DNS.

/etc/hosts included log1 for 127.0.0.1, and I have added log1.glocalnet.net and tested again.

> ===
> # openssl s_client -connect localhost:389 -showcerts -state
> -CAfile /usr/share/ssl/certs/cacert.pem
> ===
> I assume you issue this command at the LDAP Server as local (localhost)
> SSL connection test, assume also the slapd was started with
> BOTH "ldap:///" and "ldaps:///", then the correct command should be:

I normally start the LDAP server simply with '/usr/sbin/slapd'. I have now tested with '/usr/sbin/slapd -h ldap:/// ldaps:///' and tested on both 389 and 636. 389 gave the standard response of 'handshake failure'. 636 gave 'Connection refused' since the server is not listening on 636.

Woohoo! When I restarted with '/usr/sbin/slapd -h ldaps:/// ldap:///' it worked. Thanks! I now note that I should have "ldap:/// ldaps:///" in double quotes after the -h flag.

In other words slapd has not been starting with TLS enabled. I thought this was supposed to happen as a result of uncommenting the TLS lines in slapd.conf rather than being something which one fixes at the command line. Is there a way to build this into the slapd.conf file, maybe with 'uri="ldap:/// ldaps:///"' or 'starttls=critical'?

> # openssl s_client -connect localhost:636 -showcerts -state
> -CAfile /usr/share/ssl/certs/cacert.pem
>
> You may find my HOWTOs useful, or not at all.
>
> http://web.singnet.com.sg/~garyttt/

Thanks, Gary. I'll take a look.

If I can get my slaves running on Solaris, I'll owe you one!

mvh/regards
James
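Editor's worked example, not part of the thread above. Two things in the exchange are worth turning into a repeatable check. First, the TLS* directives in slapd.conf only supply the certificate and key; the set of listeners comes from slapd's -h option, passed as a single quoted argument ("ldap:/// ldaps:///"), and without ldaps:/// nothing answers on 636 (distribution init scripts usually set this in their own config file, for instance an SLAPD_LDAPS-style variable, rather than in slapd.conf). Second, openssl s_client finishes the handshake even when chain verification fails and still exits 0, so the line to inspect is "Verify return code: N (...)". Error 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the issuer at depth 1 is a self-signed CA that the client does not trust, which is exactly what -CAfile (or TLS_CACERT in ldap.conf for the OpenLDAP client) fixes. The host, port, CA path and the SAMPLE_* transcripts below are constructed, not captured from a real server; the live check_* functions assume openssl and ldapsearch are installed.

```shell
#!/bin/sh
# Editor's example, not code from the thread. Helpers for checking an
# OpenLDAP TLS setup the way the exchange above does it by hand.
# Assumptions: openssl s_client and ldapsearch are installed; host, port
# and CA file are placeholders; SAMPLE_* transcripts are constructed.

# slapd takes its listeners as ONE argument: -h "ldap:/// ldaps:///".
# Build that argument from a list of URLs so the quoting cannot be forgotten.
slapd_listen_arg() {
    printf '%s' "$*"
}

# Classify an s_client transcript read from stdin. s_client does not exit
# non-zero when chain verification fails; it completes the handshake and
# prints "Verify return code: N (...)", so that line is what must be checked.
s_client_outcome() {
    out=$(cat)
    case "$out" in
        *"Connection refused"*) echo "refused"; return 0 ;;           # nothing listening on the port
        *"handshake failure"*)  echo "handshake_failure"; return 0 ;; # TLS attempted against a plain port
    esac
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "verify:$code"
    else
        echo "unknown"
    fi
}

# Meaning of the verify codes a self-signed CA setup typically produces.
verify_code_meaning() {
    case "$1" in
        0)  echo "ok" ;;
        18) echo "self signed certificate: the server cert itself is self-signed" ;;
        19) echo "self signed certificate in chain: the CA at depth 1 is not trusted; pass it with -CAfile" ;;
        21) echo "unable to verify the first certificate: CA not sent by server and not in -CAfile" ;;
        *)  echo "verify error $1" ;;
    esac
}

# Live checks (not exercised by the tests). ldaps:// is tested on 636 with
# s_client; StartTLS on 389 is tested with ldapsearch -ZZ, which refuses to
# continue without TLS and trusts the CA named by TLS_CACERT in ldap.conf.
check_ldaps() { # check_ldaps host port cafile
    echo | openssl s_client -connect "$1:$2" -showcerts -CAfile "$3" 2>&1 | s_client_outcome
}
check_starttls() { # check_starttls host
    if ldapsearch -ZZ -x -H "ldap://$1" -b '' -s base >/dev/null 2>&1; then
        echo "starttls_ok"
    else
        echo "starttls_failed"
    fi
}

# Constructed transcripts standing in for the results seen in the thread.
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

SAMPLE_HANDSHAKE='CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'

SAMPLE_ERR19='CONNECTED(00000003)
depth=1 /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

SAMPLE_OK='CONNECTED(00000003)
---
    Verify return code: 0 (ok)
---'

# Stand-alone demonstration over the constructed transcripts.
for s in "$SAMPLE_REFUSED" "$SAMPLE_HANDSHAKE" "$SAMPLE_ERR19" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | s_client_outcome
done
```

In practice the live call is `check_ldaps localhost 636 /usr/share/ssl/certs/cacert.pem` after starting slapd with `-h "$(slapd_listen_arg ldap:/// ldaps:///)"`; anything other than `verify:0` means the listener or the trust chain is still wrong, even though s_client itself reported a completed handshake.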
