Keagle, Chuck wrote, on 22-11-2007 01:32:
> I have yet to even change the error messages when trying:
>
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> ldap_result: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Can anyone point out what I have missed here?
You've been trying to knock down a brick wall with your head since
before Saturday last week and have now seemingly got nowhere but bruised
and battered. I should try a different approach; I'll give an example.
I don't know SLES at all, I run Red Hat systems. To me the whole concept
of multiple hashed certs without proper names in a common folder is
horrible. The concept of operating with server certs without them being
signed by (an albeit self-generated) common CA cert is horrible. You'll
see why below.
On my 4 RHEL5 servers that need certs for OL 2.3 and have been installed
as upgrades in August last, I have done the following:
Designated one server as being the master, on which the CA cert for all
of them was made, using the CA.sh utility included with RH's openssl
0.9.8b and installed the cert (named CA.pem) in /etc/certs/CA.
Edited /etc/pki/tls/openssl.cnf to reflect my site's true details and
created a single servercert.pem and serverkey.pem (using the CA cert/key
I'd created and ensuring the CN in the server cert is actually that of
the machine as given in /etc/hosts and DNS and CA.sh) which is to be
used for all services on the master. Did 'openssl rsa -in
serverkey.pem.orig -out serverkey.pem' to get a "passwordless" key. For
slapd installed these in /etc/certs/slapd with owner:group ldap and
appropriate permissions.
All other services (e.g. http, Postfix etc.) use the same serverkey and
servercert, but in different subfolders, with different owners and
permissions.
In all files needing any of these (thus also in slapd.conf and
ldap.conf) put the paths in. TLS and SSL work on the master for all
LDAP-based things needing it ;)
scp -p the necessary subfolders of /etc/CA and /etc/pki/tls/openssl.cnf
to each other server that has to run slapd, edit openssl.cnf to reflect
the true CN and generate new servercert.pem and serverkey.pem (using the
CA cert and key from the master server), make serverkey.pem
"passwordless", install to the same folders as on the master. TLS and
SSL work ;)
Because the RHEL5 openssl directories are located differently from the
RHAS4 ones and from those on my FC6 test machine, it took me 1/2 hour to
make the master server's certs. I'd had much experience from RHAS4 and
had botched up the cert thing by making a CA cert and server certs with
far too short validities (accepting the default) for each server. Using
different CA certs for each server meant I had to append the CA cert for
each in /etc/certs/CA, and meant replacing these on each server at least
once in the two years the site was running RHAS4, which was too much
work. I wanted to avoid this for the future, so certs have validities
till 2012. Making the server certs and keys for each other server cost
me 10 minutes per server and I shall have no more work on certs until
the site upgrades to RHEL6, or whatever it happens to be.
HTH, you don't *have* to do everything SuSE's way, just as I don't have
to RH's way.
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
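The procedure Tonni describes (one site CA, a server cert signed by it with the CN set to the machine's real name, the key stripped of its passphrase) condensed into a runnable script. This is an added example, not code from the thread or from OpenLDAP/Red Hat: it uses plain openssl(1) commands in place of CA.sh, writes everything under a temporary directory standing in for /etc/certs/CA and /etc/certs/slapd, and uses the constructed hostname ldap.example.test. It finishes with the checks that the "certificate verify failed" error in the quoted ldapsearch output is about: does the server cert chain to the CA the client trusts, does the CN match the hostname, and is the key really unencrypted. A subjectAltName extension is added because current TLS clients ignore the CN; the 2007 post relied on the CN alone.

```shell
#!/bin/sh
# Added example (not from the original post). Throwaway site CA plus a
# server cert signed by it, then the checks a client performs on StartTLS.
# Assumes openssl(1) is installed; all paths live under $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="ldap.example.test"   # constructed; must equal the name in DNS/hosts

# Step 1: the common site CA (the post uses CA.sh; this is the equivalent).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1826 \
        -keyout "$WORK/CA.key" -out "$WORK/CA.pem" \
        -subj "/C=NL/O=Example Site/CN=Example Site CA" >/dev/null 2>&1
}

# Step 2: passphrase-protected server key (as openssl makes by default)
# and a CSR whose CN is the machine's real name.
make_server_request() {
    openssl genrsa -aes256 -passout pass:tempsecret \
        -out "$WORK/serverkey.pem.orig" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/serverkey.pem.orig" -passin pass:tempsecret \
        -subj "/C=NL/O=Example Site/CN=$LDAP_HOST" -out "$WORK/server.csr" >/dev/null 2>&1
}

# Step 3: sign the CSR with the site CA, adding a SAN for modern clients.
sign_server_cert() {
    printf 'subjectAltName=DNS:%s\n' "$LDAP_HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/CA.pem" -CAkey "$WORK/CA.key" \
        -CAcreateserial -days 1826 -extfile "$WORK/san.ext" \
        -out "$WORK/servercert.pem" >/dev/null 2>&1
}

# Step 4: the "passwordless" key, so slapd can start unattended.
strip_passphrase() {
    openssl rsa -in "$WORK/serverkey.pem.orig" -passin pass:tempsecret \
        -out "$WORK/serverkey.pem" >/dev/null 2>&1
    chmod 600 "$WORK/serverkey.pem"
}

# An unrelated CA, to reproduce what a client sees when its TLS_CACERT
# (ldap.conf) does not point at the CA that signed the server cert.
make_unrelated_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" \
        -subj "/CN=Some Other CA" >/dev/null 2>&1
}

# Check 1: does servercert.pem chain to the CA file given as $1?
# Matches on the ": OK" line because old openssl versions exit 0 either way.
verify_against_ca() {
    openssl verify -CAfile "$1" "$WORK/servercert.pem" 2>/dev/null | grep -q ': OK$'
}

# Check 2: the CN the cert carries (works for old and new subject formats).
cert_cn() {
    openssl x509 -in "$WORK/servercert.pem" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 3: the installed key must not be encrypted.
key_is_plain() {
    ! grep -q 'ENCRYPTED' "$WORK/serverkey.pem"
}

build_all() {
    make_ca; make_server_request; sign_server_cert; strip_passphrase; make_unrelated_ca
}

build_all
printf 'chain to site CA:      %s\n' "$(verify_against_ca "$WORK/CA.pem"    && echo OK || echo FAIL)"
printf 'chain to unrelated CA: %s\n' "$(verify_against_ca "$WORK/other.pem" && echo OK || echo FAIL)"
printf 'cert CN:               %s (expect %s)\n' "$(cert_cn)" "$LDAP_HOST"
printf 'key unencrypted:       %s\n' "$(key_is_plain && echo yes || echo no)"
```

The second verify line is the situation in the quoted ldapsearch output: the server presents a perfectly good certificate, but the client's TLS_CACERT does not contain the CA that signed it, so OpenSSL reports "certificate verify failed" before any LDAP traffic happens. Fixing the client side means pointing ldap.conf at the same CA.pem that signed servercert.pem; fixing the server side means issuing every server's cert from that one CA, as the post does.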