On Mon, 10 Mar 2014 11:18:14 -0400, "Borresen, John - 0442 - MITLL" <[email protected]> wrote:

> All,
>
> My setup consists of three servers each syncing with each other.
> The host names are:
>
> 1) mm-server1.example.ldap
> 2) mm-server2.example.ldap
> 3) mm-server3.example.ldap
>
> Utilizing TLSv1, on all three I have:
>
> olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem

This should be olcTLSCACertificateFile.

> olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/CA/private/cakey.pem

You are missing the host certificate, something like

olcTLSCertificateFile /usr/local/openldap/etc/openldap/CA/host.pem

> olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
>
> Configured with self-signed wild-card certs, originally configured
> (using openssl 0.9.8) on mm-server2 and exported to the other servers.
>
> When running ldapmodify, ldapsearch, etc. with a "-Z", and openssl
> s_client on mm-server1 or mm-server3 or any client pointing back to
> mm-server1 or 3, I receive the following error:
>
> TLS certificate verification: Error, self signed certificate
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
>
> Running any of those to mm-server2, it works with no such error.
>
> I am guessing that, since the certs were created on mm-server2
> originally, that is why it works this way. Also guessing I missed a
> step somewhere.
>
> I read online a post from 2005 with a good explanation of self-signed
> from Howard Chu about a similar problem.
>
> What is the best procedure for creating wild-card certs and sharing
> those out to other servers? The procedure that was used was from
> openssl.org, so it was not a fly-by-night weblog.
>
> What did I miss (besides: a lot)?
>
> Thanks in advance,
>
> John D. Borresen (Dave)
> Linux/Unix Systems Administrator
> MIT Lincoln Laboratory
> Surveillance Systems Group
> 244 Wood St
> Lexington, MA 02420
> Ph: (781) 981-1609
> Email: [email protected]

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
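For readers following the thread, here is the cn=config change that the reply above amounts to, written out as an LDIF you could feed to ldapmodify. This is an added illustration, not something posted by either participant: the CA file and host certificate paths are the ones named in the thread, while the host key path (`private/host.key`) is an assumption, since the poster's `cakey.pem` is the CA's signing key and the host needs its own key pair. The misconfiguration the thread describes is that the CA certificate was placed in `olcTLSCertificateFile`, so slapd presented the CA cert itself as the server certificate and clients on the other two hosts had nothing in their trust store to chain it to.

```ldif
# Added example: corrects the olcTLS* attributes on cn=config.
# Before (as posted in the thread, and the cause of the verify failure):
#   olcTLSCertificateFile:    .../CA/cacert.pem          <- CA cert in the server-cert slot
#   olcTLSCertificateKeyFile: .../CA/private/cakey.pem   <- CA signing key in the server-key slot
#
# After: the CA certificate goes in olcTLSCACertificateFile, and the host
# gets its own certificate (host.pem, signed by that CA) and its own key.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/host.pem
-
replace: olcTLSCertificateKeyFile
# Assumed path: a key pair generated for this host, not the CA's cakey.pem
olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/CA/private/host.key
```

Apply it on each of the three servers with `ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif` (the ldapi/EXTERNAL access path assumes the default config ACLs for root). Before restarting slapd, a quick consistency check is `openssl verify -CAfile cacert.pem host.pem`, which should print `host.pem: OK`; if it reports "self signed certificate" against host.pem, the file still holds the CA certificate rather than a host certificate signed by it. The clients on mm-server1 and mm-server3 also need `TLS_CACERT` in their ldap.conf (or `olcTLSCACertificateFile` for server-to-server syncrepl) pointing at the same cacert.pem, otherwise the verify error persists regardless of what the server presents.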
