I'm getting a generic error 80 when I try to use ldapmodify to
configure my LDAP server to use an SSL certificate. Here is the LDIF
I'm using:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt

and the command:

ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W

Running logging at the highest level doesn't seem to give me much to go on ...

Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]:  14r

I've checked that the user that slapd is running under can read the three files.

Any suggestions or clarification on what I've overlooked?

Thanks.

Regards

Philip
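An added pre-flight check, not part of Philip's post or of OpenLDAP itself: the LDIF above gives olcTLSCertificateFile a .key path and olcTLSCertificateKeyFile a .crt path, and the slapd log only shows the generic err=80 for the rejected modify. The script below pulls every olcTLS* path out of an LDIF and checks that the file it names starts with the PEM block that attribute expects (certificate vs. private key) and is readable by whoever runs the check; the file names and PEM contents in demo() are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

EXPECTED = {  # PEM label(s) each cn=config TLS attribute must point at
    "olcTLSCACertificateFile": ("CERTIFICATE",),
    "olcTLSCertificateFile": ("CERTIFICATE",),
    "olcTLSCertificateKeyFile": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
}

def parse_tls_paths(ldif_text):
    """Return {attribute: path} for the olcTLS* attribute lines in a modify LDIF."""
    paths = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^(olcTLS\w+):\s*(\S+)$", line)
        if m and m.group(1) in EXPECTED:
            paths[m.group(1)] = m.group(2)
    return paths

def pem_label(path):
    """Label of the first PEM block in path, or None if unreadable or not PEM."""
    try:
        text = open(path, encoding="ascii", errors="replace").read()
    except OSError:  # missing, or not readable by the user running this check
        return None
    m = re.search(r"^-----BEGIN ([A-Z ]+)-----", text, re.M)
    return m.group(1) if m else None

def check_tls_ldif(ldif_text):
    """Return a list of problems; an empty list means the TLS attributes look sane.
    Run it as the slapd service user (e.g. via sudo -u) to also catch permission issues."""
    problems = []
    for attr, path in parse_tls_paths(ldif_text).items():
        label = pem_label(path)
        if label is None:
            problems.append(f"{attr}: {path} is unreadable or not PEM")
        elif label not in EXPECTED[attr]:
            problems.append(f"{attr}: {path} is a {label}, expected {' or '.join(EXPECTED[attr])}")
    return problems

def demo():
    """Constructed files carrying only PEM headers (no real key material)."""
    d = Path(tempfile.mkdtemp())
    crt, key = d / "wildcard.crt", d / "wildcard.key"
    crt.write_text("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    swapped = f"olcTLSCertificateFile: {key}\nolcTLSCertificateKeyFile: {crt}\n"  # as in the post
    fixed = f"olcTLSCertificateFile: {crt}\nolcTLSCertificateKeyFile: {key}\n"
    return check_tls_ldif(swapped), check_tls_ldif(fixed)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```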