Gremaud Cyrill wrote:
Hello Philip,

Is it a self-signed certificate?

If yes, you must remove the line olcTLSCACertificateFile.

That is utter nonsense.

-----Original Message-----
From: openldap-technical [mailto:[email protected]] On 
Behalf Of Philip Colmer
Sent: Wednesday 25 February 2015 15:13
To: [email protected]
Subject: Can't get certificates installed on new server

I'm getting a generic error 80 when I try to use ldapmodify to configure my 
LDAP server to use an SSL certificate. Here is the LDIF I'm using:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt

and the command:

ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W

Running logging at the highest level doesn't seem to give me much to go on ...

Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]:  14r

I've checked that the user that slapd is running under can read the three files.

Any suggestions or clarification on what I've overlooked?

Thanks.

Regards

Philip



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
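One detail worth noticing in the LDIF quoted above: olcTLSCertificateFile is given a path ending in .key and olcTLSCertificateKeyFile a path ending in .crt, and slapd answers only with err=80 (LDAP "other") and an empty text field, which tells the client nothing about why the TLS settings were rejected. The script below is an added example written for this thread; it is not code from the thread or from the OpenLDAP project. It parses the olcTLS* values out of a cn=config modify LDIF and checks that each referenced file actually contains the PEM block type that attribute expects, so a swap like this is caught before ldapmodify is run. The attribute-to-PEM-label mapping, the temporary files and the PEM bodies in build_demo() are constructed placeholders, and the check only inspects PEM labels; it does not verify that the key matches the certificate.

```python
import re
import tempfile
from pathlib import Path

# PEM block labels each cn=config TLS attribute should point at.
# Attribute names are the ones from the thread's LDIF; the label sets are an
# assumption about what slapd's TLS backend will accept in each slot.
EXPECTED_LABELS = {
    "olcTLSCACertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----\s*$", re.MULTILINE)


def parse_ldif_tls_attrs(ldif_text):
    """Return {attribute: path} for the olcTLS* values in a modify LDIF.

    Skips 'dn:', 'changetype:', 'add:'/'replace:' lines and the '-' lines
    that separate the individual changes.
    """
    attrs = {}
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line or line == "-" or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() in EXPECTED_LABELS:
            attrs[name.strip()] = value.strip()
    return attrs


def pem_labels(path):
    """Set of PEM block labels found in the file, or None if it cannot be read."""
    try:
        text = Path(path).read_text()
    except OSError:
        return None
    return set(PEM_BEGIN.findall(text))


def check_tls_files(ldif_text):
    """Return a list of (attribute, path, problem) tuples.

    An empty list means every referenced file is readable and carries a PEM
    block of the type its attribute expects.
    """
    problems = []
    for attr, path in parse_ldif_tls_attrs(ldif_text).items():
        labels = pem_labels(path)
        if labels is None:
            problems.append((attr, path, "unreadable"))
        elif not labels & EXPECTED_LABELS[attr]:
            found = ", ".join(sorted(labels)) or "no PEM block"
            problems.append((attr, path, "unexpected PEM type: " + found))
    return problems


def make_ldif(ca_path, cert_path, key_path):
    """Build a cn=config modify LDIF in the same shape as the one in the thread."""
    return (
        "dn: cn=config\nchangetype: modify\n"
        f"add: olcTLSCACertificateFile\nolcTLSCACertificateFile: {ca_path}\n-\n"
        f"add: olcTLSCertificateFile\nolcTLSCertificateFile: {cert_path}\n-\n"
        f"add: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: {key_path}\n"
    )


def build_demo():
    """Run the check on a swapped LDIF and on a corrected one.

    Uses constructed placeholder files in a temporary directory; returns
    (problems_for_swapped, problems_for_fixed).
    """
    tmp = Path(tempfile.mkdtemp())
    cert = tmp / "server.crt"
    key = tmp / "server.key"
    # Constructed placeholder PEM bodies; not real certificate or key material.
    cert.write_text("-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n")

    swapped = make_ldif(cert, key, cert)   # cert slot gets the key, key slot gets the cert
    fixed = make_ldif(cert, cert, key)     # each slot gets the matching file type
    return check_tls_files(swapped), check_tls_files(fixed)


if __name__ == "__main__":
    for result in build_demo():
        print(result or "ok")
```

Run against a real LDIF before applying it with ldapmodify; the check is read-only and needs no privileges beyond reading the certificate and key files, which is the same access slapd itself needs.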
