I am trying to set up a TurnKey (Debian-based) MediaWiki installation to
contact an LDAP server (W2K3) over SSL, but I am having issues with the
SSL part. I have set up the LDAP server as a certificate authority and
have created my RSA private key as follows:

    openssl req -new -newkey rsa:2048 -nodes -keyout wiki.home.jltaylor.net.key -out wiki.home.jltaylor.net.csr

This generated my private key along with a certificate signing request
that is used to get my certificate. I took this CSR and fed it into my
CA website and it spit out a certificate. I then copied this along
with the CA certificate over to my wiki box. I then ran the following:

    cat wiki.home.jltaylor.net.key wiki.home.jltaylor.net.cer > wiki.home.jltaylor.net.pem

The .cer file was provided by the CA website. I took my CA
certificate (home.jltaylor.net.crt) and copied it to the
/usr/share/ca-certificates folder, then I ran:

    dpkg-reconfigure ca-certificates

I selected my new certificate for installation; it said it installed 1
new certificate. I have tested that OpenSSL validates that my
certificate is valid:

    root@mediawiki ~# openssl verify wiki.home.jltaylor.net.pem
    wiki.home.jltaylor.net.pem: OK
    root@mediawiki ~#

But if I use OpenSSL to validate that it can communicate with my LDAP
server I get this:

    root@mediawiki ~# openssl s_client -connect domain.home.jltaylor.net:636 -cert wiki.home.jltaylor.net.pem
    CONNECTED(00000003)
    depth=0 /CN=domain.home.jltaylor.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /CN=domain.home.jltaylor.net
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /CN=domain.home.jltaylor.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/CN=domain.home.jltaylor.net
       i:/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=/CN=domain.home.jltaylor.net
    issuer=/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
    ---
    Acceptable client certificate CA names
    /DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
    ...
    ---
    SSL handshake has read 4889 bytes and written 2184 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: 440700006F9E3A8BEE6AADE9B06913A697B85678514E0AD6A0202303B317D8C9
        Session-ID-ctx:
        Master-Key: DA87A121993F11D68E8A5BE4C5D6BA725A7EEE0A40AA768B05A85B27B479DBA542FFCB0A10E6D4B38E5143645C52B9C1
        Key-Arg   : None
        Start Time: 1294966198
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    root@mediawiki ~#

It sounds like it is having issues getting a local copy of the CA
certificate, but I believe I have my client set up to make the CA
certificate available. Any help is appreciated.
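An added example, not from the original post or from the OpenSSL project, that separates "the issuer was not found in the trust store openssl consulted" (error 20 above) from "the certificate itself is bad": it builds a throwaway CA and server certificate (constructed names, temporary directory) and runs the chain check once against the default store and once with an explicit -CAfile. It assumes only the openssl CLI; the same -CAfile, pointed at /etc/ssl/certs/ca-certificates.crt (the bundle update-ca-certificates writes), given to s_client is the corresponding check against the live LDAP host.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce "error 20: unable to get local
# issuer certificate" offline with a throwaway CA, then show the same chain check passing
# once the CA file is named explicitly. Needs the openssl CLI; all names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the throwaway root is a proper CA whatever the system openssl.cnf says.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Throwaway root CA (stands in for the poster's W2K3 CA).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=example-test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
# 2. Server key + CSR, then a CA-signed certificate (the same req/sign flow as the post).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=ldap.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out server.crt >/dev/null 2>&1

# verify_error CERT [CAFILE]: print the X509 verify error number (0 = chain OK).
# With no CAFILE, openssl falls back to the default trust store, as s_client does.
verify_error() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  else
    out=$(openssl verify "$1" 2>&1 || true)
  fi
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# The throwaway CA is not in the system store, so the first call reproduces error 20.
echo "default store: error $(verify_error server.crt)"
echo "with -CAfile : error $(verify_error server.crt ca.crt)"
# Against the live server the same distinction is made with:
#   openssl s_client -connect ldap.example.test:636 -CAfile /etc/ssl/certs/ca-certificates.crt
# and "Verify return code: 0 (ok)" on the last line is the pass condition.
```

If s_client reports 0 with -CAfile but 21 without it, the certificate chain is sound and the problem is where the default store lives (or how it is hashed) on the wiki box rather than the CA certificate itself.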
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List