I am not aware of what dpkg-reconfigure does, but try adding "-CAfile /usr/share/ca-certificates/home.jltaylor.net.crt" to s_client and check again.
-Sandeep

On Fri, Jan 14, 2011 at 10:47 AM, Jonathan Taylor <[email protected]> wrote:
> I am trying to set up a TurnKey (Debian-based) MediaWiki installation to
> contact an LDAP server (W2K3) over SSL but I am having issues with the
> SSL part. I have set up the LDAP server as a certificate authority and
> have created my RSA private key as follows:
>
> openssl req -new -newkey rsa:2048 -nodes -keyout wiki.home.jltaylor.net.key -out wiki.home.jltaylor.net.csr
>
> This generated my private key along with a certificate signing request
> that is used to get my certificate. I took this CSR and fed it into my
> CA website and it spit out a certificate. I then copied this along
> with the CA certificate over to my wiki box. I then ran the following:
>
> cat wiki.home.jltaylor.net.key wiki.home.jltaylor.net.cer > wiki.home.jltaylor.net.pem
>
> The .cer file was provided by the CA website. I took my CA
> certificate (home.jltaylor.net.crt) and copied it to the
> /usr/share/ca-certificates folder, then I ran:
>
> dpkg-reconfigure ca-certificates
>
> I selected my new certificate for installation; it said it installed 1
> new certificate. I have tested that OpenSSL validates that my
> certificate is valid:
>
> root@mediawiki ~# openssl verify wiki.home.jltaylor.net.pem
> wiki.home.jltaylor.net.pem: OK
> root@mediawiki ~#
>
> But if I use OpenSSL to validate that it can communicate with my LDAP
> server I get this:
>
> root@mediawiki ~# openssl s_client -connect domain.home.jltaylor.net:636 -cert wiki.home.jltaylor.net.pem
> CONNECTED(00000003)
> depth=0 /CN=domain.home.jltaylor.net
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=domain.home.jltaylor.net
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=domain.home.jltaylor.net
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=domain.home.jltaylor.net
>    i:/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> subject=/CN=domain.home.jltaylor.net
> issuer=/DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
> ---
> Acceptable client certificate CA names
> /DC=net/DC=jltaylor/DC=home/CN=home-jltaylor CA
> ...
> ---
> SSL handshake has read 4889 bytes and written 2184 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
>     Session-ID: 440700006F9E3A8BEE6AADE9B06913A697B85678514E0AD6A0202303B317D8C9
>     Session-ID-ctx:
>     Master-Key: DA87A121993F11D68E8A5BE4C5D6BA725A7EEE0A40AA768B05A85B27B479DBA542FFCB0A10E6D4B38E5143645C52B9C1
>     Key-Arg   : None
>     Start Time: 1294966198
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> root@mediawiki ~#
>
> It sounds like it is having issues getting a local copy of the CA
> certificate but I believe I have my client set up to make the CA
> certificate available. Any help is appreciated.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
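Added example, not code from either poster: it builds a throwaway CA and a leaf certificate with the same openssl req flow as in the question, then runs openssl verify on the leaf with no CA, with -CAfile (Sandeep's suggestion) and with a -CApath hash directory, to show where error 20 comes from and what makes it go away. It assumes only the openssl CLI; every name and path in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA and a
# leaf cert signed by it (same "openssl req" flow as above), then runs
# "openssl verify" on the leaf three ways to show where error 20
# ("unable to get local issuer certificate") comes from and how
# -CAfile or a -CApath hash directory fixes it. Assumes only the
# openssl CLI; every name and path below is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
    # Self-signed CA, standing in for home.jltaylor.net.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Server key + CSR, the same command shape as in the question.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    # The CA signs the CSR (the step the CA web page performed).
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.crt" 2>/dev/null
    # A -CApath directory: the CA cert stored as <subject_hash>.0,
    # the layout c_rehash / update-ca-certificates produce.
    mkdir -p "$WORK/cadir"
    cp "$WORK/ca.crt" \
        "$WORK/cadir/$(openssl x509 -in "$WORK/ca.crt" -noout -subject_hash).0"
}

# Prints "ok", "error20" or "fail". Parses the output rather than the
# exit status because "openssl verify" before 1.1.0 exits 0 on failure.
verify_leaf() {   # $1: extra arguments for "openssl verify"
    out=$(openssl verify $1 "$WORK/srv.crt" 2>&1 || true)
    case "$out" in
        *": OK"*)        echo ok ;;
        *"error 20 at"*) echo error20 ;;
        *)               echo fail ;;
    esac
}

make_certs
echo "leaf only:    $(verify_leaf "")"                      # error20
echo "with -CAfile: $(verify_leaf "-CAfile $WORK/ca.crt")"   # ok
echo "with -CApath: $(verify_leaf "-CApath $WORK/cadir")"    # ok
```

The same two options apply to s_client: pass -CAfile with the CA certificate, or -CApath pointing at a directory of hash-named CA files, and the "Verify return code" line at the end of the s_client output should then read 0 (ok).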
