Greetings,
I'm trying to get LDAP to work with TLS but when I used the ldapsearch command to verify TLS is working, this error is a showstopper for me. The error is: TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error. Here's how this surfaced: I just created a CA using an openssl.cnf and the openssl command. Here's my openssl.cnf: [ ca ] default_ca = mypersonalca [ mypersonalca ] # # WARNING: if you change that, change the default_keyfile in the [req] section below too # Where everything is kept dir = ./mypersonalca # Where the issued certs are kept certs = $dir/certs # Where the issued crl are kept crl_dir = $dir/crl # database index file database = $dir/index.txt # default place for new certs new_certs_dir = $dir/certs # # The CA certificate certificate = $dir/certs/ca.pem # The current serial number serial = $dir/serial # The current CRL crl = $dir/crl/crl.pem # WARNING: if you change that, change the default_keyfile in the [req] section below too # The private key private_key = $dir/private/ca.key # private random number file RANDFILE = $dir/private/.rand # The extensions to add to the cert x509_extensions = usr_cert # how long to certify for default_days = 365 # how long before next CRL default_crl_days= 30 # which md to use; people in comments indicated to use sha1 here default_md = sha1 # keep passed DN ordering preserve = no # Section names policy = mypolicy x509_extensions = certificate_extensions [ mypolicy ] # Use the supplied information commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional [ certificate_extensions ] # The signed certificate cannot be used as CA basicConstraints = CA:false [ req ] # same as private_key default_keyfile = ./mypersonalca/private/ca.key # Which hash to use default_md = sha1 # No prompts prompt = no # This is for CA subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer string_mask = 
utf8only basicConstraints = CA:true distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] # EDIT THOSE commonName = My Personal CA stateOrProvinceName = California countryName = US emailAddress = ce...@example.com organizationName = My Personal Certification Authority [ root_ca_extensions ] basicConstraints = CA:true Here's the command that I used to create the CA. OPENSSL=ca.cnf openssl req -x509 -nodes -days 3650 \ -newkey rsa:2048 -out mypersonalca/certs/ca.pem \ -outform PEM -keyout ./mypersonalca/private/ca.key Here's the command that created the certificates. openssl req -newkey rsa:1024 -nodes -sha1 \ -keyout cert.key -keyform PEM -out cert.req -outform PEM Here's the command that signed the certificate. OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem But when I did ' ldapsearch -d -1 -x -LLL -ZZ' to verify that TLS is working, I got: [root@fl1-lsh99apa007 ~]# ldapsearch -d -1 -x -LLL -ZZ ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.227.2.122:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x10c8b00 ptr=0x10c8b00 end=0x10c8b1f len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x10c8b00 ptr=0x10c8b05 end=0x10c8b1f len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush2: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 0x10bf150 msgid 1 wait4msg ld 0x10bf150 msgid 1 (infinite timeout) wait4msg continue ld 0x10bf150 msgid 1 all 1 ** ld 0x10bf150 Connections: * host: fl1-lsh99apa007.securesites.com port: 389 (default) refcnt: 2 status: Connected last used: Tue Jun 18 15:19:12 2013 ** ld 0x10bf150 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x10bf150 request count 1 (abandoned 0) ** ld 0x10bf150 Response Queue: Empty ld 0x10bf150 response count 0 ldap_chkResponseList ld 0x10bf150 msgid 1 all 1 ldap_chkResponseList returns ld 0x10bf150 NULL ldap_int_select read1msg: ld 0x10bf150 msgid 1 all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 78 07 0a 0....x.. ldap_read: want=6, got=6 0000: 01 00 04 00 04 00 ...... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x10c9f30 ptr=0x10c9f30 end=0x10c9f3c len=12 0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........ read1msg: ld 0x10bf150 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x10c9f30 ptr=0x10c9f33 end=0x10c9f3c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ read1msg: ld 0x10bf150 0 new referrals read1msg: mark request completed, ld 0x10bf150 msgid 1 request done: ld 0x10bf150 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x10c9f30 ptr=0x10c9f33 end=0x10c9f3c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ 
ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x10c9f30 ptr=0x10c9f33 end=0x10c9f3c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ber_scanf fmt (}) ber: ber_dump: buf=0x10c9f30 ptr=0x10c9f3c end=0x10c9f3c len=0 ldap_msgfree TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error. TLS: skipping 'ca.pem' - filename does not have expected format (certificate hash with numeric suffix) tls_write: want=102, written=102 0000: 16 03 01 00 61 01 00 00 5d 03 01 51 c0 b2 b0 28 ....a...]..Q...( 0010: c8 32 f9 e5 2a ec da dc 3d a0 76 5a 4b f1 5f 96 .2..*...=.vZK._. 0020: 9e 8f f2 26 f3 35 14 34 9a 53 76 00 00 36 00 ff ...&.5.4.Sv..6.. 0030: 00 88 00 87 00 39 00 38 00 84 00 35 00 45 00 44 .....9.8...5.E.D 0040: 00 66 00 33 00 32 00 96 00 41 00 05 00 04 00 2f .f.3.2...A...../ 0050: 00 16 00 13 00 0a 00 15 00 12 00 09 00 64 00 62 .............d.b 0060: 00 03 00 06 01 00 ...... tls_read: want=5, got=0 TLS: error: connect - force handshake failure: errno 0 - moznss error -5938 TLS: can't connect: TLS error -5938:Encountered end of file. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS error -5938:Encountered end of file I also have this in my ldif file: olcTLSCACertificateFile: /home/rsimioni/mypersonalca/certs/ca.pem olcTLSCertificateFile: /home/rsimioni/cert.pem olcTLSCertificateKeyFile: /home/rsimioni/cert.key olcTLSVerifyClient: allow This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. 
makes no warranty that this email is error or virus free. Thank you.