Menu
▾
▴
[Luma-users] Certificate problems with Luma
|
From: Kevin <lum...@gn...> - 2005-01-17 22:53:15
|
Hi List-
My apologies if this is covered in documentation somewhere, but I can't
seem to find it. I think I may even have asked this question (or a
related one) in this list, but for some reason, reviewing those messages
is not helping me resolve this.
The question: how do I tell Luma that a self-signed root CA certificate
and those certificates issued/signed by that certificate are valid?
I keep getting this error message in the console when attempting to bind
to the server:
Error during LDAP bind request
Reason: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}
I can connect to ports 389 and 636 with telnet so I don't think it's a
firewall issue. I see the openldap server (v2.2.17) logging the
connection from Luma and then closing the connection because of a
certificate problem:
Jan 17 16:13:38 tombstone slapd[11825]: connection_read(21): TLS accept
error error=-1 id=64, closing
The hostname of the server (both at the server and as typed into the
settings dialog in Luma) matches the hostname on the certificate that
I'm trying to use to make an encrypted connection to the server with
Luma, so I don't think that's the problem. I'm using the following
relevant settings in my slapd.conf file:
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/openldap/tombstonecrt.pem
TLSCertificateKeyFile /etc/openldap/tombstonekey.pem
The relevant information from serverlist.xml in my .luma directory is:
<!DOCTYPE LumaServerFile>
<LumaServerList version="1.0" >
<LumaLdapServer bindAnon="False" port="636" tls="True"...
When I have port="389" and tls="False" I have no problems.
The root CA certificate is present in /etc/ssl/certs, and it verifies ok
by openssl:
# openssl verify \
-CAfile /etc/ssl/certs/mycacert.pem /etc/openldap/tombstonecrt.pem
/etc/openldap/tombstonecrt.pem: OK
So I'm thinking that I need to tell Luma that this root CA certificate
is ok to trust, but I'm at a loss for how to do this.
I can connect with no problem if I just uncheck the "SSL" checkbox in
the settings dialog in Luma, but no luck with SSL checked. It looks
like that checkbox ("SSL") corresponds with the "tls" setting in
serverlist.xml, but as Bjorn Ove Grotan reminded me in this list, ldap
over ssl on port 636 is not the same as ldaps on port 389, so I'm
wondering if I'm mixed up again between ssl and tls...
TIA for any help.
-Kevin
http://www.gnosys.us
|