[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Howard Chu hyc at symas.com
Sat Jun 3 05:22:40 UTC 2006


fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 02 Jun 2006 17:48:00 -0700
> From: Jeff Gamsby <JFGamsby at lbl.gov>
>
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>   
Geeze you guys, these messages could seriously use some trimming.
>>>>>           
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>                   
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>                     
>>>>>>>>>>> I blew away the server and installed a new one, then I used 
>>>>>>>>>>> the setupssl.sh script to setup SSL. The script completed 
>>>>>>>>>>> successfully, and the server is listening on port 636, but 
>>>>>>>>>>> I'm back to a familiar error:
>>>>>>>>>>>
>>>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>>>                       

Listening on port 636 with SSL means you have an ldaps:// listener. The 
ldapsearch -Z options are for LDAPv3 StartTLS, which is incompatible 
with (LDAPv2+) ldaps://. Use either ldaps:// or StartTLS, you cannot use 
both together. This is already noted in the manpages.
>>>
>> I'm not sure I understand what's going on either, but the message 
>> "Peer does not recognize and trust the CA that issued your 
>> certificate." means that ldapsearch did not verify your LDAP server 
>> certificate (Server-Cert).  This is usually due to one or both of the 
>> following:
>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN 
>> in the LDAP server cert is not the fqdn of the LDAP server host, or 
>> the client cannot resolve it.
>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the 
>> CA that issued the LDAP server certificate (Server-Cert)
>>     

No, on the client side this error can only be caused by (2), there is a 
completely different error message for (1). Also for (1), "client cannot 
resolve it" is not a consideration; as mandated by RFC2830 the hostname 
supplied by the user (on the command line) must exactly match the name 
in the cert CN (or one of the subjectAltNames). No resolution procedures 
are allowed.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
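An added illustration (not code from the thread or from OpenLDAP) of the two client-side rules Howard describes: StartTLS cannot be layered on an ldaps:// listener, and the RFC 2830 identity check compares the hostname the user typed against the certificate's dNSName subjectAltNames (or, failing those, the leftmost cn), case-insensitively and without any DNS resolution. The certificate fields are passed in as already-extracted strings; the function and parameter names are this example's own.

```python
"""Client-side TLS sanity checks from the thread, stdlib only."""


def starttls_allowed(ldap_url: str, request_starttls: bool) -> bool:
    """ldapsearch -Z/-ZZ is the LDAPv3 StartTLS extended operation on a plain
    ldap:// connection.  An ldaps:// URL already has TLS before any LDAP PDU
    is sent, so asking for both is a client configuration error."""
    scheme = ldap_url.split("://", 1)[0].lower()
    return not (request_starttls and scheme == "ldaps")


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2830 section 3.6 matching: case-insensitive, label by label, and a
    '*' wildcard only as the entire left-most label, matching exactly one
    label ("*.bar.com" matches "a.bar.com" but not "bar.com")."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if "*" in p[1:]:  # wildcard anywhere but the left-most component is rejected
        return False
    # Conservative choice: a wildcard must be the whole label, not "f*".
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def rfc2830_identity_matches(connect_hostname: str, subject_cn: str,
                             san_dns_names: list) -> bool:
    """Compare the name the user gave on the command line with the server's
    certificate identity.  The name is never resolved or canonicalised: an IP
    address, a short name, or a CNAME target that the user did not type will
    not match even if DNS would map it to the certificate's name."""
    if not connect_hostname:
        return False
    # RFC 2830: if dNSName subjectAltNames are present they SHOULD be the
    # source of identity, otherwise the cn of the leftmost subject RDN is used.
    candidates = list(san_dns_names) if san_dns_names else [subject_cn]
    return any(_name_matches(c, connect_hostname) for c in candidates if c)
```

A mismatch here is the "different error message" for case (1); an unknown-CA alert such as the one in the subject line is case (2) and is independent of the hostname entirely.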