can't use godaddy SSL cert
bluethundr
bluethundr at gmail.com
Sun Nov 28 18:49:48 UTC 2010
Hi Eric,
Sorry, I am clear on that now. I have tried the -h value that matches
the one in the cert, but I get the same result, unfortunately:

[root@VIRCENT03:~]#ldapsearch -h LBSD2.summitnjhome.com -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[root@VIRCENT03:~]#openssl s_client -connect LBSD2.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
10504:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
10504:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Thanks again for following up!
On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 28/11/10 18.51, bluethundr wrote:
>
>> Yes the hostname is in the CN of the cert file. So I agree that -h is
>> not the issue. :)
>> [root@VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>
> Maybe I didn't make myself clear: the host name you use to connect to (-h),
> in your command line example above, ldap, must be the same as the CN of the
> server certificate. It is irrelevant if the server's hostname is the same as
> the CN.
>
> That might be why you get
>
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Try
>
> -h LBSD2.summitnjhome.com
>
> BR, Erik
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
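
Added example, not part of the original message and not OpenSSL or OpenLDAP code: this Python code parses the OpenSSL error lines quoted in the message and decodes each packed error code, which separates the three distinct failures in the output (certificate verification, a -CAfile path that does not exist, and a handshake that did not complete). The names `parse`, `triage` and the category labels are hypothetical; the lib<<24 | func<<12 | reason layout is the one used by OpenSSL releases before 3.0.

```python
import re
from collections import namedtuple

# Error lines copied from the message above, with mail line-wrapping undone.
SAMPLE = """\
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
10504:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
10504:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

Err = namedtuple("Err", "code lib func reason lib_no func_no reason_no data")

# [pid:]error:<8 hex>:<library>:<function>:<reason>[:<file>:<line>:<data>]
LINE = re.compile(r"(?:\d+:)?error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)"
                  r"(?::[^:]*:\d+:(.*))?$")

def parse(text):
    """Return one Err per OpenSSL error line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        code = int(m.group(1), 16)
        # Pre-3.0 OpenSSL packs the code as lib<<24 | func<<12 | reason.
        out.append(Err(m.group(1), m.group(2), m.group(3), m.group(4),
                       code >> 24, (code >> 12) & 0xFFF, code & 0xFFF,
                       m.group(5) or ""))
    return out

def triage(errs):
    """Label the errors that identify a failing step (hypothetical labels)."""
    notes = []
    for e in errs:
        if e.func == "fopen" and e.reason_no == 2:  # system library reason 2 = ENOENT
            path = re.search(r"fopen\('([^']*)'", e.data)
            notes.append(("missing-file", path.group(1) if path else ""))
        elif e.reason == "certificate verify failed":
            notes.append(("verify-failed", e.func))
        elif e.reason == "ssl handshake failure":
            notes.append(("handshake-aborted", e.func))
    return notes

if __name__ == "__main__":
    for kind, detail in triage(parse(SAMPLE)):
        print(kind, detail)
```

The "missing-file" entry means `-CAfile` loaded no CA certificates for that s_client run. Note also that s_client sends a TLS ClientHello immediately on connect, whereas `ldapsearch -Z` negotiates StartTLS inside the LDAP session on port 389.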