
natadecoco

macrumors newbie
Original poster
Feb 14, 2012
Hi,

I'm stuck with this openssl problem for a week... What I'm trying to do is to enable SSL via Open Directory. Here is what I did so far:



- Exported the self-signed root certificate authority and certificate from the server in .csr format, renamed them to .pem and imported this CA on the client machine via the Keychain Access app. (later also copied to /etc/openldap/mycert)

- At a Terminal window I entered: <openssl s_client -connect aaa.example.com:636 -showcerts> and copied the server certificate that begins with "----BEGIN CERTIFICATE----", pasted it into TextEdit and saved it with the name "mycert.pem".

- under /etc/openldap I created a mycert directory and pasted the two pem files mentioned above, and rehashed with the command <sudo c_rehash> and it created link files that have a .0 extension.

- at this moment I redo <openssl s_client -connect aaa.example.com:636 -CApath /etc/openldap/mycert> and it returns "Verify return code: 0 (ok)".

- I thought everything was fine, so I modified /etc/openldap/ldap.conf and added the line "TLS_CACERTDIR /etc/openldap/mycert", then I ran the openssl command again without -CApath and it returned "Verify return code: 21 (unable to verify the first certificate)". What's wrong here...?

- when I run the command <ldapsearch -V -x -H ldaps://aaa.example.com:636 -b "dc=aaa,dc=example,dc=com"> it returns "result: 0 success". I also opened Directory Utility and double-clicked LDAPv3 in the Services tab, and ticked the "SSL" box. It seemed that everything went well, but when I restart my iMac/MacBook, at the login window it doesn't show available directory network anymore (without SSL it works fine).



My environment is:
Intel iMac 24 late 2006 - Snow Leopard 10.6.8 Server,
Intel iMac 27 late 2009 - Snow Leopard 10.6.8,
MacBook Pro Intel 2011 - Snow Leopard 10.6.8.

If anyone knows how to force openssl to read the ldap.conf file properly, or knows how to fix this problem, please answer me. Thanks!
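Added example, not part of the original post: TLS_CACERTDIR in ldap.conf is read by OpenLDAP client tools such as ldapsearch, while the openssl command takes its trust anchors only from -CApath/-CAfile or OpenSSL's own default locations. The script below reproduces the two outcomes offline with a constructed throwaway CA and server certificate (the names, temporary paths and function names are assumptions); it relies on a modern OpenSSL whose `verify` exits non-zero on failure.

```shell
#!/bin/sh
# Constructed demo: throwaway CA + server cert, nothing taken from the post.

# build_demo DIR: create a root CA, a server cert signed by it, and a hashed
# CA directory DIR/mycert laid out the way c_rehash would leave it.
build_demo() {
    d="$1"
    mkdir -p "$d/mycert" || return 1
    # Self-signed root CA (constructed subject name)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/mycert/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then a certificate signed by the demo CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=aaa.example.com" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/mycert/ca.pem" \
        -CAkey "$d/ca.key" -set_serial 1 -days 1 \
        -out "$d/srv.pem" 2>/dev/null || return 1
    # What c_rehash does: a <subject-hash>.0 symlink pointing at the CA file
    h=$(openssl x509 -in "$d/mycert/ca.pem" -noout -hash) || return 1
    ln -s ca.pem "$d/mycert/$h.0"
}

# Explicit -CApath: the hashed directory is used as the trust store.
verify_with_capath() {
    openssl verify -CApath "$1/mycert" "$1/srv.pem" >/dev/null 2>&1
}

# No -CApath: openssl uses only its built-in default trust locations and
# does not consult /etc/openldap/ldap.conf, so the demo CA is unknown.
verify_default() {
    openssl verify "$1/srv.pem" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
build_demo "$DEMO" || { echo "openssl setup failed" >&2; exit 1; }
verify_with_capath "$DEMO" && echo "with -CApath: chain verifies"
verify_default "$DEMO" || echo "without -CApath: chain does not verify"
```
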
 