Red Hat Bugzilla – Bug 112262
LDAP start_tls fails: Connect error (91)
Last modified: 2014-08-31 19:25:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET
Description of problem:
When trying to setup an OpenLDAP server to use TLS it can not use the
pre-generated slapd.pem certificate. It will always fail with a
Connect error (91)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
From the information I found this is due to a few reasons, first is
that the common name in the certificate doesn't match the host name.
But that is only the start, also with the 2.1 version of OpenLDAP the
certificate must be signed by a CA, self-created or commercial. Also
new to the 2.1 code is the addition of the TLS_CACERT line required
in the /etc/openldap/ldap.conf file. After following the steps found
at http://www.openldap.org/faq/data/cache/185.html the server now
works with TLS like it should. I believe this is something that could
easily be fixed for the next release and could save a lot of
headaches. (Or all the TLS configuration stuff could be left out so
as not to be confusing!)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup an OpenLDAP server
2. ldapsearch ... -ZZ
This can be fixed by adding the line
I just did a fresh re-install of openldap-servers and was able to use
the pre-generated slapd.pem without trouble.
added line TLS_REQCERT allow to slapd.conf file on a new install of
entire OS and used defaults for other TLS settings in the file (pre-
generated slapd.pem) and still get a ldap_start_tls: Connect error
(91) ....certificate verify failed
I still believe the main reason is that the pregenerated cert is not
signed by a CA.
I'm unable to connect to any LDAP server using TLS ... even ones that
I can verify are good (by using the same query on a RH8 box).
For example, the following command succeeds on a RH8 box, but the same
command fails on a fresh-installed Fedora Core1 box:
ldapsearch -x -ZZ -h ldap.yoyoweb.com -p 1389 -b 'dc=yoyoweb,dc=com'
The error is:
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
... more information ... part of the problem seems to be the port number?
I set up a server on port 389, and again the query works flawlessly on
RH8, but now on Fedora 1 I get:
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Same problem for me on Fedora Core 2. I have disabled TLS for the
time being but a side effect of this is that authentication to gdm no
longer works (see bug 97676 -- GDM LDAP User Authentication Fails).
The work around for that is to switch to KDM by entering:
I still believe that it's a bug for gdm to require TLS or SSL on LDAP
connections when "ssl no" is set in /etc/ldap.conf
You actually want to add
to /etc/openldap/ldap.conf (not slapd.conf)
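The three conditions named in the report (CN matches the host name, server cert signed by a CA, client told about that CA via TLS_CACERT in /etc/openldap/ldap.conf rather than slapd.conf) can be walked through with openssl alone. The script below is an added example, not from the bug report, the OpenLDAP FAQ, or the Fedora packages: it creates a private CA, issues a server certificate whose CN is an assumed host name (ldap.example.test), writes the slapd.conf and ldap.conf TLS fragments, and then shows that a lone self-signed certificate (standing in for the pre-generated slapd.pem) does not verify against the CA file, which is what the client reports as "certificate verify failed". Paths under the scratch directory are assumptions for the demo; on a real host they would be the files under /etc/openldap.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenLDAP): build a CA-signed
# server certificate the way the FAQ steps describe and compare it with a
# bare self-signed certificate. Assumed: FQDN ldap.example.test, scratch dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-ldap.example.test}"

# Step 1: a private CA (self-created, which the report says is enough).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: server key and CSR whose CN is the name clients will connect to,
# then sign the CSR with the CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$FQDN" \
        -keyout "$WORK/slapd.key" -out "$WORK/slapd.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/slapd.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/slapd.crt" 2>/dev/null
}

# A self-signed cert with the right CN but no CA behind it: this is the
# shape of a pre-generated slapd.pem that the client cannot verify.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$FQDN" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# Returns 0 when the cert chains to ca.crt, i.e. what the client's
# TLS_CACERT check decides before ldapsearch -ZZ is allowed to proceed.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Step 3: config fragments. slapd.conf carries the server cert and key;
# the client side (/etc/openldap/ldap.conf) carries TLS_CACERT, and
# TLS_REQCERT demand keeps verification switched on.
write_configs() {
    cat > "$WORK/slapd.conf.tls" <<EOF
TLSCACertificateFile $WORK/ca.crt
TLSCertificateFile $WORK/slapd.crt
TLSCertificateKeyFile $WORK/slapd.key
EOF
    cat > "$WORK/ldap.conf.tls" <<EOF
TLS_CACERT $WORK/ca.crt
TLS_REQCERT demand
EOF
}

# CN check: prints the subject CN so it can be compared with the host name
# used on the ldapsearch -h line. Handles both old and new openssl output.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

run_demo() {
    make_ca
    make_server_cert
    make_selfsigned
    write_configs
    echo "server cert CN: $(cert_cn "$WORK/slapd.crt") (expect $FQDN)"
    if verify_against_ca "$WORK/slapd.crt"; then
        echo "CA-signed slapd.crt: verify OK"
    fi
    if ! verify_against_ca "$WORK/self.crt"; then
        echo "self-signed self.crt: verify failed (the Connect error (91) case)"
    fi
    echo "configs written to $WORK/slapd.conf.tls and $WORK/ldap.conf.tls"
}

run_demo
```

The TLS_REQCERT allow workaround mentioned earlier in the thread silences the error only by telling the client to proceed when the server certificate cannot be verified; it does not make the certificate valid, and the client then has no assurance about which server it is talking to. Keeping TLS_REQCERT at demand and pointing TLS_CACERT at the signing CA, as above, is the configuration under which -ZZ both succeeds and actually authenticates the server.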
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.
NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.
Note that FC1 and FC2 are no longer supported even by Fedora Legacy. Many
changes have occurred since these older releases. Please install a supported
version of Fedora Core and retest. If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6,
please reopen and assign to the correct version. Thanks!