Defining trusted root ca for ldaps server cert validation

Philipp Trenz mail at
Thu May 4 21:51:23 CEST 2017

Hi there,

I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7).
I added the root ca to the system and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs‘ and it returns 'Verify return code: 19 (self signed certificate in certificate chain)‘.
Then I tested the trusted root ca’s at the system to be sure the correct ca’s are there with ...

awk -v cmd='openssl x509 -noout -subject' \
      '/BEGIN/{close(cmd)};{print | cmd}' \
< /etc/pki/tls/certs/ca-bundle.crt

… and the CA is listed. Am I doing something wrong or is it a OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within Freeradius?

I also didn’t quite understand what the tls section in mods-enabled/ldap is for. As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it. And in my case it isn’t. When I let ‚ca_file‘ point to my root ca, i get the following:

TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error..
TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.

I have to admit I’m not practiced with PKI.

Thanks so much for help!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Freeradius-Users mailing list