Defining trusted root ca for ldaps server cert validation

Alan Buxey alan.buxey at
Thu May 4 23:26:43 CEST 2017


you'll want to use a client certificate and have the relevant
server/root certificate if you want security.  if you can afford for
stuff to transit non secured then you can choose not to use TLS (check
the option out).  you only gave a small snippet of output...I would
suggest that the server isnt allowed to read/access that file - hence
the error.

this may be file permissions, it may be selinux


On 4 May 2017 at 20:51, Philipp Trenz <mail at> wrote:
> Hi there,
> I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7).
> I added the root ca to the system and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs‘ and it returns 'Verify return code: 19 (self signed certificate in certificate chain)‘.
> Then I tested the trusted root ca’s at the system to be sure the correct ca’s are there with ...
> awk -v cmd='openssl x509 -noout -subject' \
>       '/BEGIN/{close(cmd)};{print | cmd}' \
> < /etc/pki/tls/certs/ca-bundle.crt
> … and the CA is listed. Am I doing something wrong or is it a OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within Freeradius?
> I also didn’t quite understand what the tls section in mods-enabled/ldap is for. As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it. And in my case it isn’t. When I let ‚ca_file‘ point to my root ca, i get the following:
> TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error..
> TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
> TLS: could not perform TLS system initialization.
> TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> I have to admit I’m not practiced with PKI.
> Thanks so much for help!
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list