[SOLVED] main: TLS init def ctx failed: -1

Error added: 2007-10-10T15:46:28Z

2 people waiting for the answer...

15 answers found.

Answer 1367 (100.0% helpful)

I used strace slapd, and it keep complaining about not been able to read the CA certification file ca.crt

Tire putting this ca.crt file in various locations, with 777 permissions, even in the root, e.g. /ca.crt

it still complains about access denied. I suspect it is a configuration in /etc/aparmor.d/slapd

So in the end, to get it running, I simply copied all my ssl files to 


and it if finally working now.

I guess /etc/apparmor.d/slapd configured /etc/ldap to be a valid location for placing those ssl files, though I don\'t really see it specified there.

Answer 2090 (100.0% helpful)

Problem was resolved after installing an ssl-cert package ( Ubuntu 12.04 TLS )

#apt-get install ssl-cert

Answer 2437 (100.0% helpful)

I create cert file by openssl in ubuntu 14.04. so I installed openssl/libssl-cert before, the error show in this environment. It works after following steps:
1.	check your certfile path whether it is correct. 检查文件路径,是否存在
2.	check your file permission. 检查文件权限
chown openldap.openldap /etc/ssl/certs/ldapcert.pem
chown openldap.openldap /etc/ssl/private/ldapkey.pem
chmod -R 0400 /etc/ssl/certs/ldapcert.pem
chmod -R 0400 /etc/ssl/private/ldapkey.pem
Example: 示例:
-rw-r--r-- 1 root     root     1383 Dec  1 09:47 /etc/ssl/certs/cacert.pem
-r-------- 1 openldap openldap 3808 Dec  1 09:48 /etc/ssl/certs/ldapcert.pem
-r-------- 1 openldap openldap  891 Dec  1 09:47 /etc/ssl/private/ldapkey.pem
3.	Whether install libssl-dev/ssl-cert, especially ssl-cert. 是否安装了libssl-dev/ssl-cert
4.	Whether add user openldap to group ssl-cert. 是否添加openldap至ssl-cert用户组
adduser openldap ssl-cert
5.	Whether certfile is correct. 检查证书是否正确
openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
6.	Check apparmor. With the 1st step, if your cert file not under path /etc/ssl/... your should add your cert file path to /etc/apparmor.d/usr.sbin.slapd, then reload the apparmor service like this : /etc/init.d/apparmor reload
If you have any other question, please feel free to concat to me or refer to blog

Answer 943 (87.5% helpful)

I had the same thing after trying to get OpenLDAP to use TLS. Using \"strace slapd\" revealed that it couldn\'t read the certificates I had generated. Using \"chgrp openldap\" on private key, public certficiate and CA certificate should fix the problem.

Answer 1294 (83.33333% helpful)

It worked for me after creating the private key and certificate using certtool (instead of openssl) and also using certtool to sign the certificate for LDAP.  This is because OpenLDAP has been compiled against gnutls rather than openssl.

In addition, I made the mistake of storing the private key (in Ubuntu 9.10) in /etc/ssl/private rather than a directory that the openldap user could read.

Answer 1732 (66.666664% helpful)

On Ubuntu 9.10, put user openldap into group ssl-cert (use vigr *and* vigr -s) and then copy certificates and keys to /etc/ssl/private.

Answer 1247 (50.0% helpful)

From answer 2, I\'d like to add that slapd (with user openldap) does not follow certificate symlinks. 

Answer 1919 (50.0% helpful)

I followed the following howto:

But I tried to be smart and added a slapd config for cipher suite:

This line prevented slapd from starting. Removing it fixed the problem. This was shown by running slapd with the "-d 2" debug option.

Answer 1283 (37.5% helpful)

The reason for the \"main: TLS init def ctx failed: -1\" problem could also be this: 

I had only the 
in my certificate file. After a while of investigation I found out, that OpenLDAP also wanted the text part of certificate. To get to that use the following command:
openssl x509 -text -in yourcert.pem -out yourcerttxt.pem

Answer 1452 (0.0% helpful)

For Mandriva, you need to give TLSCACertificateFile the same treatment, so your final file should look like:

TLSCertificateFile      /etc/pki/tls/cert/ldap.pem
TLSCertificateKeyFile   /etc/pki/tls/private/ldap.pem
TLSCACertificateFile    /etc/pki/tls/certs/ldap.pem


Answer 1709 (0.0% helpful)

If this is on a mac, I had the exact same problem in my log. I posted my long answer here:
But in short: Check your certificates, have you deleted some of them?

Answer 1246 (0.0% helpful)

I used the answer 1 to fix my similar problem and my error changes 
from -> \"main: TLS init def ctx failed: -1\"
to -> \"main: TLS init def ctx failed: -207\"

Answer 1441 (0.0% helpful)

In the slapd.conf provided in packages for Mandriva 2009.1, 2010 and 2010.1 (I can\'t tell for others distro) TLSCertificateFile is set to /etc/pki/tls/private/ldap.pem.
I set it to /etc/pki/tls/certs/ldap.pem and it works.


Answer 1467 (0.0% helpful)

When you generate and sign the keys, you MUST copy BOTH files (newcert.pem _and_ newkey.pem) to the server 02 using the SAME CA (cacert.pem) from server 01.

Answer 1688 (0.0% helpful)

Check out the slapd flags, make sure you have ldaps:///

On ubuntu, edit /etc/default/slapd and add ldaps:///

Add an answer/solution

If you know the answer, please add your own solution below.
If you don't know, but find out later, please come back and share your answer - there will be other people struggling with this too.

Please enter 61948 here

If you want to be notified via email when this is solved, enter your email address here:

Psst - want to help build a list of common error messages?
Put the following line in your /etc/[r]syslog.conf file:


Collecting solutions to error messages since Aug 2005. © rtfm 2005-2019