Hello,
We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration:
# config
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem
The file is a bundle containing both the certificates (wildcard and it's issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now.
We tried to set LogLevel to any, but nothing really showed in the log. On the server side:
slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing
On the client side (localhost):
openssl s_client -connect localhost:636 -servername
ldap.deverywa.re
CONNECTED(00000003)
140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl
handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1695652388
Timeout : 300 (sec)
Verify return code: 0 (ok)
We still use 2048 RSA key to generate the certificates. We have
checked permissions and it is fine. How could I debug what's wrong
on the server side ?
Thank you