That's part of our puzzle. Happy to send more output if it would be helpful.
ldapsearch connects fine:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US] is valid
TLS certificate verification: subject: CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US, issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
even when there's an expired cert in the chain:
head pd-ldap1.certs (from this command: openssl s_client -host pd-ldap1.net.isc.upenn.edu -port 636 -showcerts 2>pd-ldap1.certs >> pd-ldap1.certs)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
DONE
CTED(00000003)
---
Certificate chain
 0 s:/C=US/postalCode=19104/ST=PA/L=Philadelphia/street=3451 Walnut Street/O=University of Pennsylvania/OU=ISC: N&T - NES - Identity and Access Management (IAM)/CN=directory.upenn.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA

________________________________
From: Howard Chu hyc@symas.com
Sent: Wednesday, June 3, 2020 9:43 AM
To: Heinemann, Peter G phei@isc.upenn.edu; openldap-technical@openldap.org openldap-technical@openldap.org
Subject: Re: ssl certificate chain
phei@isc.upenn.edu wrote:
Not sure if this is an openldap issue but have to examine everything we can.
We revised our nss certificate store as part of addressing the expiration of our root cert.
It now has two certs, the end service cert and the intermediate. Basic client operations (ldapsearch) work fine; using -d1 shows that the appropriate service certificate is loaded and the search is successful.
What is the output from ldapsearch -d -1 ?
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
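The s_client capture quoted above was made with `2>pd-ldap1.certs >> pd-ldap1.certs`, which opens the file twice with independent offsets, so stderr's writes start at offset 0 and can overwrite what stdout already wrote (a likely reason the `CONNECTED(00000003)` banner shows up truncated). The script below is an added example, not code from the thread or from OpenLDAP: it captures both streams into one descriptor, then walks every certificate in a `-showcerts` bundle and reports which ones are expired (or expire within a given window), so an expired AddTrust root sitting at depth 3 is visible per certificate rather than only as a single `verify error`. The hostname and file name come from the thread; the function name `chain_report`, the capture file `chain.txt` and the constructed test chain are assumptions for illustration. It needs only `openssl`, `awk` and POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread): report the validity of every
# certificate in a PEM bundle such as `openssl s_client -showcerts` writes.
#
# Capture both streams into ONE descriptor so nothing is clobbered
# (hostname from the thread; chain.txt is an assumed file name):
#   openssl s_client -connect pd-ldap1.net.isc.upenn.edu:636 -showcerts \
#       </dev/null >chain.txt 2>&1

# chain_report BUNDLE [SECONDS]
#   Prints one line per certificate: index, status, notAfter, subject.
#   Exit status is the number of certificates that are already expired or
#   expire within SECONDS (default 0, i.e. "expired right now"); capped at 255.
chain_report() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d) || return 255

    # Split the bundle into cert001.pem, cert002.pem, ... in chain order.
    # Lines outside BEGIN/END blocks (banners, verify output) are dropped.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n); inblk = 1 }
        inblk { print > out }
        /-----END CERTIFICATE-----/   { close(out); inblk = 0 }
    ' "$bundle"

    bad=0
    i=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || break
        i=$((i + 1))
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        subject=$(openssl x509 -in "$f" -noout -subject)
        # -checkend N succeeds only if the cert is still valid N seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=ok
        else
            status=EXPIRED_OR_EXPIRING
            bad=$((bad + 1))
        fi
        printf '%d %s notAfter=%s %s\n' "$i" "$status" "$enddate" "$subject"
    done

    rm -rf "$tmpdir"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Usage on a real capture (run after the s_client command in the header):
#   chain_report chain.txt            # what is expired now
#   chain_report chain.txt 2592000    # what expires within 30 days
```

Run it against the capture file and read the exit status: `0` means every certificate the server sent is within its validity window, anything else is the count of problem certificates. Because only `-showcerts` output is parsed, the report covers exactly the chain the server presents, which is the useful thing to know when deciding whether an expired cross-signed root is still being sent.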