Jérôme BECOT wrote:
Hello,
We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration:
Presumably since that's a Debian build it was built using GnuTLS. I suggest you try using gnutls-cli with your PEM file and see what works or doesn't work.
# config
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem
The file is a bundle containing both the certificates (wildcard and its issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now.
We tried to set LogLevel to any, but nothing really showed in the log. On the server side:
slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing
On the client side (localhost):
openssl s_client -connect localhost:636 -servername ldap.deverywa.re
CONNECTED(00000003)
140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 315 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1695652388
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
We still use a 2048-bit RSA key to generate the certificates. We have checked permissions and it is fine. How could I debug what's wrong on the server side?
Thank you
-- 
Jérôme BECOT
DevOps Infrastructure Engineer
Landline: 01 82 28 37 06 Mobile: +33 757 173 193
Deveryware - 43 rue Taitbout - 75009 PARIS
https://www.deveryware.com
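The reply above suggests exercising the PEM file with gnutls-cli. As an added example that is not part of this thread or of the OpenLDAP project, the POSIX shell script below does the offline half of that check with openssl instead (assumed to be installed): it splits a combined bundle of the kind the three olcTLS* entries point at, prints subject/issuer/expiry of each certificate in file order, confirms that the private key belongs to the first certificate (the one slapd presents), and confirms that the leaf chains to the other certificates in the bundle. It builds a throwaway issuer and leaf pair so it runs without any real certificate; the names "Demo Issuer" and "ldap.example.test" and the `make_demo_bundle` helper are constructed for the demo.

```shell
# Added example (not from the thread): offline consistency check of a
# combined PEM bundle (leaf cert, issuer cert(s), private key) using openssl.
set -eu

# check_bundle FILE
#   Splits FILE into its certificate blocks (in file order) and its private
#   key block, prints subject/issuer/expiry of each certificate, checks that
#   the key matches the FIRST certificate (the leaf slapd will present), and
#   checks that the remaining certificates chain the leaf upward.
#   Returns 0 when everything is consistent, 1 otherwise.
check_bundle() {
  bundle=$1
  work=$(mktemp -d)

  # one file per certificate: cert-01.pem, cert-02.pem, ... in bundle order
  awk -v dir="$work" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > out }
  ' "$bundle"

  # the private key block, whatever its header (RSA, EC or PKCS#8)
  awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$bundle" > "$work/key.pem"

  [ -f "$work/cert-01.pem" ] || { echo "no certificate found in $bundle"; return 1; }
  [ -s "$work/key.pem" ]     || { echo "no private key found in $bundle"; return 1; }

  for c in "$work"/cert-*.pem; do
    echo "== $(basename "$c")"
    openssl x509 -in "$c" -noout -subject -issuer -enddate
  done

  # the key must belong to the first certificate: compare the public keys
  key_pub=$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null | openssl sha256)
  leaf_pub=$(openssl x509 -in "$work/cert-01.pem" -noout -pubkey | openssl sha256)
  [ "$key_pub" = "$leaf_pub" ] || { echo "private key does not match the first certificate"; return 1; }

  # every other certificate in the bundle is treated as a trust anchor for
  # the leaf; -partial_chain lets an intermediate-only bundle pass, so this
  # is a check of internal consistency, not of public trust
  : > "$work/chain.pem"
  for c in "$work"/cert-*.pem; do
    [ "$c" = "$work/cert-01.pem" ] || cat "$c" >> "$work/chain.pem"
  done
  if [ -s "$work/chain.pem" ]; then
    openssl verify -partial_chain -CAfile "$work/chain.pem" "$work/cert-01.pem" || {
      echo "leaf does not chain to the other certificates in the bundle"; return 1; }
  else
    echo "warning: bundle holds only the leaf, slapd will send no issuer certificate"
  fi
  rm -rf "$work"
  echo "bundle OK"
}

# make_demo_bundle [wrong]
#   Constructed helper: builds a demo issuer + leaf pair and prints the path
#   of a bundle laid out like the one in the thread (leaf cert, issuer cert,
#   private key). With the argument "wrong" the issuer's key is bundled
#   instead of the leaf's, to show what a key/certificate mismatch looks like.
make_demo_bundle() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuer" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
  key=$d/leaf.key
  [ "${1:-}" = "wrong" ] && key=$d/ca.key
  cat "$d/leaf.pem" "$d/ca.pem" "$key" > "$d/bundle.pem"
  echo "$d/bundle.pem"
}
```

Against a real server the call is simply `check_bundle /etc/ldap/tls/multi.deverywa.re.pem`. The ordering check matters because a combined file must start with the leaf: a bundle whose first certificate is the issuer, or whose key belongs to last year's leaf, is rejected by this script for the same reason the TLS library rejects it, and the per-certificate subject/issuer listing makes a changed intermediate visible at a glance.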