On 2020-06-02 17:16, phei@isc.upenn.edu wrote:
> Not sure if this is an openldap issue but have to examine everything we
> can.
>
> We revised our nss certificate store as part of addressing the
> expiration of our root cert.
>
> It now has two certs, the end service cert and the intermediate.
> Basic client operations (ldapsearch) work fine; using -d1 shows that
> the appropriate service certificate is loaded and the search is
> successful.
>
> But if we run an 'openssl s_client -showcerts' against the host and
> port 636, we continue to see the expired root certificate even though
> it's not in the nss store configured chain. This is causing issues
> for some applications (mainly java based) so we're just trying to
> understand where the expired root would be coming from if it's not in
> the openldap server configuration.
To put it mildly, it is unlikely that it is openldap. It is most likely
that it will be the underlying SSL support that you need to understand.
You don't tell us whether you are using a distribution build, which
distribution, or whether you are using GNUTLS or OpenSSL. As I
remember with GNUTLS you have to put everything in one file. Just
don't put the bad CA cert in the file. With OpenSSL it can be a bit
tricky if you are just pointing to the cert directory. You would
need to make sure that you purge the cert directory of any bad/expired
certs.
A warning about my SSL advice. It has been a while since I actually
tested SSL client connections to OpenLDAP, I use GSSAPI/Kerberos
for authentication and connection privacy.
I got bit by this on some of my web servers. I was able to solve it by
downloading a new root cert bundle from the CA for my web servers.
(https://www.ssls.com/) But, I never could get the new cert chain to
work on my webkdc. I think it was because of a limitation of the
perl LWP module. But, it also might have been because the expired
root CA was in the ca-certificates package on debian/ubuntu and it
was not an option to delete that package. (That package has since
been patched. If you are on a debian system you might try just
installing the ca-certificates update.)
It was never clear what the problem was and the support was
abysmal. If it's not a web server they just don't have a clue.
In the end I solved my problem by abandoning that CA and just going
to https://letsencrypt.org/ and getting a free cert from them. I
spent a couple of hours on a chat with support and never resolved
the issue. I spent about 15 minutes getting and installing a
cert from Let's Encrypt which solved my problem.
I would recommend that you drop that CA. They handled this
transition extremely poorly.
Bill
--
Bill MacAllister <bill@ca-zephyr.org>
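The thread's diagnostic step is to look at what the server actually sends (`openssl s_client -showcerts`) and then purge any expired certificate from the bundle file (GnuTLS) or cert directory (OpenSSL) it is being served from. The script below is an added example, not code from either poster: it reads an `s_client -showcerts` transcript or a PEM bundle, walks each certificate's DER with a minimal ASN.1 reader (standard library only, no `cryptography` dependency), and flags every certificate whose `notAfter` has passed, printing its SHA-256 fingerprint so it can be matched against the store. The function names (`report`, `validity`, `pem_blocks`) and the three sample certificates are mine; the samples are constructed, unsigned shells with only the validity field filled in, so the parser can be exercised offline.

```python
"""Flag expired certificates in a PEM bundle or 'openssl s_client -showcerts' output.

Added example, not from the thread. Standard library only: a minimal DER walker
reaches the Validity field of each certificate (RFC 5280 TBSCertificate layout).
"""
import base64
import hashlib
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in text; any other
    lines (s_client chatter, GnuTLS bundle comments) are ignored."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _asn1_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY>=50 -> 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der):
    """Return (not_before, not_after) of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, cstart, _ = _tlv(der, 0)             # outer Certificate SEQUENCE
    _, tstart, tend = _tlv(der, cstart)     # tbsCertificate SEQUENCE
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3)
        fields = fields[1:]
    _, vstart, vend = fields[3]             # serial=0, sigalg=1, issuer=2, validity=3
    return tuple(_asn1_time(t, der[s:e]) for t, s, e in _children(der, vstart, vend))


def report(text, now=None):
    """One row per certificate in text, flagged expired if notAfter < now."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for i, der in enumerate(pem_blocks(text)):
        not_before, not_after = validity(der)
        rows.append({"index": i, "sha256": hashlib.sha256(der).hexdigest(),
                     "not_before": not_before, "not_after": not_after,
                     "expired": not_after < now})
    return rows


# ---- constructed sample data (no real keys or signatures; parser exercise only) ----
def _der(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + length + payload


def _sample_cert(not_before, not_after):
    """Syntactically minimal v3 certificate shell with empty names and a fake signature."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                      # version v3
                     + _der(0x02, b"\x01")                                # serialNumber
                     + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
                     + _der(0x30, b"")                                    # issuer (empty Name)
                     + _der(0x30, utc(not_before) + utc(not_after))       # validity
                     + _der(0x30, b"") + _der(0x30, b""))                 # subject, SPKI placeholders
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"


SAMPLE_SHOWCERTS = (
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = ldap.example.edu (constructed)\n"
    + _sample_cert(datetime(2020, 1, 1), datetime(2021, 1, 1))
    + " 1 s:CN = Example Intermediate (constructed)\n"
    + _sample_cert(datetime(2015, 1, 1), datetime(2025, 1, 1))
    + " 2 s:CN = Example Root CA (constructed, expired)\n"
    + _sample_cert(datetime(2000, 5, 30), datetime(2020, 5, 30))
)

if __name__ == "__main__":
    # usage: openssl s_client -connect host:636 -showcerts </dev/null >chain.txt; python3 check_chain.py chain.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOWCERTS
    for row in report(text):
        print(f"[{row['index']}] {'EXPIRED' if row['expired'] else 'ok     '} notAfter={row['not_after']:%Y-%m-%d} sha256={row['sha256'][:16]}...")
```

Run against a captured transcript, the fingerprint of any `EXPIRED` row is what to look for (and remove) in the server's configured bundle or cert directory; if it is absent there, the reply's point stands and the stale root is coming from the TLS library's system trust store rather than from the OpenLDAP configuration.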