On Mon, Sep 25, 2023 at 12:53 PM Jérôme BECOT jerome.becot@deveryware.com wrote:
Hello,
We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration:
# config dn: cn=config olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem
The file is a bundle containing both the certificates (wildcard and it's issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now.
We tried to set LogLevel to any, but nothing really showed in the log. On the server side:
slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing
On the client side (localhost):
openssl s_client -connect localhost:636 -servername ldap.deverywa.re
openssl s_client -connect ldap.deverywa.re:636 -servername ldap.deverywa.re
Otherwise, the certificate needs to include the name 'localhost' in Subject Alt Names.
CONNECTED(00000003) 140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 315 bytes
0 bytes read means s_client did not get a response from the server.
Try the usual suspects. Ensure there's something listening on the port, ensure a firewall is not blocking the port, ensure TLS is enabled, etc.
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1695652388 Timeout : 300 (sec) Verify return code: 0 (ok)
We still use 2048 RSA key to generate the certificates. We have checked permissions and it is fine. How could I debug what's wrong on the server side ?
Jeff