Re: openldap proxy giving TLS certificate error

On Tue, Nov 13, 2018 at 4:48 AM Dameon Wagner dameon.wagner@it.ox.ac.uk wrote:

On Mon, Nov 12 2018 at 20:02:05 -0500, vadud3@gmail.com scribbled in "openldap proxy giving TLS certificate error":

...

I am failing to authenticate through ldap proxy and I am seeing this

error

...

coming in continuously

*TLS certificate verification: Error, self signed certificate in certificate chain*

*TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self

signed

...

certificate in certificate chain).*

Any suggestions how to resolve this?

Here is my slapd.conf.

<SNIP> > > TLSCACertificateFile /root/data/certs/ldap.crt > > TLSCertificateFile /root/data/certs/ldap.crt > > TLSCertificateKeyFile /root/data/certs/ldap.key <SNIP> > > I generate the certificate using this command > > *openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout > /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj > "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US > <http://host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US>"* > > So I recreated against the same IT ldap server, so I do have the new > cert and keys produced same way as before.

I think the issue is that you've generated, and are using, a self-signed certificate, rather than one signed by a trusted Certificate Authority. As the error messages state, the file referenced by the "TLSCACertificateFile" option contains that cert. The purpose of the option is to specify the intermediate chain between the certificate and the trusted Root CA chain.

I note that you're using the same ldap.crt file for both "TLSCACertificateFile" and "TLSCACertificateFile" -- have you tried removing the latter entirely, as with a self-signed cert it's a little redundant?

Cheers.

Dameon.

I end up changing the config to same and just replaced this section

TLSCACertificateFile /root/data/certs/ldap.crt

TLSCertificateFile /root/data/certs/ldap.crt TLSCertificateKeyFile /root/data/certs/ldap.key

with below

TLSCertificateFile /root/data/certs/ldap.crt

TLSCertificateKeyFile /root/data/certs/ldap.key

And also needed to empty out the /etc/openldap/certs/ dir and populate with all the pem certs that we received from IT LDAP team.

All working fine now

--

...

<> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

Dr. Dameon Wagner, Unix Platform Services IT Services, University of Oxford

...

<> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><