On Tue, Nov 13, 2018 at 4:48 AM Dameon Wagner <dameon.wagner@it.ox.ac.uk> wrote:
On Mon, Nov 12 2018 at 20:02:05 -0500, vadud3@gmail.com scribbled
 in "openldap proxy giving TLS certificate error":
> I am failing to authenticate through ldap proxy and I am seeing this error
> coming in continuously
>
> *TLS certificate verification: Error, self signed certificate in
> certificate chain*
>
> *TLS: can't connect: error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate in certificate chain).*
>
> Any suggestions how to resolve this?
>
> Here is my slapd.conf.
<SNIP>
> > TLSCACertificateFile    /root/data/certs/ldap.crt
> > TLSCertificateFile      /root/data/certs/ldap.crt
> > TLSCertificateKeyFile   /root/data/certs/ldap.key
<SNIP>
>
> I generate the certificate using this command
>
> *openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout
> /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj
> "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US
> <http://host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US>"*
>
> So I recreated against the same IT ldap server, so I do have the new
> cert and keys produced same way as before.

I think the issue is that you've generated, and are using, a
self-signed certificate, rather than one signed by a trusted
Certificate Authority.  As the error messages state, the file
referenced by the "TLSCACertificateFile" option contains that cert.
The purpose of the option is to specify the intermediate chain between
the certificate and the trusted Root CA chain.

I note that you're using the same ldap.crt file for both
"TLSCACertificateFile" and "TLSCACertificateFile" -- have you tried
removing the latter entirely, as with a self-signed cert it's a little
redundant?

Cheers.

Dameon.


I end up changing the config to same and just replaced this section

TLSCACertificateFile    /root/data/certs/ldap.crt
TLSCertificateFile      /root/data/certs/ldap.crt
TLSCertificateKeyFile   /root/data/certs/ldap.key

with below

TLSCertificateFile      /root/data/certs/ldap.crt
TLSCertificateKeyFile   /root/data/certs/ldap.key

And also needed to empty out the /etc/openldap/certs/ dir and populate with all the pem certs that 
we received from IT LDAP team. 

All working fine now

  
--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><




--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?