It looks like the algorithm used by the provider to generate the certificates is not supported by this old version of gnutls.

Running gnutls-serv (gnutls 3.0) with the bundle: Server is starting but fails upon requests: |<1>| Could not find an appropriate certificate: Insufficient credentials for that request.

Running gnutls-serv (gnutls 3.0) with separate files: Server does not start. Error reading 'multi.deverywa.re.pem.crt' or 'multi.deverywa.re.pem.key' Error: ASN1 parser: Error in DER parsing.

Running both bundled or separate files (same files transferred to another host) on a newer OS (gnutls 3.6) works as expected.

I guess there is no way to make it run, unless upgrading the OS.

Thank you!

On 25/09/2023 at 19:03, Howard Chu wrote:
Jérôme BECOT wrote:
Hello,

We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration:
Presumably since that's a Debian build it was built using GnuTLS. I suggest you try using gnutls-cli with your PEM file and see what works or doesn't work.
# config
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem

The file is a bundle containing both the certificates (wildcard and its issuer) and the key. Until this year we just had to upload the new bundle and restart
slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now.

We tried to set LogLevel to any, but nothing really showed in the log. On the server side:

slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing

On the client side (localhost):

openssl s_client -connect localhost:636 -servername ldap.deverywa.re
CONNECTED(00000003)
140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1695652388
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

We still use a 2048-bit RSA key to generate the certificates. We have checked permissions and they are fine. How could I debug what's wrong on the server side?

Thank you

-- 
*Jérôme BECOT*
DevOps Infrastructure Engineer

Landline: 01 82 28 37 06
Mobile: +33 757 173 193
Deveryware - 43 rue Taitbout - 75009 PARIS
https://www.deveryware.com

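As an added example (not part of this thread, and not OpenLDAP or GnuTLS code): a stdlib-only Python checker that splits a PEM bundle like the one all three olcTLS* options above point at into its blocks, verifies that each base64 payload decodes to a complete outer DER SEQUENCE, and reports the block labels (for instance a PKCS#8 "PRIVATE KEY" versus a PKCS#1 "RSA PRIVATE KEY" block). It does not tell you whether an old GnuTLS supports the signature algorithm; it answers the narrower question of whether the file is intact and what it contains, which is worth ruling out before comparing gnutls-cli results between the old and new hosts. The sample bundles are constructed from synthetic DER, not real certificates, and the function names are the example's own.

```python
"""Inspect a PEM bundle (certificates + key in one file) before handing it to slapd.

Checks: every block's base64 decodes; the decoded bytes start with a DER SEQUENCE
whose declared length matches the payload (a truncated or mangled block shows up
here); the bundle holds at least one CERTIFICATE and exactly one private key.
"""
import base64
import re
import sys

# Matches one PEM block; the backreference requires matching BEGIN/END labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return a list of (label, der_bytes) for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as e:
            raise ValueError(f"{label}: bad base64 ({e})") from e
        blocks.append((label, der))
    return blocks


def der_outer_length(der):
    """Total encoded length claimed by the outer DER TLV, or None if it is not a well-formed SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:  # X.509 certs and PKCS#1/PKCS#8 keys are all SEQUENCEs
        return None
    first = der[1]
    if first < 0x80:                    # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                    # long form: n following bytes carry the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None                     # indefinite length is BER, not DER; huge n is nonsense
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_bundle(text):
    """Return a report dict: per-block label/size/DER sanity, counts, and a list of problems."""
    report = {"blocks": [], "certs": 0, "keys": 0, "problems": []}
    for label, der in split_pem(text):
        ok = der_outer_length(der) == len(der)
        report["blocks"].append({"label": label, "size": len(der), "der_ok": ok})
        if not ok:
            report["problems"].append(f"{label}: outer DER SEQUENCE length does not match payload")
        if label == "CERTIFICATE":
            report["certs"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["keys"] += 1
            if label == "ENCRYPTED PRIVATE KEY":
                report["problems"].append("key block is passphrase-protected; an unattended daemon cannot supply it")
    if report["certs"] == 0:
        report["problems"].append("no CERTIFICATE block found")
    if report["keys"] != 1:
        report["problems"].append(f"expected exactly one private key block, found {report['keys']}")
    return report


def _pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"


# Constructed sample payloads (synthetic DER SEQUENCEs standing in for real cert/key contents).
CERT_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197   # long-form length: SEQUENCE { OCTET STRING(197) }
ISSUER_DER = b"\x30\x03\x02\x01\x05"                         # short-form length: SEQUENCE { INTEGER 5 }
KEY_DER = b"\x30\x05\x02\x01\x00\x05\x00"                    # SEQUENCE { INTEGER 0, NULL }

SAMPLE_BUNDLE = _pem("CERTIFICATE", CERT_DER) + _pem("CERTIFICATE", ISSUER_DER) + _pem("RSA PRIVATE KEY", KEY_DER)
# Same bundle with the leaf certificate's base64 cut short, as a damaged upload would be.
TRUNCATED_BUNDLE = _pem("CERTIFICATE", CERT_DER[:-10]) + _pem("RSA PRIVATE KEY", KEY_DER)


if __name__ == "__main__":
    # Usage: python3 pem_bundle_check.py /etc/ldap/tls/bundle.pem (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    rep = check_bundle(text)
    for b in rep["blocks"]:
        print(f"{b['label']:<24} {b['size']:>6} bytes  DER {'ok' if b['der_ok'] else 'BROKEN'}")
    for p in rep["problems"]:
        print("problem:", p)
```

Run it against the bundle on the old host and on the host where the same file works; identical block labels and "DER ok" on both narrows the fault to what the older library accepts inside those blocks rather than to the file itself.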