Hi,
I'm having difficulty making tools like ldapsearch accept SSL certificates signed by a Windows domain controller, even when the trust chain seems good. The problem extends to PHP, which uses openldap (PHP debug logging shows the exact same errors).
We manually trusted the CA certifcate of the domain controller:
cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates update-ca-certificates
OpenSSL approves it (it doesn't aprove without the previous step):
# openssl verify -verify_hostname PDC01.city.cmpny.local /tmp/PDC01.city.cmpny.local.crt /tmp/PDC01.city.cmpny.local.crt: OK
And:
openssl s_client -verify_hostname PDC01.city.cmpny.local -connect PDC01.city.cmpny.local:3269
CONNECTED(00000005) depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA verify return:1 depth=0 verify return:1 --- Certificate chain 0 s: i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
But ldapsearch just will not approve it:
$ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269 ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269) ldap_create ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269/??base) [..snip...] ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.105.10.10:3269 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS: peer cert untrusted or revoked (0x102) TLS: can't connect: (unknown error code). ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: (unknown error code)
Running 'strace' shows '/etc/ssl/certs/ca-certificates.crt' is properly read. Doing all the standard tricks with 'LDAPTLS_CACERT, TLS_CACERT', pointing directly to '/tmp/PDC02CA.crt', editing '/etc/ldap/ldap.conf' with all possible permutations. Nothing works, except 'TLS_REQCERT never'.
Other certificates are accepted when testing public servers. They are just https, but for SSL tests that doesn't matter. Like:
ldapsearch -d1 -H ldaps://www.google.com:443
Or
ldapsearch -d1 -H ldaps://www.amazon.co.uk:443
The latter only has the correct domain name in the 'subject alternate name', not the common name. I theorized that maybe the SAN was a cause, but this test result, and [1], show that should work fine.
If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname (blabla.com) does not match common name in certificate (www.amazon.co.uk)'. Very different from my 'peer cert untrusted or revoked'.
Could this be a bug (in GnuTLS)?
Versions:
ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Feb 18 2021 14:22:42) Ubuntu: 18.04.5 LTS libgnutls30: 3.5.18-1ubuntu1.4
Regards,
Wiebe
[1] https://www.openldap.org/lists/openldap-technical/201310/msg00167.html