On 7/28/2016 8:41 AM, Howard Chu wrote:
Nat Sincheler wrote:
>
>
> On 7/27/2016 11:19 PM, Ulrich Windl wrote:
>>>>> Nat Sincheler <fai1107(a)macrotex.net> wrote on 26.07.2016 at 17:20 in
>> message <991f77f9-fd05-eb9b-7f07-f350c4a7bc68(a)macrotex.net>:
>>
>>>
>>> On 7/25/2016 11:24 PM, Ulrich Windl wrote:
>>>>>>> Nat Sincheler <fai1107(a)macrotex.net> wrote on 25.07.2016 at 19:06 in
>>>> message <c19c2a3a-3c90-5baa-43c7-800b050ea5b7(a)macrotex.net>:
>>>>> We have an OpenLDAP server that is listening on port 636 over ldaps.
>>>>> When I run
>>>>>
>>>>> openssl s_client -showcerts -connect ldap-server:636
>>>>>
>>>>> I only see the host certificate. The intermediate and root
>>>>> certificates
>>>>> do *not* come through.
>>>>
>>>> If I do that on one of our servers, I get:
>>>> Root CA
>>>> Intermediate CA
>>>> Server Certificate
>>>>
>>>> ...
>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>> Server public key is 2048 bit
>>>>
>>>>>
>>>>> For this server I have in the file slapd.d/cn=config.ldif the setting
>>>>>
>>>>> olcTLSCACertificatePath: /etc/ssl/certs
>>>>
>>>> Hi!
>>>>
>>>> Here it works with these settings:
>>>> olcTLSCACertificatePath: /etc/ssl/certs
>>>> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
>>>> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
>>>>
>>>> Could it be a permissions problem? Did you try to check the
>>>> certificate
>>> chain with openssl (preferably as the LDAP user)?
>>>
>>> When I run the openssl s_client command I get no errors, but I also get
>>> no intermediate or root certificates sent. I see this in the output:
>>> "No
>>> client certificate CA names sent".
>>
>> Hi!
>>
>> To me it looks like a problem with your certificates. Try to verify them
>> using openssl, like this:
>> openssl verify -CApath /etc/ssl/certs -verbose
>> /etc/ssl/servercerts/slapd.pem
>> /etc/ssl/servercerts/slapd.pem: OK
>
> % grep -R Certificate *.ldif
>
> olcTLSCACertificatePath: /etc/ssl/certs
> olcTLSCertificateFile: /etc/ssl/certs/server.pem
> olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>
> % directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose
> /etc/ssl/certs/server.pem
>
> /etc/ssl/certs/server.pem: OK
>
> So, the openssl command line can find the certificate chain. Why can't
> openldap?
If your OpenLDAP build is not behaving the same as your OpenSSL build,
then most likely your OpenLDAP was not built with OpenSSL. Otherwise,
their behavior would match.
You never provided essential information such as OS platform and
OpenLDAP version, so nobody can give you definitive answers.
We are using version 2.4.42 of OpenLDAP compiled on Debian jessie, which
uses GnuTLS rather than OpenSSL.
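An added example, not from anyone in the thread: the script below builds a throwaway root -> intermediate -> server chain with the openssl command line (1.0.2 or newer assumed; the hostname ldap-server is taken from the thread, the loopback ports 14636/14637 and all file names are arbitrary choices), then shows why `openssl verify -CApath /etc/ssl/certs server.pem` reporting OK on the server host says nothing about what the server sends: the intermediate is already in that directory, so openssl finds it locally. A client that trusts only the root and receives the leaf alone fails verification, and the check that actually answers the question is the same `s_client -showcerts` the thread starts with, run here against a local listener with and without the intermediate. (The "No client certificate CA names sent" line in s_client output is unrelated to the server's chain: it lists the CAs the server would accept for client certificates.)

```shell
#!/bin/sh
# Added example, not part of the thread: a throwaway root -> intermediate -> leaf PKI
# built with the openssl CLI (1.0.2 or newer assumed), used to show that
# "openssl verify -CApath ... : OK" on the server host does not prove the LDAP server
# sends its intermediate, and how to measure what a server really sends.
set -eu

WORK=$(mktemp -d "${TMPDIR:-/tmp}/ldaps-chain-demo.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so nothing here depends on the system openssl.cnf.
req_cnf() { printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1"; }

# Constructed test PKI: Demo Root CA -> Demo Intermediate CA -> ldap-server (leaf).
build_test_pki() {
    { req_cnf "Demo Root CA"
      printf '[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n'
    } > root.cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config root.cnf \
        -extensions ca -keyout root.key -out root.pem 2>/dev/null

    req_cnf "Demo Intermediate CA" > inter.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config inter.cnf \
        -keyout inter.key -out inter.csr 2>/dev/null
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -sha256 -days 1825 -in inter.csr -CA root.pem -CAkey root.key \
        -set_serial 1001 -extfile inter.ext -out inter.pem 2>/dev/null

    req_cnf "ldap-server" > server.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config server.cnf \
        -keyout server.key -out server.csr 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:ldap-server\n' > server.ext
    openssl x509 -req -sha256 -days 825 -in server.csr -CA inter.pem -CAkey inter.key \
        -set_serial 2001 -extfile server.ext -out server-leaf.pem 2>/dev/null
}

# A hashed directory like /etc/ssl/certs that, as in the thread, already holds the
# intermediate next to the root.
make_capath() {
    mkdir -p capath
    for f in root.pem inter.pem; do
        cp "$f" "capath/$(openssl x509 -hash -noout -in "$f").0"
    done
}

# Print OK or FAIL for an openssl verify invocation (older openssl versions exit 0
# even on failure, so the verdict is taken from the output, not the exit code).
verdict() { out=$(openssl verify "$@" 2>&1 || true); case $out in *": OK"*) echo OK ;; *) echo FAIL ;; esac; }

# The thread's check: the intermediate is found locally, so this says OK ...
verify_via_capath()          { verdict -CApath capath server-leaf.pem; }
# ... but a client that trusts only the root and receives the leaf alone fails ...
verify_root_only()           { verdict -CAfile root.pem server-leaf.pem; }
# ... and succeeds once the intermediate is supplied, which is the server's job.
verify_root_plus_untrusted() { verdict -CAfile root.pem -untrusted inter.pem server-leaf.pem; }

chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Start a throwaway TLS listener on 127.0.0.1:$3 serving $1 (plus chain file $2, if
# given), query it exactly as the thread does (s_client -showcerts) and print how many
# certificates it sent. openssl s_server wants the intermediate handed over with
# -cert_chain; it does not read extra certificates appended to the -cert file.
certs_sent_by_server() {
    cert=$1; chain=${2:-}; port=$3
    if [ -n "$chain" ]; then
        openssl s_server -accept "$port" -naccept 1 -cert "$cert" -key server.key \
            -cert_chain "$chain" -www >/dev/null 2>&1 &
    else
        openssl s_server -accept "$port" -naccept 1 -cert "$cert" -key server.key \
            -www >/dev/null 2>&1 &
    fi
    pid=$!
    sleep 1
    n=$(openssl s_client -showcerts -connect "127.0.0.1:$port" </dev/null 2>/dev/null \
        | grep -Ec '^ *[0-9]+ s:' || true)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$n"
}

build_test_pki
make_capath
# Chain file, leaf first, then the intermediate: the layout a GnuTLS-built slapd
# expects in olcTLSCertificateFile if it is to send the intermediate.
cat server-leaf.pem inter.pem > server.pem

echo "openssl verify -CApath capath server-leaf.pem     : $(verify_via_capath)"
echo "client trusting only the root, leaf sent alone    : $(verify_root_only)"
echo "client trusting only the root, leaf + intermediate: $(verify_root_plus_untrusted)"
echo "certificates in server.pem                        : $(chain_cert_count server.pem)"
echo "certs sent by a local server, leaf only           : $(certs_sent_by_server server-leaf.pem '' 14636)"
echo "certs sent by a local server, leaf + intermediate : $(certs_sent_by_server server-leaf.pem inter.pem 14637)"
```

The first three lines of output are the point: the CApath verify passes only because the intermediate sits in that directory, while a client holding just the root rejects a leaf-only handshake. The last two lines are the measurement to run against a real ldaps port (substitute `ldap-server:636` for the loopback listener): if `s_client -showcerts` lists one certificate, the server is not sending the intermediate, whatever `openssl verify` says on the server host. With GnuTLS, slapd loads the leaf and any certificates appended after it from olcTLSCertificateFile, so a file assembled like the `cat` line above is what that setting should point at; an intermediate dropped into /etc/ssl/certs only helps a build that, as Howard notes, behaves like the openssl tool and completes the chain from its CA store.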