On Mon, Nov 12 2018 at 20:02:05 -0500, vadud3@gmail.com scribbled in "openldap proxy giving TLS certificate error":
I am failing to authenticate through ldap proxy and I am seeing this error coming in continuously
*TLS certificate verification: Error, self signed certificate in certificate chain*
*TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).*
Any suggestions how to resolve this?
Here is my slapd.conf.
<SNIP>
TLSCACertificateFile /root/data/certs/ldap.crt
TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key
<SNIP>
I generate the certificate using this command
*openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"*
So I recreated against the same IT ldap server, so I do have the new cert and keys produced the same way as before.
I think the issue is that you've generated, and are using, a self-signed certificate, rather than one signed by a trusted Certificate Authority. As the error messages state, the file referenced by the "TLSCACertificateFile" option contains that cert. The purpose of the option is to specify the intermediate chain between the certificate and the trusted Root CA chain.
I note that you're using the same ldap.crt file for both "TLSCertificateFile" and "TLSCACertificateFile" -- have you tried removing the latter entirely, as with a self-signed cert it's a little redundant?
Cheers.
Dameon.
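As an added check that is not part of the thread: the script below regenerates a self-signed certificate with the poster's command and runs the same verification an LDAP client performs, first against an empty trust set (what a client without TLS_CACERT in ldap.conf effectively has for this cert) and then with ldap.crt itself as the trust file. It assumes openssl is on PATH; the working directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes openssl (1.1.0 or newer) is on PATH.
set -eu

WORK="${TMPDIR:-/tmp}/ldap-tls-demo.$$"
mkdir -p "$WORK"

# Same command as the original post (constructed paths).
gen_selfsigned() {
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.crt" \
    -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US" \
    >/dev/null 2>&1
}

# Verify ldap.crt against an explicit trust file; prints "ok" or "fail".
# The client-side equivalent is TLS_CACERT in ldap.conf pointing at the
# issuer, which for a self-signed cert is the cert itself.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/ldap.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Verify with the default CA file and directory disabled, i.e. an empty
# trust set. A self-signed cert nobody else signed must fail here, which
# is the "self signed certificate in certificate chain" error from the post.
verify_empty_trust() {
  if openssl verify -no-CAfile -no-CApath "$WORK/ldap.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

gen_selfsigned
echo "empty trust set    : $(verify_empty_trust)"
echo "ldap.crt as CAfile : $(verify_against "$WORK/ldap.crt")"
```

The server-side TLSCACertificateFile only controls which chain slapd sends; the client still has to trust the issuer, so either distribute ldap.crt to clients as TLS_CACERT or replace it with a certificate signed by a CA the clients already trust.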