Re: Antw: Intermediate certificates not being sent
>> Nat Sincheler <fai1107(a)macrotex.net> schrieb am
26.07.2016 um 17:20 in
Nachricht
<991f77f9-fd05-eb9b-7f07-f350c4a7bc68(a)macrotex.net>:
On 7/25/2016 11:24 PM, Ulrich Windl wrote:
>>>> Nat Sincheler <fai1107(a)macrotex.net> schrieb am 25.07.2016 um 19:06
in
> Nachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7(a)macrotex.net>:
>> We have an OpenLDAP server that is listening on port 636 over ldaps.
>> When I run
>>
>> openssl s_client -showcerts -connect ldap-server:636
>>
>> I only see the host certificate. The intermediate and root certificates
>> do *not* come through.
>
> If I di that on one of outr servers, I get:
> Root CA
> Intermediate CA
> Server Certificate
>
> ...
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
>
>>
>> For this server I have in the file slapd.d/cn=config.ldif the setting
>>
>> olcTLSCACertificatePath: /etc/ssl/certs
>
> Hi!
>
> Here it works with these settings:
> olcTLSCACertificatePath: /etc/ssl/certs
> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
>
> Could it be a permissions problem? Did you try to check the certificate
chain with openssl (preferrable as LDAP user)?
When I run the openssl s_client command I get no errors, but I also get
no intermediate or root certificates sent. I see this in the output: "No
client certificate CA names sent".
Hi!
To me it looks like a problem with your certificates. Try to verify them using openssl,
like this:
openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
/etc/ssl/servercerts/slapd.pem: OK
Regards,
Ulrich
It appears that OpenLDAP is not sending the intermediate or root
certificates.
However, if I put all the intermediate and root certificates into a
single file and point olcTLSCACertificateFile at this file, those
intermediate certificates _are_ sent.
So, it appears that olcTLSCACertificateFile sends the certificates but
but olcTLSCACertificatePath does not.
Am I misunderstanding the purpose olcTLSCACertificatePath?
Thanks.
>
> Regards,
> Ulrich
>
>>
>> I checked and all the intermediate and root certificates are in
>> /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g.,
>>
>> lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 ->
>> /etc/ssl/certs/incommon-usertrust-2024.pem
>>
>> Any idea why the intermediate and root certificates do not get sent to
>> the LDAPS client? Is there something in the LDAP log that might give me
>> a clue as to what is going on?
>
>
>
>