Nat Sincheler wrote:
On 7/27/2016 11:19 PM, Ulrich Windl wrote:
>>>> Nat Sincheler <fai1107(a)macrotex.net> wrote on 26.07.2016 at 17:20 in
> message <991f77f9-fd05-eb9b-7f07-f350c4a7bc68(a)macrotex.net>:
>
>>
>> On 7/25/2016 11:24 PM, Ulrich Windl wrote:
>>>>>> Nat Sincheler <fai1107(a)macrotex.net> wrote on 25.07.2016 at 19:06 in
>>> message <c19c2a3a-3c90-5baa-43c7-800b050ea5b7(a)macrotex.net>:
>>>> We have an OpenLDAP server that is listening on port 636 over ldaps.
>>>> When I run
>>>>
>>>> openssl s_client -showcerts -connect ldap-server:636
>>>>
>>>> I only see the host certificate. The intermediate and root certificates
>>>> do *not* come through.
>>>
>>> If I do that on one of our servers, I get:
>>> Root CA
>>> Intermediate CA
>>> Server Certificate
>>>
>>> ...
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 2048 bit
>>>
>>>>
>>>> For this server I have in the file slapd.d/cn=config.ldif the setting
>>>>
>>>> olcTLSCACertificatePath: /etc/ssl/certs
>>>
>>> Hi!
>>>
>>> Here it works with these settings:
>>> olcTLSCACertificatePath: /etc/ssl/certs
>>> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
>>> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
>>>
>>> Could it be a permissions problem? Did you try to check the certificate
>>> chain with openssl (preferably as LDAP user)?
>>
>> When I run the openssl s_client command I get no errors, but I also get
>> no intermediate or root certificates sent. I see this in the output: "No
>> client certificate CA names sent".
>
> Hi!
>
> To me it looks like a problem with your certificates. Try to verify them
> using openssl, like this:
> openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
> /etc/ssl/servercerts/slapd.pem: OK
% grep -R Certificate *.ldif
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
% directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
/etc/ssl/certs/server.pem: OK
So, the openssl command line can find the certificate chain. Why can't openldap?
If your OpenLDAP build is not behaving the same as your OpenSSL build, then
most likely your OpenLDAP was not built with OpenSSL. Otherwise, their
behavior would match.
You never provided essential information such as OS platform and OpenLDAP
version, so nobody can give you definitive answers.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
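Added example, not code from the thread or from the OpenLDAP project: three small shell checks for the situation discussed above. They classify the chain in `openssl s_client -showcerts` output, count the PEM certificates in the file named by olcTLSCertificateFile, and report whether slapd links against OpenSSL or GnuTLS (the usual alternative build, which is Howard's point). The host name, file paths and the sample output are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): checks for the symptom discussed
# above. Each function reads text on stdin, so it works on saved output too.

# Count PEM certificate blocks, e.g. in the file named by olcTLSCertificateFile
# or in the output of `openssl s_client -showcerts`.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { c++ } END { print c + 0 }'
}

# Classify the "Certificate chain" section printed by `openssl s_client -showcerts`:
# none, leaf-only, partial (intermediates but no self-signed root) or full.
# Only the subject ("s:") and issuer ("i:") strings of each entry are compared.
classify_chain() {
    awk '
        /^Certificate chain/      { inchain = 1; next }
        inchain && /^---$/        { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        END {
            if (n == 0)                 { print "none" }
            else if (subj[n] == iss[n]) { print "full" }
            else if (n == 1)            { print "leaf-only" }
            else                        { print "partial" }
        }'
}

# Guess the TLS library slapd links against from `ldd "$(command -v slapd)"`
# output: openssl, gnutls or unknown. A non-OpenSSL build is one reason the
# openssl command line and slapd can disagree about the same certificate files.
slapd_tls_library() {
    awk '
        /libssl\.so/    { lib = "openssl" }
        /libgnutls\.so/ { lib = "gnutls" }
        END { if (lib == "") lib = "unknown"; print lib }'
}

# Constructed sample: a server that sends only its host certificate (the symptom).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:/C=US/O=Example/CN=ldap-server.example.com
   i:/C=US/O=Example/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificate
-----END CERTIFICATE-----
---
Server certificate'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | classify_chain    # leaf-only
```

For a live check, pipe `openssl s_client -showcerts -connect ldap-server:636 </dev/null 2>/dev/null` into classify_chain, the certificate file into count_pem_certs, and `ldd "$(command -v slapd)"` into slapd_tls_library.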