I am failing to authenticate through ldap proxy and I am seeing this error coming in continuously
*TLS certificate verification: Error, self signed certificate in certificate chain*
*TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).*
Any suggestions how to resolve this?
Here is my slapd.conf.
### Schema includes ##########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap

# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
sizelimit unlimited
TLSCACertificateFile /root/data/certs/ldap.crt
TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key

### Database definition (Proxy to Corp LDAP) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldaps://192.168.1.100:636"
suffix "ou=People,dc=example,dc=net"

### Logging ###################################################################
loglevel 0

It had been working until last week when IT changed their ldap certificate
I generate the certificate using this command
*openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"*
So I recreated against the same IT ldap server, so I do have the new cert and keys produced same way as before.
All new authentications are failing now.
On Mon, Nov 12 2018 at 20:02:05 -0500, vadud3@gmail.com scribbled in "openldap proxy giving TLS certificate error":
> I am failing to authenticate through ldap proxy and I am seeing this error coming in continuously
> *TLS certificate verification: Error, self signed certificate in certificate chain*
> *TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).*
> Any suggestions how to resolve this?
> Here is my slapd.conf.
<SNIP>
> TLSCACertificateFile /root/data/certs/ldap.crt
> TLSCertificateFile /root/data/certs/ldap.crt
> TLSCertificateKeyFile /root/data/certs/ldap.key
<SNIP>
> I generate the certificate using this command
> *openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"*
> So I recreated against the same IT ldap server, so I do have the new cert and keys produced same way as before.
I think the issue is that you've generated, and are using, a self-signed certificate, rather than one signed by a trusted Certificate Authority. As the error messages state, the file referenced by the "TLSCACertificateFile" option contains that cert. The purpose of the option is to specify the intermediate chain between the certificate and the trusted Root CA chain.
I note that you're using the same ldap.crt file for both "TLSCACertificateFile" and "TLSCACertificateFile" -- have you tried removing the latter entirely, as with a self-signed cert it's a little redundant?
Cheers.
Dameon.
On Tue, Nov 13, 2018 at 4:48 AM Dameon Wagner dameon.wagner@it.ox.ac.uk wrote:
> On Mon, Nov 12 2018 at 20:02:05 -0500, vadud3@gmail.com scribbled in "openldap proxy giving TLS certificate error":
> > I am failing to authenticate through ldap proxy and I am seeing this error coming in continuously
> > *TLS certificate verification: Error, self signed certificate in certificate chain*
> > *TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).*
> > Any suggestions how to resolve this?
> > Here is my slapd.conf.
> <SNIP>
> > TLSCACertificateFile /root/data/certs/ldap.crt
> > TLSCertificateFile /root/data/certs/ldap.crt
> > TLSCertificateKeyFile /root/data/certs/ldap.key
> <SNIP>
> > I generate the certificate using this command
> > *openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"*
> > So I recreated against the same IT ldap server, so I do have the new cert and keys produced same way as before.
> I think the issue is that you've generated, and are using, a self-signed certificate, rather than one signed by a trusted Certificate Authority. As the error messages state, the file referenced by the "TLSCACertificateFile" option contains that cert. The purpose of the option is to specify the intermediate chain between the certificate and the trusted Root CA chain.
> I note that you're using the same ldap.crt file for both "TLSCACertificateFile" and "TLSCACertificateFile" -- have you tried removing the latter entirely, as with a self-signed cert it's a little redundant?
> Cheers.
> Dameon.
I ended up changing the config to the same and just replaced this section
TLSCACertificateFile /root/data/certs/ldap.crt
TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key
with below
TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key
And also needed to empty out the /etc/openldap/certs/ dir and populate with all the pem certs that we received from IT LDAP team.
All working fine now
--
<> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services IT Services, University of Oxford
<> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
openldap-technical@openldap.org
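
The failure and the fix discussed in this thread can be reproduced offline with openssl alone. The script below is an added example, not part of any message in the thread: it builds a constructed stand-in for the corporate CA and upstream LDAP server certificate (the names "Demo Corp Root CA" and "ldap.corp.example" are assumptions), generates the proxy's self-signed ldap.crt as in the original post, and checks the upstream chain against each as the trust file.

```shell
#!/bin/sh
# Added example; every subject name and file here is constructed for the demo.

make_demo_pki() {  # $1 = working directory
    d=$1
    # Stand-in for the corporate CA behind the upstream LDAP server.
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Demo Corp Root CA" \
        -keyout "$d/corp-ca.key" -out "$d/corp-ca.crt" 2>/dev/null
    # Upstream server certificate, issued by that CA.
    openssl req -nodes -newkey rsa:2048 -subj "/CN=ldap.corp.example" \
        -keyout "$d/upstream.key" -out "$d/upstream.csr" 2>/dev/null
    openssl x509 -req -in "$d/upstream.csr" -days 30 -CA "$d/corp-ca.crt" \
        -CAkey "$d/corp-ca.key" -CAcreateserial -out "$d/upstream.crt" 2>/dev/null
    # The proxy's own self-signed certificate, generated as in the thread.
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US" \
        -keyout "$d/ldap.key" -out "$d/ldap.crt" 2>/dev/null
}

# True when the certificate's issuer is its own subject (self-issued).
is_self_issued() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# True when the upstream chain validates against trust file $1.
# -untrusted supplies the root the way a server sending its full chain would.
upstream_verifies() {  # $1 = trust file, $2 = working directory
    openssl verify -CAfile "$1" -untrusted "$2/corp-ca.crt" \
        "$2/upstream.crt" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
for trust in ldap.crt corp-ca.crt; do
    if upstream_verifies "$DEMO_DIR/$trust" "$DEMO_DIR"; then
        echo "trust=$trust: upstream chain verifies"
    else
        echo "trust=$trust: upstream chain rejected"
    fi
done
```

Against a live server, the certificates it actually presents can be listed with `openssl s_client -connect host:636 -showcerts` and checked the same way.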