I'm not certain the hack redhat added to force openldap to use nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear to just use the PEM certs they would have used as if redhat never messed with forcing openldap to use nss, but rather left it at openssl. I did check and slapd is linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
The fix for this might be as simple as linking the PEM version of the updated cert store into the directory where openldap is looking.
On Wed, Jun 3, 2020 at 11:32 AM Quanah Gibson-Mount quanah@symas.com wrote:
--On Wednesday, June 3, 2020 8:15 PM +0300 Леонид Юрьев leo@yuriev.ru wrote:
Seems this is https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration.
Since RHEL6 is in use here, specifically see the linked tweet for Fedora/RHEL in the above post.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 6/3/20 8:35 PM, Dale Thompson - NOAA Federal wrote:
I'm not certain the hack redhat added to force openldap to use nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear to just use the PEM certs they would have used as if redhat never messed with forcing openldap to use nss, but rather left it at openssl. I did check and slapd is linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
I vaguely remember that they have implemented a PKCS#11 module for using PEM files as key store with libnss.
Ciao, Michael.
Dale Thompson - NOAA Federal wrote:
I'm not certain the hack redhat added to force openldap to use nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear to just use the PEM certs they would have used as if redhat never messed with forcing openldap to use nss, but rather left it at openssl. I did check and slapd is linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
The fix for this might be as simple as linking the PEM version of the updated cert store into the directory where openldap is looking.
Redhat adds a custom PKCS#11 module to their NSS that lets it use PEM files. So it can use either their usual certificate DBs or plain PEM files.
Thanks, all, for your responses. Ayer's blog entry and the twitter link in it had the root (heh) explanation we were looking for.
We did in fact import the new root cert into the nss database as a way to get the broken applications to work. I'm going to continue to try the blacklist approach outlined in Christian Heimes' tweet.
Howard, I kinda figured this wasn't actually an openldap issue; do you still want the full output?
From: Howard Chu hyc@symas.com
Sent: Wednesday, June 3, 2020 2:44 PM
To: Dale Thompson - NOAA Federal dale.j.thompson@noaa.gov; openldap-technical@openldap.org
Subject: Re: ssl certificate chain
Dale Thompson - NOAA Federal wrote:
I'm not certain the hack redhat added to force openldap to use nss actually causes openldap to use the nss cert store. My rhel6 openldap servers appear to just use the PEM certs they would have used as if redhat never messed with forcing openldap to use nss, but rather left it at openssl. I did check and slapd is linked against the nss libs, but using the pem file in /etc/openldap/cacerts.
The fix for this might be as simple as linking the PEM version of the updated cert store into the directory where openldap is looking.
Redhat adds a custom PKCS#11 module to their NSS that lets it use PEM files. So it can use either their usual certificate DBs or plain PEM files.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
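The check Dale describes, finding out whether the PEM trust store that slapd actually reads (on these RHEL6 hosts the file under /etc/openldap/cacerts) still carries an expired root, can be scripted. The following is an added example, not code from this thread, from OpenLDAP or from Red Hat: it walks every certificate in a PEM bundle with a minimal stdlib DER reader and reports the ones already past notAfter; `toy_cert_pem` is a constructed, unsigned certificate skeleton (hypothetical input) so the script runs offline, and on a real host you would pass the bytes of the cacerts file instead.

```python
import base64, re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):                         # one DER element at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):             # elements nested inside a constructed value [start, end)
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime (RFC 5280 field order)."""
    tbs = _children(der, *_tlv(der, 0)[1:])[0]            # Certificate -> tbsCertificate
    fields = _children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields.pop(0)
    validity = fields[3]                                   # serialNumber, signature, issuer, validity
    tag, s, e = _children(der, validity[1], validity[2])[1]
    text = der[s:e].decode("ascii")
    if tag == 0x17:                                        # UTCTime YYMMDDHHMMSSZ; 50-99 means 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expired_certs(pem_bytes, now):
    """(index, notAfter) for every certificate in a PEM bundle that is already expired at `now`."""
    expired = []
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        not_after = cert_not_after(base64.b64decode(b"".join(m.group(1).split())))
        if not_after < now:
            expired.append((i, not_after))
    return expired
def _der(tag, body):                        # DER TLV encoder, used only for the constructed test input
    lb = b"" if len(body) < 128 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body
def toy_cert_pem(not_after):
    """Constructed, unsigned certificate skeleton (tbsCertificate up to validity) for offline testing."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                 # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSAEncryption
           + _der(0x30, b"") + _der(0x30, utc(not_after - timedelta(days=3650)) + utc(not_after)))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, _der(0x30, tbs)))
            + b"-----END CERTIFICATE-----\n")
```

Feeding it `open("/etc/openldap/cacerts/<bundle>", "rb").read()` with `datetime.now(timezone.utc)` lists the stale anchors that NSS's PEM module would still load, which is the situation the thread traces back to the expired AddTrust root.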