We have an OpenLDAP server that is listening on port 636 over ldaps. When I run
openssl s_client -showcerts -connect ldap-server:636
I only see the host certificate. The intermediate and root certificates do *not* come through.
For this server I have in the file slapd.d/cn=config.ldif the setting
olcTLSCACertificatePath: /etc/ssl/certs
I checked and all the intermediate and root certificates are in /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g.,
lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 -> /etc/ssl/certs/incommon-usertrust-2024.pem
Any idea why the intermediate and root certificates do not get sent to the LDAPS client? Is there something in the LDAP log that might give me a clue as to what is going on?
Nat Sincheler fai1107@macrotex.net wrote on 25.07.2016 at 19:06 in message c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net:
If I do that on one of our servers, I get:
Root CA
Intermediate CA
Server Certificate
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Hi!
Here it works with these settings:
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
Could it be a permissions problem? Did you try to check the certificate chain with openssl (preferably as the LDAP user)?
Regards, Ulrich
On 7/25/2016 11:24 PM, Ulrich Windl wrote:
When I run the openssl s_client command I get no errors, but I also get no intermediate or root certificates sent. I see this in the output: "No client certificate CA names sent".
It appears that OpenLDAP is not sending the intermediate or root certificates.
However, if I put all the intermediate and root certificates into a single file and point olcTLSCACertificateFile at this file, those intermediate certificates _are_ sent.
So, it appears that olcTLSCACertificateFile sends the certificates but olcTLSCACertificatePath does not.
Am I misunderstanding the purpose of olcTLSCACertificatePath?
Thanks.
Nat Sincheler fai1107@macrotex.net wrote on 26.07.2016 at 17:20 in message 991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net:
Hi!
To me it looks like a problem with your certificates. Try to verify them using openssl, like this:
openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
/etc/ssl/servercerts/slapd.pem: OK
Regards, Ulrich
On 7/27/2016 11:19 PM, Ulrich Windl wrote:
% grep -R Certificate *.ldif
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
% directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem
/etc/ssl/certs/server.pem: OK
So, the openssl command line can find the certificate chain. Why can't openldap?
On Thursday, July 28, 2016 8:07:43 AM PDT, Nat Sincheler wrote:
Of course, the problem is not in OpenLDAP but the SSL library that your build of OpenLDAP is using. The chances are good that your build is using GNUTLS. GNUTLS does not support a CA Certificate Path, you have to put all of the CA cert chain in a single file and use olcTLSCACertificateFile instead.
Bill
openldap-technical@openldap.org
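As an added example (not code from the thread or from OpenLDAP), here is a small Python check that can be run over saved `openssl s_client -showcerts` output to report which issuers the server failed to send, i.e. the symptom discussed above before the chain was moved into a single olcTLSCACertificateFile. The two sample outputs, their subject names and the placeholder PEM bodies are constructed.

```python
import re
# Constructed sample of `openssl s_client -showcerts` output, as in the thread:
# only the host certificate is sent (PEM bodies are placeholders, not real certs).
LEAF_ONLY = """\
Certificate chain
 0 s:/CN=ldap-server
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
No client certificate CA names sent
"""
# Constructed sample after the whole CA chain was put into one olcTLSCACertificateFile.
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=ldap-server
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
"""

# One "N s:<subject>" line followed by an "i:<issuer>" line per presented certificate.
ENTRY_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(s.strip(), i.strip()) for s, i in ENTRY_RE.findall(showcerts_output)]

def missing_issuers(chain, trusted=()):
    """Issuers the server did not send: each issuer must be a later subject,
    self-signed (a root) or already in the client's trust store (`trusted`)."""
    known = {s for s, _ in chain} | set(trusted)
    return [i for s, i in chain if i != s and i not in known]

def chain_is_complete(showcerts_output, trusted=()):
    chain = parse_chain(showcerts_output)
    return bool(chain) and not missing_issuers(chain, trusted)
```

Note that the "No client certificate CA names sent" line in the output concerns client-certificate authentication hints, not the server chain, so the check above ignores it.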