My /etc/openldap/ldap.conf file includes the following:
#TLS_CACERT /etc/pki/CA/certs/chain2root.pem
#TLS_CACERT /etc/openldap/cacerts/fc5a8fxx.0
TLS_REQCERT demand
The two CAs are from different signers, but "ldapwhoami -x -ZZ" will output Anonymous (meaning TLS/SSL is working) when either of the two TLS_CACERT lines is uncommented. Actually the first is the right one; I just didn't expect that the second one would also work.
If both are commented out, I get the following error:
ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
Can someone help me to understand what's wrong?
Dalton
On Tue, Aug 25, 2020 at 08:51:43PM -0500, Dalton Zhang wrote:
Can someone help me to understand what's wrong?
Is the CA in question also present in your system-wide trust store? Configuring TLS_CACERT has the side effect of enabling the global roots as well as the specified one. See [ITS#5582].
[ITS#5582]: https://bugs.openldap.org/show_bug.cgi?id=5582
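The effect Ryan describes can be checked outside OpenLDAP by asking openssl to validate the server certificate against one CA file with the default trust store switched off. Added example, not from the thread or the OpenLDAP project; it assumes only the openssl CLI (1.1.0 or newer, for -no-CAfile/-no-CApath) and uses throwaway CA names rightca/otherca and the constructed hostname ldap.example.test:

```sh
#!/bin/sh
# Added example, not from the thread. Builds two throwaway CAs and a server
# certificate signed by only one of them, then checks that certificate against
# each CA file with the system trust store excluded, so the verdict reflects
# the named CA file alone. TLS_CACERT in ldap.conf does not isolate like this:
# per ITS#5582 the configured CA is added on top of the global roots.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the CA certificates carry CA:TRUE regardless of the
# distribution's default openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

make_ca() {   # $1 = CA name; writes $WORK/$1.key and self-signed $WORK/$1.pem
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        2>/dev/null
}

# Server key + CSR, signed by the CA named in $1, giving $WORK/server.pem
make_server_cert() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Verify server.pem against only the CA file named in $1; -no-CAfile and
# -no-CApath keep openssl from also loading the default trust store.
verify_against() {   # prints "ok" or "fail"
    if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        "$WORK/server.pem" 2>/dev/null | grep -q ': OK'; then echo ok; else echo fail; fi
}

make_ca rightca
make_ca otherca
make_server_cert rightca
echo "rightca: $(verify_against rightca)  otherca: $(verify_against otherca)"
```

Against a live server the same isolation works with openssl s_client -starttls ldap -connect host:389 -CAfile ca.pem -no-CAfile -no-CApath; if the handshake verifies only without those two flags, the trust is coming from the global roots rather than the configured file.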
Thank you, Ryan. I can confirm the statement by setting
olcTLSCACertificateFile: ""
at the server. Previously it was set with the right Root CA.
Dalton
On 8/26/20 12:12 AM, Ryan Tandy wrote:
On Tue, Aug 25, 2020 at 08:51:43PM -0500, Dalton Zhang wrote:
Can someone help me to understand what's wrong?
Is the CA in question also present in your system-wide trust store? Configuring TLS_CACERT has the side effect of enabling the global roots as well as the specified one. See [ITS#5582].
openldap-technical@openldap.org