On 11/16/2020 12:08 AM, Paul B. Henson wrote:
I just updated one of my servers running 6.7 to 6.8, and am having a
problem with openldap. I have the intermediate cert and root CA in a
file referenced by the openldap config:
TLSCACertificateFile /etc/openldap/cabundle.crt
Under 6.7 with the openldap port from that version, this results in the
chain being served:
Certificate chain
0 s:CN = ldap-netsvc.pbhware.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
However, under 6.8 with the newer openldap 2.4.53 port, only the server
cert itself is being served, not the intermediate or root:
Certificate chain
0 s:CN = ldap-netsvc.pbhware.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
This of course causes clients to fail to validate the server cert :(.
I'm running openldap 2.4.53 on other operating systems and as far as I
know there's no change in behavior with it. So I'm guessing there's an
interoperability issue between openbsd libressl and openldap that's
causing this problem?
Do I need to configure something differently? Any other suggestions?
Thanks much...
I remember seeing this commit recently. Not sure if this is your problem
or not.
https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2