On Tue, Nov 13, 2018 at 4:48 AM Dameon Wagner <[email protected]> wrote:
> On Mon, Nov 12 2018 at 20:02:05 -0500, [email protected] scribbled
> in "openldap proxy giving TLS certificate error":
> > I am failing to authenticate through ldap proxy and I am seeing this error
> > coming in continuously
> >
> > *TLS certificate verification: Error, self signed certificate in
> > certificate chain*
> >
> > *TLS: can't connect: error:14090086:SSL
> > routines:ssl3_get_server_certificate:certificate verify failed (self signed
> > certificate in certificate chain).*
> >
> > Any suggestions how to resolve this?
> >
> > Here is my slapd.conf.
> <SNIP>
> > TLSCACertificateFile /root/data/certs/ldap.crt
> > TLSCertificateFile /root/data/certs/ldap.crt
> > TLSCertificateKeyFile /root/data/certs/ldap.key
> <SNIP>
> >
> > I generate the certificate using this command
> >
> > *openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout
> > /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj
> > "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"*
> >
> > So I recreated against the same IT ldap server, so I do have the new
> > cert and keys produced same way as before.
>
> I think the issue is that you've generated, and are using, a
> self-signed certificate, rather than one signed by a trusted
> Certificate Authority. As the error messages state, the file
> referenced by the "TLSCACertificateFile" option contains that cert.
> The purpose of the option is to specify the intermediate chain between
> the certificate and the trusted Root CA chain.
>
> I note that you're using the same ldap.crt file for both
> "TLSCertificateFile" and "TLSCACertificateFile" -- have you tried
> removing the latter entirely, as with a self-signed cert it's a little
> redundant?
>
> Cheers.
>
> Dameon.
I ended up changing the config to the same and just replaced this section

TLSCACertificateFile /root/data/certs/ldap.crt
TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key

with below

TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key

And also needed to empty out the /etc/openldap/certs/ dir and populate it with all the pem certs that we received from the IT LDAP team. All working fine now.

> --
> Dr. Dameon Wagner, Unix Platform Services
> IT Services, University of Oxford

--
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
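As an added example, not code from the thread, here is a small shell lint for the before/after slapd.conf shown above: it flags the server certificate being reused as TLSCACertificateFile, and once that directive is dropped it checks that the trust directory actually holds PEM certificates (the upstream CA chain). The directive names are real slapd.conf options; the sample configs, the placeholder PEM file and the default trust directory are constructed assumptions.

```bash
#!/bin/sh
# Added example, not from the thread: lint slapd.conf TLS directives for the
# misconfiguration discussed above. Paths and sample files are constructed.

# Print the value of a slapd.conf directive (first match, case-insensitive).
slapd_directive() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Count files in a trust directory that hold at least one PEM certificate.
pem_count() {
  [ -d "$1" ] || { echo 0; return; }
  grep -ls -- '-----BEGIN CERTIFICATE-----' "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# slapd_tls_lint CONF [TRUST_DIR]: 0 = sane, 1 = server cert reused as CA, 2 = no anchors
slapd_tls_lint() {
  conf="$1"; trust_dir="${2:-/etc/openldap/certs}"
  ca_file=$(slapd_directive "$conf" TLSCACertificateFile)
  ca_path=$(slapd_directive "$conf" TLSCACertificatePath)
  cert_file=$(slapd_directive "$conf" TLSCertificateFile)
  # The thread's bug: the proxy's own self-signed cert was named as the CA
  # bundle, so the upstream server's chain could never verify against it.
  if [ -n "$ca_file" ] && [ "$ca_file" = "$cert_file" ]; then
    echo "ERROR: TLSCACertificateFile is the server certificate ($cert_file)"
    return 1
  fi
  if [ -n "$ca_file" ] || [ -n "$ca_path" ]; then
    echo "OK: trust anchors configured via ${ca_file:-$ca_path}"; return 0
  fi
  # No CA directive: the trust directory must hold the upstream CA chain.
  n=$(pem_count "$trust_dir")
  if [ "$n" -eq 0 ]; then
    echo "WARN: no CA directive and no PEM certificates in $trust_dir"; return 2
  fi
  echo "OK: no CA directive; $n PEM file(s) in $trust_dir supply the chain"
}

# Demo with constructed before/after configs and a constructed trust dir.
demo=$(mktemp -d)
printf '%s\n' 'TLSCACertificateFile /root/data/certs/ldap.crt' \
  'TLSCertificateFile /root/data/certs/ldap.crt' \
  'TLSCertificateKeyFile /root/data/certs/ldap.key' > "$demo/before.conf"
printf '%s\n' 'TLSCertificateFile /root/data/certs/ldap.crt' \
  'TLSCertificateKeyFile /root/data/certs/ldap.key' > "$demo/after.conf"
mkdir "$demo/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
  '-----END CERTIFICATE-----' > "$demo/certs/it-ca.pem"   # marker only, not a real cert
slapd_tls_lint "$demo/before.conf" "$demo/certs"; echo "rc=$?"   # rc=1
slapd_tls_lint "$demo/after.conf" "$demo/certs"; echo "rc=$?"    # rc=0
```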
