Not sure if this is an openldap issue, but we have to examine everything we can.

We revised our nss certificate store as part of addressing the expiration of 
our root cert.

It now has two certs, the end service cert and the intermediate.
Basic client operations (ldapsearch) work fine; using -d1 shows that the 
appropriate service certificate is loaded and the search is successful.

But if we run an 'openssl s_client -showcerts' against the host and port 636, 
we continue to see the expired root certificate even though it's not in the nss 
store configured chain.  This is causing issues for some applications (mainly 
java based) so we're just trying to understand where the expired root would be 
coming from if it's not in the openldap server configuration.

Thanks,

Peter

relevant bits:
#slapd.conf
# TLS/ssl
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile DirectoryLdap

#sudo certutil -d /etc/openldap/certs -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

intermediate-2024                                            ,,   
PennGroupsLdap          

#sudo certutil -d /etc/openldap/certs -L -n PennGroupsLdap
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:27:6c:70:ac:b4:5c:3d:11:05:17:d9:15:59:24:af
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbo
            r,ST=MI,C=US"
        Validity:
            Not Before: Tue Feb 05 00:00:00 2019
            Not After : Thu Feb 04 23:59:59 2021
        Subject: "CN=penngroups-dev.net.isc.upenn.edu,OU=ISC: N&T - NES - Ide
            ntity and Access Management (IAM),O=University of Pennsylvania,ST
            REET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=U
            S"
*snip*
#sudo certutil -d /etc/openldap/certs -L -n intermediate-2024
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74
        Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption
        Issuer: "CN=USERTrust RSA Certification Authority,O=The USERTRUST Net
            work,L=Jersey City,ST=New Jersey,C=US"
        Validity:
            Not Before: Mon Oct 06 00:00:00 2014
            Not After : Sat Oct 05 23:59:59 2024
        Subject: "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arb
            or,ST=MI,C=US"
*snip*

gather the openssl s_client info; why are 4 certs (depth 0->3) presented 
instead of the expected 2 (depth 0->1)?

#openssl s_client -host localhost -port 636 -showcerts 2>local.certs >> local.certs
 
#grep -A1 "s:" local.certs
0 s:/C=US/postalCode=19104/ST=PA/L=Philadelphia/street=3451 Walnut 
Street/O=University of Pennsylvania/OU=ISC: N&T - NES - Identity and Access 
Management (IAM)/CN=penngroups-dev.net.isc.upenn.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
--
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA 
Certification Authority
--
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA 
Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
--
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root

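The question above boils down to "what chain is the listener actually sending, and is a self-signed or expired root among it?" The following is an added example, not code from the original post or from the OpenLDAP project: it uses the openssl CLI (1.1.1 or later assumed) to build a throwaway root -> intermediate -> leaf chain in a temp directory, writes it out in the same leaf-first PEM layout that `openssl s_client -showcerts` prints, and then audits it: counts the certificates, flags any self-signed (root) certificate, which a server never needs to send, and lists certificates that will have expired within a given number of seconds. All subject names, file names and the deliberately short-lived root are constructed for the example; nothing here comes from the poster's NSS database.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a constructed
# root -> intermediate -> leaf chain, then audits a "-showcerts" style PEM
# file: how many certs, which are self-signed roots, which expire soon.
set -e

# make_chain DIR : root.pem (valid 1 day, on purpose), inter.pem and leaf.pem
# (365 days) under DIR, concatenated leaf-first into DIR/chain.pem.
make_chain() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"

  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
      -out "$dir/root.csr" -subj "/O=Example/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
      -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
      -out "$dir/inter.csr" -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
      -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
      -out "$dir/leaf.csr" -subj "/O=Example/CN=ldap.example.test" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
      -CAcreateserial -days 365 -out "$dir/leaf.pem" 2>/dev/null

  # Same order a server sends and s_client prints: depth 0 first.
  cat "$dir/leaf.pem" "$dir/inter.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# split_chain FILE DIR : one PEM block per file, DIR/cert0.pem is depth 0.
# Only the BEGIN..END blocks are kept, so raw s_client output works as input.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%d.pem", dir, n++) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# audit_chain FILE : one line per cert, "depth  subject  <-  issuer", with a
# marker when subject == issuer (a self-signed root in the sent chain).
audit_chain() {
  tmp=$(mktemp -d)
  split_chain "$1" "$tmp"
  for c in "$tmp"/cert*.pem; do
    depth=$(basename "$c" .pem | sed 's/cert//')
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    flag=""
    [ "$subj" = "$iss" ] && flag="  [SELF-SIGNED ROOT: a server does not need to send this]"
    printf '%s  %s  <-  %s%s\n' "$depth" "$subj" "$iss" "$flag"
  done
  rm -rf "$tmp"
}

count_certs()       { grep -c 'BEGIN CERTIFICATE' "$1" || true; }
count_self_signed() { audit_chain "$1" | grep -c 'SELF-SIGNED' || true; }

# expiring_within FILE SECONDS : subjects of certs that will have expired
# SECONDS from now (openssl x509 -checkend exits non-zero for those).
expiring_within() {
  tmp=$(mktemp -d)
  split_chain "$1" "$tmp"
  for c in "$tmp"/cert*.pem; do
    if ! openssl x509 -in "$c" -noout -checkend "$2" >/dev/null; then
      openssl x509 -in "$c" -noout -subject | sed 's/^subject=//'
    fi
  done
  rm -rf "$tmp"
}

# verify_chain DIR : does leaf.pem chain to root.pem through inter.pem?
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null
}

# Stand-alone demonstration on the constructed chain.
DEMO=$(mktemp -d)
make_chain "$DEMO"
audit_chain "$DEMO/chain.pem"
echo "certs presented: $(count_certs "$DEMO/chain.pem"), self-signed: $(count_self_signed "$DEMO/chain.pem")"
echo "expiring within 48h:"
expiring_within "$DEMO/chain.pem" 172800
rm -rf "$DEMO"
```

To run the same audit against a live listener, capture the chain once with `openssl s_client -connect host:636 -showcerts </dev/null 2>/dev/null > live.certs` and pass `live.certs` to `audit_chain` and `expiring_within`; the splitter ignores everything outside the PEM blocks. A depth-N entry whose subject equals its issuer, or one flagged by `expiring_within`, is exactly the kind of certificate a strict Java client would trip over even though the leaf itself verifies.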