
Re: Intermediate certificates not being sent



>>> Nat Sincheler <fai1107@macrotex.net> wrote on 25.07.2016 at 19:06 in
message <c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net>:
> We have an OpenLDAP server that is listening on port 636 over ldaps. 
> When I run
> 
>    openssl s_client -showcerts -connect ldap-server:636
> 
> I only see the host certificate. The intermediate and root certificates 
> do *not* come through.

If I do that on one of our servers, I get:
Root CA
Intermediate CA
Server Certificate

...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit

> 
> For this server I have in the file slapd.d/cn=config.ldif the setting
> 
> olcTLSCACertificatePath: /etc/ssl/certs

Hi!

Here it works with these settings:
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key

Could it be a permissions problem? Did you try to check the certificate chain with openssl (preferably as the LDAP user)?

Regards,
Ulrich

> 
> I checked and all the intermediate and root certificates are in 
> /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g.,
> 
>    lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 -> /etc/ssl/certs/incommon-usertrust-2024.pem
> 
> Any idea why the intermediate and root certificates do not get sent to 
> the LDAPS client? Is there something in the LDAP log that might give me 
> a clue as to what is going on?
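Added example (not from the thread and not OpenLDAP code): the two things worth checking locally before looking at slapd are what Ulrich suggests, verifying the chain with openssl, and whether the hashed links in the CApath actually resolve to the intermediate. The script below builds a throwaway three-level PKI, shows how a name like b4261fc2.0 is derived (subject-name hash plus a collision counter, which is what c_rehash / openssl rehash produces), and then verifies the leaf three ways: with the root alone (fails, no issuer), with a CApath that holds both CAs (ok), and with a leaf-plus-intermediate bundle supplied as untrusted chain material (ok). The CA names, the ldap-server hostname and the temp directory are made up here; it does not reproduce slapd's own TLS behaviour, only the verification checks.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a throwaway
# root -> intermediate -> leaf PKI with openssl, show how CApath hash
# names are formed, and verify the leaf with and without the intermediate.
# All names (Example Root CA, ldap-server, the temp dir) are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ldap-server\n' > leaf.ext

# csr <name> <subject>: fresh RSA key plus CSR in $WORK.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# make_pki: self-signed root, intermediate signed by root, leaf by intermediate.
make_pki() {
    csr root '/CN=Example Root CA'
    csr int  '/CN=Example Intermediate CA'
    csr leaf '/CN=ldap-server'
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out int.pem 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null
    # Conventional "leaf first, then its issuer" bundle, i.e. what a server
    # would have to send for a client holding only the root to verify it.
    cat leaf.pem int.pem > chain.pem
}

# link_into_capath <cert.pem> <dir>: what c_rehash / openssl rehash does for one
# file: a symlink named <subject-hash>.<n>, with n bumped on a hash collision.
link_into_capath() {
    h=$(openssl x509 -noout -hash -in "$1")
    n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$WORK/$1" "$2/$h.$n"
    echo "$h.$n"
}

# build_capath: hashed directory holding root and intermediate, like /etc/ssl/certs.
build_capath() {
    mkdir -p capath
    link_into_capath root.pem capath
    link_into_capath int.pem capath
}

# verify_leaf <mode>: prints "ok" or "fail" for one of three ways to verify leaf.pem.
# Defaults are switched off so only the material named here is trusted.
verify_leaf() {
    case "$1" in
        root-only) set -- openssl verify -no-CAfile -no-CApath -CAfile root.pem leaf.pem ;;
        capath)    set -- openssl verify -no-CAfile -no-CApath -CApath capath leaf.pem ;;
        chainfile) set -- openssl verify -no-CAfile -no-CApath -CAfile root.pem \
                          -untrusted chain.pem leaf.pem ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
    if "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# count_certs <bundle.pem>: how many certificates a bundle carries.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

make_pki
build_capath
for mode in root-only capath chainfile; do
    printf '%-11s %s\n' "$mode:" "$(verify_leaf "$mode")"
done
```

Against the live server the equivalent client-side check is `openssl s_client -connect ldap-server:636 -showcerts -CApath /etc/ssl/certs` and reading the "Verify return code" line; run it as the user slapd runs as, as Ulrich suggests, so that unreadable files or links in the CApath show up the same way they would for slapd.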