
Re: Antw: Intermediate certificates not being sent



>>> Nat Sincheler <fai1107@macrotex.net> schrieb am 26.07.2016 um 17:20 in
Nachricht <991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net>:

> 
> On 7/25/2016 11:24 PM, Ulrich Windl wrote:
>>>>> Nat Sincheler <fai1107@macrotex.net> schrieb am 25.07.2016 um 19:06 in
>> Nachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net>:
>>> We have an OpenLDAP server that is listening on port 636 over ldaps.
>>> When I run
>>>
>>>    openssl s_client -showcerts -connect ldap-server:636
>>>
>>> I only see the host certificate. The intermediate and root certificates
>>> do *not* come through.
>>
>> If I do that on one of our servers, I get:
>> Root CA
>> Intermediate CA
>> Server Certificate
>>
>> ...
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 2048 bit
>>
>>>
>>> For this server I have in the file slapd.d/cn=config.ldif the setting
>>>
>>> olcTLSCACertificatePath: /etc/ssl/certs
>>
>> Hi!
>>
>> Here it works with these settings:
>> olcTLSCACertificatePath: /etc/ssl/certs
>> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
>> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
>>
>> Could it be a permissions problem? Did you try to check the certificate
>> chain with openssl (preferably as LDAP user)?
> 
> When I run the openssl s_client command I get no errors, but I also get 
> no intermediate or root certificates sent. I see this in the output: "No 
> client certificate CA names sent".

Hi!

To me it looks like a problem with your certificates. Try to verify them using openssl, like this:
openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
/etc/ssl/servercerts/slapd.pem: OK

Regards,
Ulrich

> 
> It appears that OpenLDAP is not sending the intermediate or root 
> certificates.
> 
> However, if I put all the intermediate and root certificates into a 
> single file and point olcTLSCACertificateFile at this file, those 
> intermediate certificates _are_ sent.
> 
> So, it appears that olcTLSCACertificateFile sends the certificates but
> olcTLSCACertificatePath does not.
> 
> Am I misunderstanding the purpose of olcTLSCACertificatePath?
> 
> Thanks.
> 
> 
>>
>> Regards,
>> Ulrich
>>
>>>
>>> I checked and all the intermediate and root certificates are in
>>> /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g.,
>>>
>>>    lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 ->
>>> /etc/ssl/certs/incommon-usertrust-2024.pem
>>>
>>> Any idea why the intermediate and root certificates do not get sent to
>>> the LDAPS client? Is there something in the LDAP log that might give me
>>> a clue as to what is going on?
>>
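The thread turns on what `openssl s_client -showcerts` actually shows: the original poster sees only the host certificate, Ulrich sees root, intermediate and server certificate. The script below is an added example, not code from the OpenLDAP project or from either poster; it parses the "Certificate chain" section of s_client output and walks the issuer links from the leaf upward, so a reader can tell "incomplete chain" apart from the normal case where only the root is omitted. All names, the PEM body and the `fake_showcerts` builder are constructed for the example; the function and variable names are this example's own.

```python
"""Inspect the certificate chain a TLS server actually sent, using the text
that `openssl s_client -showcerts -connect host:636` prints.  Added example
for this thread, not code from OpenLDAP or from the posters; the sample
output below is constructed with made-up names and a placeholder PEM body,
not captured from a real server."""
import re
from typing import Dict, FrozenSet, List, Tuple

# One block per certificate in the "Certificate chain" section, e.g.
#  0 s:/C=XX/O=Example Org/CN=ldap-server.example.test
#    i:/C=XX/O=Example Org/CN=Example Intermediate CA
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
ENTRY_RE = re.compile(
    r"^ *(?P<depth>\d+) s:(?P<subject>[^\n]+)\n"
    r" *i:(?P<issuer>[^\n]+)\n"
    r"(?: *[av]:[^\n]*\n)*"  # OpenSSL 3.x adds a:/v: key and validity lines
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)

# Placeholder body: constructed, not a real certificate.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
                   "-----END CERTIFICATE-----")


def fake_showcerts(pairs: List[Tuple[str, str]]) -> str:
    """Build s_client-like output for (subject, issuer) pairs, leaf first.
    Constructed test input that mimics the real layout; not openssl output."""
    blocks = [
        f" {depth} s:{subject}\n   i:{issuer}\n{PLACEHOLDER_PEM}\n"
        for depth, (subject, issuer) in enumerate(pairs)
    ]
    return (
        "CONNECTED(00000003)\n---\nCertificate chain\n"
        + "".join(blocks)
        + "---\nServer certificate\n"
        + f"subject={pairs[0][0]}\nissuer={pairs[0][1]}\n---\n"
        "No client certificate CA names sent\n---\n"
    )


def parse_chain(output: str) -> List[Dict[str, str]]:
    """Certificates the server presented, leaf (depth 0) first."""
    certs = [m.groupdict() for m in ENTRY_RE.finditer(output)]
    return sorted(certs, key=lambda c: int(c["depth"]))


def walk_chain(chain: List[Dict[str, str]],
               trusted_subjects: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Follow issuer links upward from the leaf.

    Returns ("self-signed-root", name) if the presented chain ends in a root,
    ("anchored", name) if it ends at a certificate issued by one of
    trusted_subjects (the usual case: servers normally omit the root), or
    ("incomplete", name) naming the first issuer that was neither sent nor
    trusted, which is what a client sees when intermediates are missing.
    """
    if not chain:
        return ("empty", "")
    by_subject = {c["subject"].strip(): c for c in chain}
    current, seen = chain[0], set()
    while True:
        subject, issuer = current["subject"].strip(), current["issuer"].strip()
        if subject == issuer:
            return ("self-signed-root", subject)
        if issuer in trusted_subjects:
            return ("anchored", issuer)
        if issuer in seen:
            return ("loop", issuer)
        seen.add(issuer)
        nxt = by_subject.get(issuer)
        if nxt is None:
            return ("incomplete", issuer)
        current = nxt


# Constructed names for a two-tier PKI.
LEAF = "/C=XX/O=Example Org/CN=ldap-server.example.test"
INTERMEDIATE = "/C=XX/O=Example Org/CN=Example Intermediate CA"
ROOT = "/C=XX/O=Example Org/CN=Example Root CA"

# What the original poster saw: only the host certificate is sent.
LEAF_ONLY = fake_showcerts([(LEAF, INTERMEDIATE)])
# What Ulrich saw: root, intermediate and server certificate all come through.
FULL_CHAIN = fake_showcerts([(LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT), (ROOT, ROOT)])
# The common production shape: root omitted, client is expected to trust it.
LEAF_AND_INTERMEDIATE = fake_showcerts([(LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT)])

if __name__ == "__main__":
    for label, text in [("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN),
                        ("leaf+intermediate", LEAF_AND_INTERMEDIATE)]:
        chain = parse_chain(text)
        print(f"{label}: {len(chain)} cert(s) sent ->",
              walk_chain(chain, frozenset({ROOT})))
```

For a live check, feed the output of `openssl s_client -showcerts -connect ldap-server:636 </dev/null` to `parse_chain` and pass the subjects from your CApath as `trusted_subjects`; an "incomplete" result naming the intermediate is the symptom the original poster describes. Note that the line "No client certificate CA names sent" that the poster quotes concerns client-certificate authentication (the server listed no CA names in its certificate request) and says nothing about whether the server's own chain is complete.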