Re: Antw: Intermediate certificates not being sent

[Nat Sincheler <fai1107@macrotex.net>]

On 7/28/2016 8:41 AM, Howard Chu wrote:
> Nat Sincheler wrote:
> > On 7/27/2016 11:19 PM, Ulrich Windl wrote:
> > > > > > Nat Sincheler <fai1107@macrotex.net> schrieb am 26.07.2016 um
> > > > > > 17:20 in
> > > Nachricht <991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net>:
> > >
> > > > On 7/25/2016 11:24 PM, Ulrich Windl wrote:
> > > > > > > > Nat Sincheler <fai1107@macrotex.net> schrieb am 25.07.2016 um
> > > > > > > > 19:06 in
> > > > > Nachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net>:
> > > > > > We have an OpenLDAP server that is listening on port 636 over ldaps.
> > > > > > When I run
> > > > > >
> > > > > >    openssl s_client -showcerts -connect ldap-server:636
> > > > > >
> > > > > > I only see the host certificate. The intermediate and root
> > > > > > certificates
> > > > > > do *not* come through.
> > > > >
> > > > > If I di that on one of outr servers, I get:
> > > > > Root CA
> > > > > Intermediate CA
> > > > > Server Certificate
> > > > >
> > > > > ...
> > > > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > > > Server public key is 2048 bit
> > > > >
> > > > > > For this server I have in the file slapd.d/cn=config.ldif the setting
> > > > > >
> > > > > > olcTLSCACertificatePath: /etc/ssl/certs
> > > > >
> > > > > Hi!
> > > > >
> > > > > Here it works with these settings:
> > > > > olcTLSCACertificatePath: /etc/ssl/certs
> > > > > olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
> > > > > olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
> > > > >
> > > > > Could it be a permissions problem? Did you try to check the
> > > > > certificate
> > > > chain with openssl (preferrable as LDAP user)?
> > > >
> > > > When I run the openssl s_client command I get no errors, but I also get
> > > > no intermediate or root certificates sent. I see this in the output:
> > > > "No
> > > > client certificate CA names sent".
> > >
> > > Hi!
> > >
> > > To me it looks like a problem with your certificates. Try to verify them
> > > using openssl, like this:
> > > openssl verify -CApath /etc/ssl/certs -verbose
> > > /etc/ssl/servercerts/slapd.pem
> > > /etc/ssl/servercerts/slapd.pem: OK
> >
> > %  grep -R Certificate *.ldif
> >
> > olcTLSCACertificatePath: /etc/ssl/certs
> > olcTLSCertificateFile: /etc/ssl/certs/server.pem
> > olcTLSCertificateKeyFile: /etc/ssl/private/server.key
> >
> > % directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose
> > /etc/ssl/certs/server.pem
> >
> > /etc/ssl/certs/server.pem: OK
> >
> > So, the openssl command line can find the certificate chain. Why can't
> > openldap?
>
> If your OpenLDAP build is not behaving the same as your OpenSSL build,
> then most likely your OpenLDAP was not built with OpenSSL. Otherwise,
> their behavior would match.
>
> You never provided essential information such as OS platform and
> OpenLDAP version, so nobody can give you definitive answers.

We are using version 2.4.42 of OpenLDAP compiled on Debian jessie which 
use GnuTLS rather than OpenSSL.