Re: Antw: Intermediate certificates not being sent

[Howard Chu <hyc@symas.com>]

Nat Sincheler wrote:
> On 7/27/2016 11:19 PM, Ulrich Windl wrote:
> > > > > Nat Sincheler <fai1107@macrotex.net> schrieb am 26.07.2016 um 17:20 in
> > Nachricht <991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net>:
> >
> > > On 7/25/2016 11:24 PM, Ulrich Windl wrote:
> > > > > > > Nat Sincheler <fai1107@macrotex.net> schrieb am 25.07.2016 um 19:06 in
> > > > Nachricht <c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net>:
> > > > > We have an OpenLDAP server that is listening on port 636 over ldaps.
> > > > > When I run
> > > > >
> > > > >    openssl s_client -showcerts -connect ldap-server:636
> > > > >
> > > > > I only see the host certificate. The intermediate and root certificates
> > > > > do *not* come through.
> > > >
> > > > If I di that on one of outr servers, I get:
> > > > Root CA
> > > > Intermediate CA
> > > > Server Certificate
> > > >
> > > > ...
> > > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > > Server public key is 2048 bit
> > > >
> > > > > For this server I have in the file slapd.d/cn=config.ldif the setting
> > > > >
> > > > > olcTLSCACertificatePath: /etc/ssl/certs
> > > >
> > > > Hi!
> > > >
> > > > Here it works with these settings:
> > > > olcTLSCACertificatePath: /etc/ssl/certs
> > > > olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
> > > > olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
> > > >
> > > > Could it be a permissions problem? Did you try to check the certificate
> > > chain with openssl (preferrable as LDAP user)?
> > >
> > > When I run the openssl s_client command I get no errors, but I also get
> > > no intermediate or root certificates sent. I see this in the output: "No
> > > client certificate CA names sent".
> >
> > Hi!
> >
> > To me it looks like a problem with your certificates. Try to verify them
> > using openssl, like this:
> > openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/servercerts/slapd.pem
> > /etc/ssl/servercerts/slapd.pem: OK
>
> %  grep -R Certificate *.ldif
>
> olcTLSCACertificatePath: /etc/ssl/certs
> olcTLSCertificateFile: /etc/ssl/certs/server.pem
> olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>
> % directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose
> /etc/ssl/certs/server.pem
>
> /etc/ssl/certs/server.pem: OK
>
> So, the openssl command line can find the certificate chain. Why can't openldap?

If your OpenLDAP build is not behaving the same as your OpenSSL build, then 
most likely your OpenLDAP was not built with OpenSSL. Otherwise, their 
behavior would match.

You never provided essential information such as OS platform and OpenLDAP 
version, so nobody can give you definitive answers.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/