OpenLDAP: TLS error -8179: Peer issuer is not recognized

I am not familiar with certificates and openldap. I am trying to move someone else's setup from an older OS to CentOS-6 using openldap-2.4.23. On the old OS, the LDAP connection worked without problems. Now on CentOS-6 I get the following error when doing a simple bind:

 TLS error -8179: Peer Certificate issuer is not recognized.

My /etc/openldap/ldap.conf has one line:

 TLS_CACERTDIR /etc/openldap/certs 

I tried commenting out this line and putting the following into the file instead, but this did not change the error message I received.

 tls_reqcert allow 

I also tried putting only the following line in ldap.conf, but that did not change the error either. I tried this based on the information found in this question.

 LDAPTLS_CACERT /etc/ssl/certs/ca-bundle.crt 

I copied the files to the following locations:

 /etc/pki/tls/certs/ca.crt
 /etc/pki/tls/certs/server.crt
 /etc/pki/tls/private/server.key

I have no choice but to use openldap-2.4.23. Any idea what causes this error, or what I can do to troubleshoot it?

Thanks in advance. SP

3 answers

According to http://www.zytrax.com/books/ldap/ch6/ldap-conf.html, TLS_CACERT must point to a file containing the CA cert that the client will use to verify the server certificate. You must ensure that your CA [the CA that signed your server certificate] is present in the file that TLS_CACERT points to [in your case /etc/ssl/certs/ca-bundle.crt].


I had the same error. In my case, the reason was that my client had the wrong certificate in /etc/ipa/ca.crt. To fix this, I just copied /etc/ipa/ca.crt from the KDC server to the client and the error went away.


Depending on the environment, OpenLDAP may completely ignore the value set for TLS_CACERTDIR, because GnuTLS evidently does not support this type of certificate store.

From the man page for ldap.conf(5):

 TLS_CACERTDIR <path>
     Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GnuTLS.

In my case, I suspect that GnuTLS is being used, so TLS_CACERTDIR simply does nothing. Using TLS_CACERT, pointing to a file containing the CA that signed my server's certificate, seems to have done the trick.

I think https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues is a much more complete answer.

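The following script is an added example for this thread, not code from the question or any of the answers. It reproduces the trust decision behind the error offline: it builds a throwaway CA, signs a server certificate with it, and also creates an unrelated CA, then checks with openssl whether the server certificate chains to a given CA file, which is exactly what the OpenLDAP client does with the file named by TLS_CACERT. (Error code -8179 in the question is NSS's SEC_ERROR_UNKNOWN_ISSUER, the same "issuer not in the trust store" condition.) All file names under $WORK and all subject names are constructed for the demo; the printed ldap.conf lines assume you will copy the issuing CA to a path of your choosing.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway CA and a server
# certificate signed by it, plus an unrelated "wrong" CA, then checks whether the
# server certificate chains to a given CA file: the same trust decision the
# OpenLDAP client makes with TLS_CACERT. Every file name under $WORK and every
# subject name below is constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_pki: generate ca.crt (the real issuer), other.crt (an unrelated CA, standing
# in for a stale /etc/ipa/ca.crt or a bundle that lacks the issuer) and server.crt.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/server.crt" 2>/dev/null
}

# verify_chain CAFILE CERT: exit 0 if CERT chains to a CA in CAFILE, non-zero if
# the issuer is unknown (openssl reports "unable to get local issuer certificate").
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ldap_conf CAFILE: the two ldap.conf lines that make the client trust CAFILE and
# refuse to bind when verification fails (TLS_REQCERT demand is the default).
ldap_conf() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Demo: run as `sh verify-ldap-ca.sh run`.
if [ "${1:-}" = run ]; then
  make_pki
  if verify_chain "$WORK/ca.crt" "$WORK/server.crt"; then
    echo "server.crt chains to ca.crt; matching ldap.conf:"
    ldap_conf "$WORK/ca.crt"
  fi
  if ! verify_chain "$WORK/other.crt" "$WORK/server.crt"; then
    echo "server.crt does NOT chain to other.crt: this is the 'issuer is not recognized' case"
  fi
fi
```

Against a live server the same check is `openssl s_client -connect host:636 -CAfile /path/to/ca.crt` (look for "Verify return code: 0 (ok)") or `ldapsearch -ZZ -H ldap://host -x -d 1`, which fails the same way the bind in the question does when the issuer is missing from the file named by TLS_CACERT.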

Source: https://habr.com/ru/post/973096/

