[solved] openldap TLS is not sending the intermediate cert after update

mcguppy
Posts: 5
Joined: 2018/05/14 15:48:33

Post by mcguppy » 2018/05/14 16:13:29

Hi all

These days, some of my openLDAP nodes automatically updated to CentOS 7.5. In this update, openLDAP was updated from 2.4.44-5 to 2.4.44-13 (see changelog: https://centos.pkgs.org/7/centos-x86_64 ... 4.rpm.html )

Since the update, the openLDAP server is no longer sending out the intermediate certificate.

This results in an error with all ldap operations like this:

TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Connecting with the openssl client shows me that just the server certificate itself is delivered, but the intermediate cert is not.

I have set up openLDAP with Mozilla NSS according to this doc: https://www.openldap.org/faq/data/cache/1514.html and bundled the intermediate together with the server cert before I imported it into the NSS DB.

Bundling was done by:

openssl pkcs12 -export -out server-fqdn.intermediate-chain.crt.bundle.pkcs12 -inkey server-fqdn.key.pem -in server-fqdn.intermediate-chain.crt.bundle.pem -certfile root-ca.crt.pem

Import was done by:

pk12util -d /etc/openldap/certs -i server-fqdn.intermediate-chain.crt.bundle.pkcs12

This results in:

certutil -d /etc/openldap/certs/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

OpenLDAP Server                                              CTu,u,u
Intermediate cert  nick name                                 ,,
The nick name of the server cert                             u,u,u

The according arguments in the slapd.d config look like this:

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "The nick name of the server cert"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcSizeLimit: -1
olcLogLevel: stats


All was working well for about 2 years until these updates last week.

As a workaround I could install the intermediate cert on all LDAP clients, but this is not really what I am looking for.

Can someone tell me, how I can configure openLDAP again to deliver the server cert and the intermediate cert?

Thank you very much.

Kind regards.
Last edited by mcguppy on 2018/05/18 12:39:46, edited 1 time in total.

hunter86_bg
Posts: 1222
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: openldap TLS is not sending the intermediate cert after update

Post by hunter86_bg » 2018/05/15 03:58:45

It looks like a bug to me, but I am no LDAP expert. If nobody answers here, your best approach would be to open a bug (both CentOS and Red Hat bugzillas with reference to each other).

mcguppy
Posts: 5
Joined: 2018/05/14 15:48:33

Re: openldap TLS is not sending the intermediate cert after update

Post by mcguppy » 2018/05/15 11:32:09

Thanks for the hint with the bug report.
I opened one under https://bugs.centos.org/view.php?id=14805

TrevorH
Forum Moderator
Posts: 23213
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openldap TLS is not sending the intermediate cert after update

Post by TrevorH » 2018/05/15 11:42:18

Assuming that this is a bug inherited from RHEL, you'll also want to report it on bugzilla.redhat.com. A fix for an upstream issue has to come from them.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

mcguppy
Posts: 5
Joined: 2018/05/14 15:48:33

Re: openldap TLS is not sending the intermediate cert after update

Post by mcguppy » 2018/05/15 15:28:19

Bug has been reported to Red Hat as well: https://bugzilla.redhat.com/show_bug.cgi?id=1578438

mcguppy
Posts: 5
Joined: 2018/05/14 15:48:33

Re: openldap TLS is not sending the intermediate cert after update

Post by mcguppy » 2018/05/16 08:53:59

I found two solutions for this problem.
These two solutions were not the ones I used in the end, as with these solutions NSS is still in use. Read the later post to see my final solution.
Solution 1 (with NSS):
Modify the trustargs of the intermediate certificate in the NSS cert store of the openldap server:

certutil -d /etc/openldap/certs -M -t "CT,," -n "Intermediate cert  nick name"

This adds the following trust args:
  • C - Trusted CA (implies c)
  • T - trusted CA for client authentication (ssl server only)
Solution 2 (with OS CA trust):
copy the intermediate certificate on the openldap server into the directory /etc/pki/ca-trust/source/anchors/ and perform a

update-ca-trust extract

In both solutions you have to restart openldap after the change.

Somehow it sounds logical to have these trustargs set on the intermediate certificate, but I am still wondering why it was working for the last two years without them.
I will update the bug reports accordingly and we will see, what the engineers will find out.
Last edited by mcguppy on 2018/05/18 12:39:16, edited 1 time in total.
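A small audit script for the NSS trust flags that Solution 1 above changes, added here as an example; it is not from this thread, from the OpenLDAP project or from the NSS tools. It reads a `certutil -L` listing (the sample in the self-check is the listing from the first post, constructed as inline input) and reports every entry whose SSL trust column has neither a CA flag (C or T) nor a user flag (u), which is the state the intermediate was in before the fix; the `/etc/openldap/certs` path is assumed from the thread, and the file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: audit a `certutil -L` listing for entries
# that carry no SSL trust.  With openldap 2.4.44-13 the chain slapd sends is
# built from the NSS DB, so an intermediate imported with empty trust
# attributes (",,") is left out of the TLS handshake.  Reads only; changes nothing.

# audit_nss_listing: reads a `certutil -d <dir> -L` listing on stdin and prints
# "<nickname><TAB><trust args>" for every certificate whose SSL trust column has
# neither a CA flag (C or T) nor a user flag (u).  Exit status 1 if any found.
audit_nss_listing() {
    awk '
        # skip the two header lines and blank lines
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[[:space:]]*$/ { next }
        {
            # the trust attributes are the last whitespace-separated field;
            # everything before them is the nickname (which may contain spaces)
            trust = $NF
            nick = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", nick)
            split(trust, cols, ",")
            ssl = cols[1]                      # first column = SSL trust
            if (ssl ~ /u/) next                # our own cert (has a private key)
            if (ssl ~ /C/ || ssl ~ /T/) next   # trusted CA for SSL
            printf "%s\t%s\n", nick, trust
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# trust_fix_commands DIR: turns the audit output into the certutil commands that
# would mark each flagged entry as a trusted CA for SSL (what Solution 1 above
# does by hand).  Prints the commands only; it does not run them.
trust_fix_commands() {
    audit_nss_listing | while IFS="$(printf '\t')" read -r nick trust; do
        printf 'certutil -d %s -M -t "CT,," -n "%s"\n' "$1" "$nick"
    done
}

# Usage on a real host (needs certutil): sh nss-trust-audit.sh /etc/openldap/certs
if [ $# -eq 1 ]; then
    certutil -d "$1" -L | trust_fix_commands "$1"
fi
```

The audit only flags entries; it prints the `certutil -M` line for each one so that the change can be reviewed before it is applied. Note that after the fix the intermediate is trusted as a CA by the server's own NSS store, which is only the right thing to do if that intermediate really is your CA.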

mcguppy
Posts: 5
Joined: 2018/05/14 15:48:33

Re: openldap TLS is not sending the intermediate cert after update

Post by mcguppy » 2018/05/18 12:36:05

Hi all

I would like to share here my final solution. Perhaps someone can profit from it in the future.

As discussed with Matus Honek in Red Hat Bugzilla (Bug 1578438), I finally decided to get rid of the Mozilla NSS certificate store completely and use openssl only in the future.

Pre-Conditions:
  • Openldap is already updated to version 2.4.44-13 or higher (from CentOS 7.5 on)
  • Your Mozilla NSS store is only used by openldap (otherwise, don't do the cleanup stuff at the end, as this would break other services that are probably using this NSS store)
Here are the steps I followed to perform this switchover:
  • Copy the cert key in pem form to /etc/pki/tls/private/ (I did not have to export it from the NSS store, as it was available in pem form)
  • As the keys in this directory are usually only readable by root, I made it readable for user ldap by setting an ACL:

    setfacl -m u:ldap:r /etc/pki/tls/private/dev-ad-user-sync-srv.ffhs.local.key.pem
  • Copy the cert in pem form to /etc/pki/tls/certs/ (I did not have to export it from the NSS store, as it was available in pem form)
  • Make sure others have read rights to the cert
  • Copy the root CA to /etc/pki/ca-trust/source/anchors/
  • If you use an intermediate CA cert, also copy this to /etc/pki/ca-trust/source/anchors/
  • Update the CA trust:

    update-ca-trust extract
  • Optional: grep in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to check that the CA certs were extracted into this CA bundle
  • Reconfigure openldap.

    My cn=config looked like this before the change:

    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcArgsFile: /var/run/openldap/slapd.args
    olcPidFile: /var/run/openldap/slapd.pid
    olcTLSCACertificatePath: /etc/openldap/certs
    olcTLSCertificateKeyFile: /etc/openldap/certs/password
    structuralObjectClass: olcGlobal
    entryUUID: 091e7b9a-c539-1037-9b51-07aa765fcaee
    creatorsName: cn=config
    createTimestamp: 20180326120035Z
    olcSizeLimit: -1
    olcTLSCertificateFile: "<nickname of the server cert>"
    
    I used this ldif file:

    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    -
    delete: olcTLSCACertificatePath
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/pki/tls/private/dev-ad-user-sync-srv.ffhs.local.key.pem
    -
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/pki/tls/certs/dev-ad-user-sync-srv.ffhs.local.crt.pem
    
    and executed it by:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldif/switch_openldap_from_nss_to_openssl.ldif
    After that, my cn=config looked like this:

    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcArgsFile: /var/run/openldap/slapd.args
    olcPidFile: /var/run/openldap/slapd.pid
    olcSizeLimit: -1
    olcTLSCACertificateFile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    olcTLSCertificateFile: /etc/pki/tls/certs/dev-ad-user-sync-srv.ffhs.local.crt.
     pem
    olcTLSCertificateKeyFile: /etc/pki/tls/private/dev-ad-user-sync-srv.ffhs.local
     .key.pem
Remark: according to Matus Honek, the argument olcTLSCACertificateFile is not needed, as when it is not set the system-wide trust store is used anyway. In my setup this did not work, so I stayed with it.
Then I did some cleanup:
  • remove the NSS store

    rm /etc/openldap/certs/*
  • remove the old, no longer used extracted NSS cert stuff in the /tmp folder:

    rm -rf /tmp/openldap-tlsmc-certs*
There is no need to restart anything, but I did it anyway to make sure that NSS is no longer exported to any /tmp/openldap-tlsmc-* directory; like this I was sure that NSS is completely switched off.

Testing:
  • perform some ldapsearch via ldaps, or via ldap with StartTLS
  • perform a test by openssl:

    openssl s_client -connect dev-ad-user-sync-srv.ffhs.local:636 -showcerts

    --> you should be presented with the whole cert chain and an end message like Verify return code: 0 (ok)
Congratulations, you are running openldap with openssl and have cleaned up all the NSS stuff.
Hope this is useful for someone in the future.
Kind regards, Stefan
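An added check for the testing step above (example code, not from the thread, not from OpenLDAP or OpenSSL): it splits the PEM chain a server sends, as saved from `openssl s_client -showcerts`, confirms that each certificate was issued by the next one, and verifies the server certificate against a CA bundle with the rest supplied as untrusted intermediates, which reproduces the view of a client that only has the root installed. It needs the openssl CLI; the host name, the CA bundle path and the file names are placeholders, and the self-check builds its own throwaway root/intermediate/leaf so it runs offline. A server that sends only its own certificate fails the verify step with the same "unable to get local issuer certificate" message that this thread started with.

```shell
#!/bin/sh
# Added example, not from the thread: check that the certificate chain a TLS
# server sends is complete and in the right order, using the openssl CLI.
# Input is a PEM file such as the output saved from
#   openssl s_client -connect HOST:636 -showcerts </dev/null
# HOST:PORT, the CA bundle path and the file names are placeholders.

# split_chain FILE DIR: copies each PEM certificate in FILE to DIR/cert-N.pem
# (N = 1, 2, ... in the order sent) and prints how many it found.  Text between
# the PEM blocks (the s_client chatter) is ignored.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# chain_links_ok FILE: returns 0 when certificate i was issued by certificate
# i+1 for every adjacent pair, which is the order TLS clients expect.  A chain
# in the wrong order or with a gap in it fails here.
chain_links_ok() {
    tmp=$(mktemp -d) || return 2
    n=$(split_chain "$1" "$tmp")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject)
        # drop the "issuer=" / "subject=" prefixes; the DN formatting is the
        # same for both within one openssl version
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain broken between certificate $i and $((i + 1))" >&2
            rm -rf "$tmp"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$n" -ge 1 ]
}

# chain_verifies FILE CA_BUNDLE: returns 0 when the first certificate (the
# server's) verifies against CA_BUNDLE with the remaining ones supplied as
# untrusted intermediates, i.e. the view of a client that only has the root.
# A server that sends only its own cert fails with "unable to get local issuer
# certificate", the error the thread started with.
chain_verifies() {
    tmp=$(mktemp -d) || return 2
    n=$(split_chain "$1" "$tmp")
    [ "$n" -ge 1 ] || { rm -rf "$tmp"; return 1; }
    i=2
    : > "$tmp/untrusted.pem"
    while [ "$i" -le "$n" ]; do
        cat "$tmp/cert-$i.pem" >> "$tmp/untrusted.pem"
        i=$((i + 1))
    done
    if [ "$n" -gt 1 ]; then
        openssl verify -CAfile "$2" -untrusted "$tmp/untrusted.pem" "$tmp/cert-1.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$tmp/cert-1.pem" >/dev/null 2>&1
    fi
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# check_served_chain HOST:PORT CA_BUNDLE: captures the live handshake and runs
# both checks on what the server really sent.  Needs a reachable server, so the
# self-check exercises the file-based functions only.
check_served_chain() {
    tmp_chain=$(mktemp) || return 2
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null > "$tmp_chain"
    chain_links_ok "$tmp_chain" && chain_verifies "$tmp_chain" "$2"
    rc=$?
    rm -f "$tmp_chain"
    return "$rc"
}

# Usage: sh check-ldaps-chain.sh ldap.example.test:636 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
if [ $# -eq 2 ]; then
    check_served_chain "$1" "$2" && echo "chain OK" || echo "chain NOT OK"
fi
```

Run it against the ldaps port after every package update of slapd or of the NSS/openssl libraries: a chain that silently lost its intermediate, as happened here, is caught by `chain_verifies` before the first client reports "Can't contact LDAP server", and installing the intermediate on every client is then not needed.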
