These days, some of my openLDAP nodes automatically updated to CentOS 7.5. In this update, openLDAP was updated from 2.4.44-5 to 2.4.44-13 (see changelog: https://centos.pkgs.org/7/centos-x86_64 ... 4.rpm.html )
Since the update, the openLDAP server is no longer sending out the intermediate certificate.
This results in an error with all ldap operations like this:
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I have set up openLDAP with Mozilla NSS according to this doc: https://www.openldap.org/faq/data/cache/1514.html and bundled the intermediate together with the server cert before I imported it into the NSS DB.
Bundling was done by:
openssl pkcs12 -export -out server-fqdn.intermediate-chain.crt.bundle.pkcs12 -inkey server-fqdn.key.pem -in server-fqdn.intermediate-chain.crt.bundle.pem -certfile root-ca.crt.pem
pk12util -d /etc/openldap/certs -i server-fqdn.intermediate-chain.crt.bundle.pkcs12
certutil -d /etc/openldap/certs/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

OpenLDAP Server                                              CTu,u,u
Intermediate cert nick name                                  ,,
The nick name of the server cert                             u,u,u
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "The nick name of the server cert"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
olcSizeLimit: -1
olcLogLevel: stats
All was working well for about 2 years until these updates last week.
As a workaround I could install the intermediate cert on all LDAP clients, but this is not really what I am looking for.
Can someone tell me how I can configure openLDAP again to deliver the server cert and the intermediate cert?
Thank you very much.
Kind regards.
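Added example, not from the original post and not openLDAP's own tooling: a small POSIX shell check that lists the chain an LDAPS server actually presents and flags the symptom described above, a leaf certificate delivered without its intermediate. It assumes openssl s_client is available and that the host:port you pass (ldap.example.com:636 in the comments) is your own server; check_chain itself runs offline on a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: list the chain an LDAPS server
# presents and flag a leaf sent without its intermediate (the symptom above).
# fetch_chain needs openssl; check_chain works on saved -showcerts output.
# Live fetch; host:port (e.g. ldap.example.com:636) is an assumption.
fetch_chain() {
    # </dev/null closes stdin so s_client exits once the handshake is done
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null
}
# Reads s_client -showcerts output on stdin. For each " N s:<subject>" line and
# the "   i:<issuer>" line under it, require issuer(N) == subject(N+1). Exit 0
# when the chain ends at a self-signed root or at an issuer the client must
# trust itself; exit 1 on a broken link or a lone non-self-signed leaf.
check_chain() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificates found in input"; exit 1 }
            printf "server sent %d certificate(s)\n", n
            bad = 0
            for (k = 1; k <= n; k++) {
                printf "  depth %d: subject=%s\n           issuer=%s\n", k - 1, subj[k], iss[k]
                if (k < n && iss[k] != subj[k + 1]) {
                    printf "  !! depth %d issuer is not the depth %d subject\n", k - 1, k
                    bad = 1
                }
            }
            if (iss[n] == subj[n])
                print "chain ends at a self-signed (root) certificate"
            else if (n == 1) {
                print "!! only the leaf was sent and it is not self-signed: intermediate missing"
                bad = 1
            } else
                print "chain ends at an intermediate; its issuer must be in the client trust store"
            exit bad
        }'
}
# Constructed sample (openssl 1.0 "s:/CN=" style, body replaced by a placeholder):
# what a server that dropped its intermediate looks like.
LEAF_ONLY=' 0 s:/CN=ldap.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----'
printf '%s\n' "$LEAF_ONLY" | check_chain || echo "(incomplete chain detected, as expected)"
# With a host:port argument, check a live server instead.
case "${1:-}" in *:*) fetch_chain "$1" | check_chain ;; esac
```

Run it as `sh check_chain.sh ldap.example.com:636` against the server, or feed it saved `openssl s_client -showcerts` output on stdin via `check_chain`.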