Ubuntu 11.10 TLS: peer cert untrusted or revoked (0x82) can't connect ldap_err2string
Hi,
Since an upgrade to my ldap server, my Ubuntu box has been having issues authenticating (it was working before). I've now done a do-release-upgrade from 10.04 to 11.10, but it does not appear to have fixed itself.

Command:
sudo ldapsearch -d-1 -x -D "cn=admin,dc=mydom,dc=com" -W -s sub "objectClass=posixUser"

Result:
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The ldap server is CentOS 5.8, and I have other CentOS boxes that successfully utilise the ldap server without issue (and I can run the above command successfully from any of them). From the error, it appears that the LDAP connection settings are correct, but all my Googling suggests it's a problem in Ubuntu's use of this particular setup of TLS certificates. My TLS certs are signed by a self-signed signing box (CentOS) within my domain. I have tried using both openssl and certtool to generate the TLS certs for the ubuntu box, but in both cases this problem still occurs. Does anybody have any ideas for what else I might try to resolve this? It's the only Ubuntu box I actually use, so I may just ditch it in favour of another CentOS box.

Regards,
Rob.
Well, it sounds like the certificate issuer used on the ldap server isn't in the Ubuntu cert bundle. On CentOS this would default to /etc/pki/tls/certs/ca-bundle.crt, not sure about Ubuntu. Examine the certificate chain and see why your trust is failing that way. Add more debugging to the command and you should probably see more information; alternatively you could just use curl to https://1.2.3.4:636 and see the SSL level complaints there, or use the "openssl s_client" tool to go in deeper if you're still struggling.
Good call on using curl and openssl.

Code:
curl https://myldap.srv:636/

Code:
curl --cacert /etc/ldap/cacert.pem https://myldap.srv:636/

Which kind of suggests my ldap client may be ignoring the TLS_CACERT option in the ldap.conf file.

Code:
#SIZELIMIT 12

Code:
---

I've also checked that the certs are the same in both /etc/ldap/ldap.conf and /etc/ldap.conf:

Code:
tls_cacertfile /etc/ldap/cacert.pem

Regards,
Rob.
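The trust check the reply suggests (and the curl --cacert comparison above), reproduced offline as an added example that is not code from either post: a constructed private CA and server cert stand in for the real ones, and a small diagnose function reads TLS_CACERT from a constructed ldap.conf and verifies the chain against it, so you can see "untrusted" without the CA file and "trusted" with it.

```shell
#!/bin/sh
# Offline reproduction of the trust check behind "peer cert untrusted or revoked".
# Every certificate and ldap.conf below is constructed in a temp dir for this
# example; none of it is Rob's real configuration. myldap.srv is the thread's name.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed private CA, standing in for the self-signed signing box.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out cacert.pem \
  -subj "/CN=Constructed Internal CA" -days 1 >/dev/null 2>&1
# Constructed LDAP server certificate signed by that CA.
openssl req -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
  -subj "/CN=myldap.srv" >/dev/null 2>&1
openssl x509 -req -in ldap.csr -CA cacert.pem -CAkey ca.key -CAcreateserial \
  -out ldap.crt -days 1 >/dev/null 2>&1

# verify_chain CERT [CAFILE]: the chain validation an LDAP client performs.
# Without CAFILE the system store is used, which (like curl without --cacert)
# knows nothing about a private CA. Prints "trusted" or "untrusted".
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# tls_cacert_from_conf CONF: path given by TLS_CACERT (OpenLDAP ldap.conf) or
# tls_cacertfile (pam_ldap/nss_ldap /etc/ldap.conf); keyword match is case-insensitive.
tls_cacert_from_conf() {
  awk 'tolower($1)=="tls_cacert" || tolower($1)=="tls_cacertfile" {print $2; exit}' "$1"
}

# diagnose CONF CERT: what a client that honours CONF would conclude about CERT.
# Prints "no-cacert-setting", "cacert-file-missing", "trusted" or "untrusted".
diagnose() {
  ca=$(tls_cacert_from_conf "$1")
  [ -n "$ca" ] || { echo no-cacert-setting; return 0; }
  [ -r "$ca" ] || { echo cacert-file-missing; return 0; }
  verify_chain "$2" "$ca"
}

# Constructed client configs: one naming the CA, one that omits TLS_CACERT.
printf '#SIZELIMIT 12\nURI ldaps://myldap.srv:636\nTLS_CACERT %s/cacert.pem\n' "$WORK" > ldap.conf
printf 'URI ldaps://myldap.srv:636\n' > ldap-nocacert.conf

echo "system store: $(verify_chain ldap.crt); with CA: $(verify_chain ldap.crt cacert.pem); per ldap.conf: $(diagnose ldap.conf ldap.crt)"
```

Against a live server, the same comparison is `openssl verify` on the cert that `openssl s_client -connect myldap.srv:636 -showcerts` prints, first with and then without `-CAfile` pointing at the file ldap.conf names.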