LinuxQuestions.org
Old 04-22-2012, 01:01 PM   #1
peridian
Member
 
Registered: Jan 2010
Posts: 60

Ubuntu 11.10 TLS: peer cert untrusted or revoked (0x82) can't connect ldap_err2string


Hi,

Since an upgrade to my ldap server, my Ubuntu box has been having issues authenticating (it was working before). I've now done a do-release-upgrade from 10.04 to 11.10, but it does not appear to have fixed itself.


Command:
sudo ldapsearch -d-1 -x -D "cn=admin,dc=mydom,dc=com" -W -s sub "objectClass=posixUser"

Result:
TLS: peer cert untrusted or revoked (0x82)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


The ldap server is CentOS 5.8, and I have other CentOS boxes that successfully utilise the ldap server without issue (and I can run the above command successfully from any of them).

From the error, it appears that the LDAP connection settings are correct, but all my Googling suggests it's a problem in Ubuntu's use of this particular setup of TLS certificates.

My TLS certs are signed by a self-signed signing box (CentOS) within my domain.

I have tried using both openssl and certtool to generate the TLS certs for the Ubuntu box, but in both cases this problem still occurs.

Does anybody have any ideas for what else I might try to resolve this? It's the only Ubuntu box I actually use, so I may just ditch it in favour of another CentOS box.

Regards,
Rob.
 
Old 04-23-2012, 09:29 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, it sounds like the certificate issuer used on the ldap server isn't in the Ubuntu cert bundle. On CentOS this would default to /etc/pki/tls/certs/ca-bundle.crt, not sure about Ubuntu. Examine the certificate chain and see why your trust is failing that way. Add more debugging to the command and you should probably see more information; alternatively you could just use curl to https://1.2.3.4:636 and see the SSL level complaints there. Or use the "openssl s_client" tool to go in deeper if you're still struggling.
 
Old 04-26-2012, 03:30 PM   #3
peridian
Member
 
Registered: Jan 2010
Posts: 60

Original Poster
Good call on using curl and openssl.

Code:
curl https://myldap.srv:636/

Result:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

However, if I then use the following, it works:

Code:
curl --cacert /etc/ldap/cacert.pem https://myldap.srv:636/

Result:
curl: (52) Empty reply from server

This is specifying the explicit location of the public cacert.pem file distributed by my signing box.

Which kind of suggests my ldap client may be ignoring the TLS_CACERT option in the ldap.conf file.

Code:
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldaps://myldap.srv/
PORT 636
BASE dc=myldap,dc=srv
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /etc/ldap/mysrv.srv.pem
TLS_KEY /etc/ldap/mysrv.srv.key.pem
TLS_REQCERT demand

The output from -debug on openssl points at the self-signed certificate being an issue:

Code:
---
No client certificate CA names sent
---
SSL handshake has read 1543 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx:
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1335471744
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

I don't understand why this would have been working before, and stop now. I've tried regenerating the SSL certificates pointed to in ldap.conf.

I've also checked that the certs are the same in both /etc/ldap/ldap.conf and /etc/ldap.conf:

Code:
tls_cacertfile /etc/ldap/cacert.pem
tls_cert /etc/ldap/mysrv.srv.pem
tls_key /etc/ldap/mysrv.srv.key.pem

Any pointers would be greatly appreciated.

Regards,
Rob.
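An added example, not from the thread or either poster: a small Python script that reads both ldap.conf dialects quoted above (OpenLDAP's /etc/ldap/ldap.conf and nss_ldap's /etc/ldap.conf), flags mismatched or weak TLS settings, and decodes the "Verify return code" line from openssl s_client output. The inputs are constructed from the thread's own output; the key mapping and verify-code table are assumptions based on OpenLDAP's and OpenSSL's documented names.

```python
import re

# The two ldap.conf dialects name the same setting differently (TLS_CACERT vs tls_cacertfile);
# normalise both to one key so the files can be compared. Assumed mapping, see lead-in.
KEY_MAP = {"TLS_CACERT": "cacert", "TLS_CACERTFILE": "cacert", "TLS_CERT": "cert",
           "TLS_KEY": "key", "TLS_REQCERT": "reqcert", "URI": "uri"}

# OpenSSL X509 verify codes that point at a missing trust anchor (from x509_vfy.h).
VERIFY_CODES = {0: "ok", 18: "self signed certificate",
                19: "self signed certificate in certificate chain",
                20: "unable to get local issuer certificate"}

def parse_ldap_conf(text):
    """Parse either dialect: 'KEY value' lines, '#' comments, case-insensitive keys."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            key = KEY_MAP.get(parts[0].upper(), parts[0].lower())
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(openldap_text, nss_text):
    """Client-side findings to clear before suspecting the server."""
    a, b = parse_ldap_conf(openldap_text), parse_ldap_conf(nss_text)
    findings = [f"{k} differs: {a.get(k)!r} vs {b.get(k)!r}"
                for k in ("cacert", "cert", "key") if a.get(k) != b.get(k)]
    if a.get("uri", "").startswith("ldaps://") and not a.get("cacert"):
        findings.append("ldaps:// URI but no TLS_CACERT: the system CA bundle decides trust")
    reqcert = a.get("reqcert", "demand").lower()  # OpenLDAP's default is demand
    if reqcert != "demand":
        findings.append(f"TLS_REQCERT {reqcert}: a bad server cert would not block the bind")
    return findings

def verify_result(s_client_output):
    """Pull 'Verify return code: N (text)' out of openssl s_client output."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", s_client_output)
    if not m:
        return None
    code = int(m.group(1))
    return code, VERIFY_CODES.get(code, m.group(2))

# Constructed inputs, copied from the thread's output rather than read from disk.
OPENLDAP_CONF = ("URI ldaps://myldap.srv/\nTLS_CACERT /etc/ldap/cacert.pem\n"
                 "TLS_CERT /etc/ldap/mysrv.srv.pem\nTLS_KEY /etc/ldap/mysrv.srv.key.pem\n"
                 "TLS_REQCERT demand\n")
NSS_CONF = ("tls_cacertfile /etc/ldap/cacert.pem\ntls_cert /etc/ldap/mysrv.srv.pem\n"
            "tls_key /etc/ldap/mysrv.srv.key.pem\n")
S_CLIENT = "    Verify return code: 19 (self signed certificate in certificate chain)\n"
```

When the two files agree, as they do here, the script reports no findings; code 19 then means the server is sending its self-signed CA in the chain but the client never loaded it as a trust anchor, so the next thing to check is whether ldapsearch is reading a different ldap.conf, a ~/.ldaprc, or an LDAPTLS_CACERT environment variable (all of which OpenLDAP honours) than the one you edited.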