0014805  CentOS-7  openldap  2018-05-16 19:49
Status: closed
Platform: x86_64  OS: CentOS  OS Version: 7
Product Version: 7.5.1804
Target Version:  Fixed in Version:
Summary: 0014805: openldap TLS is not sending the intermediate cert after update
Description: Since updating openLDAP from 2.4.44-5 to 2.4.44-13, the openLDAP server no longer sends out the intermediate certificate.
Steps To Reproduce:
- install openldap in version 2.4.44-5
- create a server SSL certificate signed by an intermediate certificate
- bundle the server and the intermediate certificate together with the key into a PKCS12 cert: openssl pkcs12 -export -out server-fqdn.intermediate-chain.crt.bundle.pkcs12 -inkey server-fqdn.key.pem -in server-fqdn.intermediate-chain.crt.bundle.pem -certfile root-ca.crt.pem
- import the PKCS12 cert into the NSS DB in /etc/openldap/certs: pk12util -d /etc/openldap/certs -i server-fqdn.intermediate-chain.crt.bundle.pkcs12
- import the CA cert into /etc/pki/ca-trust/source/anchors/ and recreate the ca-trust by: update-ca-trust extract
- configure openldap to have the following TLS attributes:
  olcTLSCACertificatePath: /etc/openldap/certs
  olcTLSCertificateFile: "The nick name of the server cert"
  olcTLSCertificateKeyFile: /etc/openldap/certs/password
- enable ldaps by adding "ldaps:///" to the argument SLAPD_URLS in the file /etc/sysconfig/slapd
- restart openldap by systemctl restart slapd
- check ldapsearch by using ldaps: ldapsearch -D <user DN of Manager> -W -b "<base-DN>" cn=<searching-object> -H ldaps://<server-fqdn> --> after typing in the password, the searched object is presented (this search is also possible from any LDAP client that trusts the CA cert)
- check SSL by: openssl s_client -connect <server-fqdn>:636 -showcerts --> the whole SSL cert chain (server cert, intermediate cert, root CA cert) is presented with a result of "Verify return code: 0 (ok)"
- update openldap from 2.4.44-5 to the newest version in CentOS 7 (2.4.44-13)
- check ldapsearch by using ldaps: ldapsearch -D <user DN of Manager> -W -b "<base-DN>" cn=<searching-object> -H ldaps://<server-fqdn> --> after typing in the password, you get the error: "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
- check SSL by: openssl s_client -connect <server-fqdn>:636 -showcerts --> only the server cert is presented (the intermediate cert is missing) --> error message: Verify return code: 21 (unable to verify the first certificate)
Additional Information: In the CentOS forum, I was told to open a bug:
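The check used in the reproduction steps above (openssl s_client -showcerts, then looking at whether the intermediate certificate is listed) can be scripted so that an ldaps server is tested after every package update. The following POSIX shell script is an added example, not code from the bug report or from the OpenLDAP project: it parses s_client-style output, counts the certificates in the presented chain, prints a subject/issuer summary, and reports the "leaf only" state described in the report. The host name ldap.example.test, the CA names and the certificate bodies in the two embedded samples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or the OpenLDAP project:
# a check for the symptom described above (server sends only its leaf
# certificate), working on the output format of `openssl s_client -showcerts`.
# Host name ldap.example.test, the CA names and the certificate bodies in the
# samples below are constructed placeholders.

# Number of PEM certificates in s_client-style output read from stdin.
# `grep -c` exits 1 when the count is 0, so keep the "0" and ignore the status.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# One line per chain entry, "<depth> <subject> <- <issuer>", parsed from the
# " N s:" and "   i:" lines that precede each certificate in -showcerts output.
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); print depth " " subj " <- " $0 }
    '
}

# Return 0 when the server sent at least one intermediate, 1 when it sent only
# the leaf (the misconfiguration in this report), 2 when no certificate at all
# was read (connection failed or the input is not -showcerts output).
chain_has_intermediate() {
    n=$(count_chain_certs)
    if [ "$n" -gt 1 ]; then
        return 0
    elif [ "$n" -eq 1 ]; then
        return 1
    fi
    return 2
}

# Live check against a real ldaps server (port 636); not exercised offline.
check_ldaps_chain() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
        | chain_has_intermediate
}

# Constructed sample: output of a correctly configured server, leaf plus
# intermediate (verify return code 0). Certificate bodies are placeholders.
sample_full_chain() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERTIFICATE
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: the broken state from the report, leaf only
# (verify return code 21, "unable to verify the first certificate").
sample_leaf_only() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Stand-alone demonstration on the two constructed samples.
for sample in sample_full_chain sample_leaf_only; do
    echo "$sample:"
    $sample | chain_summary
    if $sample | chain_has_intermediate; then
        echo "  OK: intermediate certificate sent"
    else
        echo "  PROBLEM: only the leaf certificate was sent"
    fi
done
```

For a real server, call check_ldaps_chain with the server FQDN and act on the exit status (1 means the intermediate is missing, which is exactly the state that produced "Verify return code: 21" in the report). Note that a client that already has the intermediate in its own trust store may still connect successfully, so a chain count from s_client is a more reliable indicator than a working ldapsearch from one particular machine.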

2018-05-15 15:26  reporter  ~0031822

on advice in centos forum, I also reported the bug on Bug ID Red Hat: 1578438

2018-05-16 09:04  reporter  ~0031840

I found two solutions for this issue:


Solution 1 (with NSS):
Modify the trustargs of the intermediate certificate in the NSS cert store of the openldap server:

certutil -d /etc/openldap/certs -M -t "CT,," -n "Intermediate cert nick name"

This adds the following trust args:
C - Trusted CA (implies c)
T - trusted CA for client authentication (ssl server only)


Solution 2 (with OS CA trust):
copy the intermediate certificate on the openldap server into the directory
/etc/pki/ca-trust/source/anchors/ and perform a

update-ca-trust extract


After restarting openldap, the intermediate certificate is delivered again by the server for both solutions.

Somehow it sounds logical to have these trustargs set on the intermediate certificate, but I am still wondering why it was working for the last two years without them.
So I am not sure if it is really a bug or just a misconfiguration on my side, which was working for a long time but now isn't any more.

2018-05-16 12:10  reporter  ~0031844

Probably the problem comes from the OpenLDAP build of 7.5 having changed to use
OpenSSL instead of Mozilla NSS.

> Previously, the OpenLDAP suite used the Mozilla implementation of Network Security Services (Mozilla NSS).
> With this update, OpenLDAP uses the OpenSSL library.
> Existing certificates in the NSS database (DB) are automatically extracted to the
> PEM format and passed to OpenSSL.
> Note that NSS DBs continue to be supported. However, OpenSSL-like configuration, such as PEM files,
> is preferred over NSS-like configuration, such as NSS DB. (BZ#1400578)

2018-05-16 19:43  reporter  ~0031849

As also discussed in Bug ID Red Hat: 1578438, I understand this is not a bug. It is a configuration error on my side, which was not compatible with the new build of openLDAP in CentOS 7.5.
I'm sorry for that.
Thank you very much.
Kind regards.

2018-05-16 19:49  manager  ~0031850

Closing as per comment and