View Issue Details

ID: 0014805
Project: CentOS-7
Category: openldap
View Status: public
Last Update: 2018-05-16 19:49
Reporter: mcguppy
Priority: high
Severity: block
Reproducibility: always
Status: closed
Resolution: no change required
Platform: x86_64
OS: CentOS
OS Version: 7
Product Version: 7.5.1804
Target Version: (none)
Fixed in Version: (none)
Summary: 0014805: openldap TLS is not sending the intermediate cert after update
Description:
Since updating openLDAP from 2.4.44-5 to 2.4.44-13, the openLDAP server no longer sends the intermediate certificate.

Steps To Reproduce:
- install openldap in version 2.4.44-5
- create a server SSL certificate signed by an intermediate certificate
- bundle the server and the intermediate certificate together with the key into a PKCS12 cert: openssl pkcs12 -export -out server-fqdn.intermediate-chain.crt.bundle.pkcs12 -inkey server-fqdn.key.pem -in server-fqdn.intermediate-chain.crt.bundle.pem -certfile root-ca.crt.pem
- import the PKCS12 cert into the NSS DB in /etc/openldap/certs: pk12util -d /etc/openldap/certs -i server-fqdn.intermediate-chain.crt.bundle.pkcs12
- import the CA cert into /etc/pki/ca-trust/source/anchors/ and recreate the ca-trust with: update-ca-trust extract
- configure openldap with the following TLS attributes: olcTLSCACertificatePath: /etc/openldap/certs, olcTLSCertificateFile: "The nick name of the server cert", olcTLSCertificateKeyFile: /etc/openldap/certs/password
- enable ldaps by adding "ldaps:///" to the SLAPD_URLS argument in the file /etc/sysconfig/slapd
- restart openldap with: systemctl restart slapd
- check ldapsearch over ldaps: ldapsearch -D <user DN of Manager> -W -b "<base-DN>" cn=<searching-object> -H ldaps://<server-fqdn> --> after typing in the password, the searched object is presented (this search also works from any LDAP client that trusts the CA cert)
- check SSL with: openssl s_client -connect <server-fqdn>:636 -showcerts --> the whole SSL cert chain (server cert, intermediate cert, root CA cert) is presented, with the result "Verify return code: 0 (ok)"
- update openldap from 2.4.44-5 to the newest version in CentOS 7 (2.4.44-13)
- check ldapsearch over ldaps: ldapsearch -D <user DN of Manager> -W -b "<base-DN>" cn=<searching-object> -H ldaps://<server-fqdn> --> after typing in the password you get the error: "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
- check SSL with: openssl s_client -connect <server-fqdn>:636 -showcerts --> only the server cert is presented (the intermediate cert is missing) --> Error message: Verify return code: 21 (unable to verify the first certificate)
Additional Information:
In the CentOS forum, I was told to open a bug: https://www.centos.org/forums/viewtopic.php?f=48&t=67042
Tags: nss
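The reporter reads the `openssl s_client -showcerts` output by hand to see whether the intermediate is missing. The following script is an added example, not part of the bug report: it parses that output and classifies it, so the "leaf only, verify code 21" state from the report can be caught in a monitoring check. The two samples are constructed; `check_ldaps` assumes a hostname argument and uses port 636 as in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): classify `openssl s_client -showcerts`
# output to tell a complete chain from the "only the leaf was sent" symptom above.

# Number of certificates the server presented (one BEGIN line per certificate).
chain_depth() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Numeric "Verify return code" printed by openssl (0 means the chain verified).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# OK: chain verified. INCOMPLETE_CHAIN: only the leaf was sent and verification
# stopped with code 21 (the post-update symptom). VERIFY_FAILED: anything else.
assess_chain() {
    depth=$(chain_depth "$1")
    code=$(verify_code "$1")
    if [ "$code" = "0" ]; then
        echo OK
    elif [ "$depth" -le 1 ] && [ "$code" = "21" ]; then
        echo INCOMPLETE_CHAIN
    else
        echo VERIFY_FAILED
    fi
}

# Live check of an ldaps endpoint (hostname argument assumed; port 636 as on the page).
check_ldaps() {
    out=$(openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null) || true
    assess_chain "$out"
}

# Constructed sample: the broken state after the update (leaf only, code 21).
SAMPLE_BROKEN='Certificate chain
 0 s:CN = server-fqdn
   i:CN = Intermediate CA
-----BEGIN CERTIFICATE-----
constructed-placeholder-body
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: the healthy state (leaf, intermediate and root, code 0).
SAMPLE_OK=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'x' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'x' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'x' '-----END CERTIFICATE-----' \
    'Verify return code: 0 (ok)')
```

Run `check_ldaps <server-fqdn>` from a host that trusts only the root CA: INCOMPLETE_CHAIN is the state described in the report, where clients fail with "Can't contact LDAP server (-1)".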

Activities

mcguppy (reporter), 2018-05-15 15:26, note ~0031822

On advice in the CentOS forum, I also reported the bug on bugzilla.redhat.com. Red Hat Bug ID: 1578438
mcguppy (reporter), 2018-05-16 09:04, note ~0031840

I found two solutions for this issue:

-----

Solution 1 (with NSS):
Modify the trustargs of the intermediate certificate in the NSS cert store of the openldap server:

certutil -d /etc/openldap/certs -M -t "CT,," -n "Intermediate cert nick name"

This adds the following trust args:
C - Trusted CA (implies c)
T - trusted CA for client authentication (ssl server only)

------

Solution 2 (with OS CA trust):
copy the intermediate certificate on the openldap server into the directory
/etc/pki/ca-trust/source/anchors/ and perform a

update-ca-trust extract

------

After restarting openldap, the intermediate certificate is delivered again by the server with both solutions.

Somehow it sounds logical to have these trustargs set on the intermediate certificate, but I am still wondering why it was working for the last two years without them.
So I am not sure if it is really a bug or just a misconfiguration on my side, which was working for a long time but now isn't any more.
kabe (reporter), 2018-05-16 12:10, note ~0031844

Probably the problem stems from the OpenLDAP build in 7.5 having changed to use
OpenSSL instead of Mozilla NSS.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.5_release_notes/new_features_authentication_and_interoperability

> Previously, the OpenLDAP suite used the Mozilla implementation of Network Security Services (Mozilla NSS).
> With this update, OpenLDAP uses the OpenSSL library.
> Existing certificates in the NSS database (DB) are automatically extracted to the
> PEM format and passed to OpenSSL.
> Note that NSS DBs continue to be supported. However, OpenSSL-like configuration, such as PEM files,
> is preferred over NSS-like configuration, such as NSS DB. (BZ#1400578)
mcguppy (reporter), 2018-05-16 19:43, note ~0031849

As also discussed in Red Hat Bug ID 1578438, I understand this is not a bug. It is a configuration error on my side which was not compatible with the new build of openLDAP in CentOS 7.5.
I'm sorry for that.
Thank you very much.
Kind regards.
TrevorH (developer), 2018-05-16 19:49, note ~0031850

Closing as per comment and https://bugzilla.redhat.com/show_bug.cgi?id=1578438

Issue History

Date Modified Username Field Change
2018-05-15 06:32 mcguppy New Issue
2018-05-15 06:32 mcguppy Tag Attached: nss
2018-05-15 15:26 mcguppy Note Added: 0031822
2018-05-16 09:04 mcguppy Note Added: 0031840
2018-05-16 12:10 kabe Note Added: 0031844
2018-05-16 19:43 mcguppy Note Added: 0031849
2018-05-16 19:49 TrevorH Status new => closed
2018-05-16 19:49 TrevorH Resolution open => no change required
2018-05-16 19:49 TrevorH Note Added: 0031850