View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0014805 | CentOS-7 | openldap | public | 2018-05-15 06:32 | 2018-05-16 19:49 |
| Status | closed | Resolution | no change required |
|---|---|---|---|
| Target Version | | Fixed in Version | |
Summary: 0014805: openldap TLS is not sending the intermediate cert after update

Description: Since updating openLDAP from 2.4.44-5 to 2.4.44-13, the openLDAP server no longer sends out the intermediate certificate.
Steps To Reproduce:
- install openldap in version 2.4.44-5
- create a server SSL certificate signed by an intermediate certificate
- bundle the server and the intermediate certificate together with the key into a PKCS12 cert: openssl pkcs12 -export -out server-fqdn.intermediate-chain.crt.bundle.pkcs12 -inkey server-fqdn.key.pem -in server-fqdn.intermediate-chain.crt.bundle.pem -certfile root-ca.crt.pem
- import the PKCS12 cert into the NSS DB in /etc/openldap/certs: pk12util -d /etc/openldap/certs -i server-fqdn.intermediate-chain.crt.bundle.pkcs12
- import the CA cert into /etc/pki/ca-trust/source/anchors/ and recreate the ca-trust by: update-ca-trust extract
- configure openldap to have the following TLS attributes: olcTLSCACertificatePath: /etc/openldap/certs olcTLSCertificateFile: "The nick name of the server cert" olcTLSCertificateKeyFile: /etc/openldap/certs/password
- enable ldaps by adding "ldaps:///" in the file /etc/sysconfig/slapd to the argument SLAPD_URLS
- restart openldap by systemctl restart slapd
- check ldapsearch by using ldaps: ldapsearch -D <user DN of Manager> -W -b "<base-DN>" cn=<searching-object> -H ldaps://<server-fqdn> --> after typing in the password, the searched object is presented (this search is also possible from any LDAP client that trusts the CA cert)
- check SSL by: openssl s_client -connect <server-fqdn>:636 -showcerts --> the whole SSL cert chain (server cert, intermediate cert, root CA cert) is presented with a result of "Verify return code: 0 (ok)"
- update openldap from 2.4.44-5 to the newest version in CentOS 7 (2.4.44-13)
- check ldapsearch by using ldaps: ldapsearch -D <user DN of Manager> -W -b "<base-DN>" cn=<searching-object> -H ldaps://<server-fqdn> --> after typing in the password you get the error: "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
- check SSL by: openssl s_client -connect <server-fqdn>:636 -showcerts --> only the server cert is presented (the intermediate cert is missing) --> Error message: Verify return code: 21 (unable to verify the first certificate)
Additional Information: In the CentOS forum, I was told to open a bug: https://www.centos.org/forums/viewtopic.php?f=48&t=67042
On advice in the CentOS forum, I also reported the bug on bugzilla.redhat.com. Bug ID Red Hat: 1578438
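The `openssl s_client -showcerts` check used in the steps above can be automated so that a monitoring job catches a dropped intermediate before clients start failing. The following is an added example and not part of the bug report: it parses s_client output, checks that each certificate in the sent chain is issued by the next one, extracts the "Verify return code", and names the issuer that the server did not send. The host name and the two sample outputs are constructed; the `run_s_client` helper simply shells out to the real `openssl s_client -connect <host>:<port> -showcerts` command.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on what s_client prints when slapd sends only the
# leaf certificate (the state described after the update). Not a real certificate.
SAMPLE_LEAF_ONLY = """CONNECTED(00000003)
depth=0 CN = ldap.example.test
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldap.example.test
issuer=/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# Constructed sample for the healthy state: leaf, intermediate and root are all sent.
SAMPLE_FULL_CHAIN = """CONNECTED(00000003)
depth=2 CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:/CN=ldap.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---
"""

# " 0 s:/CN=..." (OpenSSL 1.0.x) or " 0 s:CN = ..." (OpenSSL 1.1+): both match.
CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.+)$")
ISSUER_LINE = re.compile(r"^\s*i:(.+)$")
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


def parse_chain(text: str) -> List[Dict[str, object]]:
    """Return the certificates the server sent, in the order sent, as subject/issuer pairs."""
    chain: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None}
            chain.append(current)
            continue
        m = ISSUER_LINE.match(line)
        if m and current is not None and current["issuer"] is None:
            current["issuer"] = m.group(1).strip()
    return chain


def verify_return_code(text: str) -> Tuple[Optional[int], Optional[str]]:
    """Extract (code, reason) from the 'Verify return code: N (reason)' line, if present."""
    m = VERIFY_CODE.search(text)
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def assess(text: str) -> Dict[str, object]:
    """Judge whether the sent chain is internally consistent and verified cleanly."""
    chain = parse_chain(text)
    code, reason = verify_return_code(text)
    findings: List[str] = []
    if not chain:
        findings.append("no certificate chain found in s_client output")
    # Each certificate must be issued by the next one the server sent.
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            findings.append("depth %d is issued by '%s' but depth %d is '%s'"
                            % (lower["depth"], lower["issuer"], upper["depth"], upper["subject"]))
    # If the last sent certificate is not self-signed, its issuer was NOT sent:
    # that is the intermediate (or root) every client must already hold to verify.
    missing = None
    if chain and chain[-1]["issuer"] != chain[-1]["subject"]:
        missing = chain[-1]["issuer"]
    if code not in (0, None):
        findings.append("verify return code %d (%s)" % (code, reason))
    return {
        "certs_sent": len(chain),
        "verify_code": code,
        "missing_from_chain": missing,   # issuer name the server did not send, or None
        "chain_ok": not findings,
        "findings": findings,
    }


def run_s_client(host: str, port: int = 636) -> str:
    """Run the real openssl s_client and return its combined output (network access required)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-showcerts"],
                          input=b"",  # closed stdin makes s_client exit after the handshake
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=20)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    import sys
    text = run_s_client(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LEAF_ONLY
    for key, value in assess(text).items():
        print("%-20s %s" % (key, value))
```

Run it with a host name to probe a live server, or without arguments to see the leaf-only sample diagnosed: `missing_from_chain` then names the intermediate CA that clients would have to trust directly, which is exactly the "unable to verify the first certificate" condition in the report.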
I found two solutions for this issue:
Solution 1 (with NSS):
Modify the trustargs of the intermediate certificate in the NSS cert store of the openldap server:
certutil -d /etc/openldap/certs -M -t "CT,," -n "Intermediate cert nick name"
This adds the following trust args:
C - Trusted CA (implies c)
T - trusted CA for client authentication (ssl server only)
Solution 2 (with OS CA trust):
copy the intermediate certificate on the openldap server into the directory
/etc/pki/ca-trust/source/anchors/ and perform a
After restarting openldap, intermediate certificate is delivered again from the server for both solutions.
Somehow it sounds logical to have these trustargs set on the intermediate certificate, but I am still wondering why it was working for the last two years without them.
So I am not sure if it is really a bug or just a misconfiguration on my side, which was working for a long time but now isn't any more.
Probably the problem relates to the OpenLDAP build of 7.5 having changed to use
OpenSSL instead of Mozilla NSS.
> Previously, the OpenLDAP suite used the Mozilla implementation of Network Security Services (Mozilla NSS).
> With this update, OpenLDAP uses the OpenSSL library.
> Existing certificates in the NSS database (DB) are automatically extracted to the
> PEM format and passed to OpenSSL.
> Note that NSS DBs continue to be supported. However, OpenSSL-like configuration, such as PEM files,
> is preferred over NSS-like configuration, such as NSS DB. (BZ#1400578)
As also discussed in Bug ID Red Hat: 1578438, I understand this is not a bug. It is a configuration error on my side which was not compatible with the new build of openLDAP in CentOS 7.5.
I'm sorry for that.
Thank you very much.
Closing as per comment and https://bugzilla.redhat.com/show_bug.cgi?id=1578438
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-05-15 06:32 | mcguppy | New Issue | |
| 2018-05-15 06:32 | mcguppy | Tag Attached: nss | |
| 2018-05-15 15:26 | mcguppy | Note Added: 0031822 | |
| 2018-05-16 09:04 | mcguppy | Note Added: 0031840 | |
| 2018-05-16 12:10 | kabe | Note Added: 0031844 | |
| 2018-05-16 19:43 | mcguppy | Note Added: 0031849 | |
| 2018-05-16 19:49 | TrevorH | Status | new => closed |
| 2018-05-16 19:49 | TrevorH | Resolution | open => no change required |
| 2018-05-16 19:49 | TrevorH | Note Added: 0031850 | |