
openldap proxy giving TLS certificate error



I am failing to authenticate through the LDAP proxy and I am seeing this error coming in continuously:

TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).

Any suggestions how to resolve this?

Here is my slapd.conf.

### Schema includes ##########################################################
include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/inetorgperson.schema
include                 /etc/openldap/schema/misc.schema
include                 /etc/openldap/schema/nis.schema
## Module paths ##############################################################
modulepath              /usr/lib64/openldap/
moduleload              back_ldap
# Main settings ###############################################################
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args
sizelimit               unlimited
TLSCACertificateFile    /root/data/certs/ldap.crt
TLSCertificateFile      /root/data/certs/ldap.crt
TLSCertificateKeyFile   /root/data/certs/ldap.key
### Database definition (Proxy to Corp LDAP) #########################################
database                ldap
readonly                yes
protocol-version        3
rebind-as-user          yes
uri                     "ldaps://192.168.1.100:636"
suffix                  "ou=People,dc=example,dc=net"
### Logging ###################################################################
loglevel                0

It had been working until last week, when IT changed their LDAP certificate.

I generate the certificate using this command:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/data/certs/ldap.key -out /root/data/certs/ldap.crt -subj "/CN=host.example.net/OU=Example/O=Example/L=City/ST=ST/C=US"

So I recreated it against the same IT LDAP server, so I do have the new cert and keys, produced the same way as before.

All new authentications are failing now.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
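Added example (not from the post above or from OpenLDAP): a shell script that reproduces the verify failure offline with throwaway certificates, so the cause can be checked before touching the proxy. It shows that openssl's verify error 19, "self signed certificate in certificate chain", is what you get when the CA file given to the verifier (standing in for the proxy's trust store) holds only the proxy's own self-signed ldap.crt while the upstream server presents a chain ending in a root that is not in that file; adding the upstream CA to the bundle makes the same chain verify. "Demo Corp CA", ldap.corp.example and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the proxy's verify failure offline with throwaway
# certificates in a temp dir (nothing under /root/data/certs is touched).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() {
  # Constructed "corporate" CA and the upstream LDAP server cert it issues.
  openssl req -x509 -nodes -days 2 -newkey rsa:2048 -subj "/CN=Demo Corp CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -subj "/CN=ldap.corp.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  # The proxy's own self-signed cert, made the same way as in the post.
  openssl req -x509 -nodes -days 2 -newkey rsa:2048 -subj "/CN=host.example.net" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.crt" 2>/dev/null
  # A trust bundle holding both the proxy cert and the corporate CA.
  cat "$WORK/ldap.crt" "$WORK/ca.crt" > "$WORK/bundle.crt"
}

# verify_chain CAFILE UNTRUSTED CERT
# Prints 0 when CERT chains to something in CAFILE, else the X509 verify
# error number (19 = self signed certificate in certificate chain,
# 20 = unable to get local issuer certificate). UNTRUSTED may be empty; it
# stands for the intermediates/root the server sends in its TLS handshake.
verify_chain() {
  cafile=$1; extra=$2; cert=$3
  if [ -n "$extra" ]; then set -- -untrusted "$extra"; else set --; fi
  if out=$(openssl verify -CAfile "$cafile" "$@" "$cert" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_demo_pki
# Trust store = proxy's own cert only, server sends its new root: error 19.
echo "own cert as CA, root in chain: $(verify_chain "$WORK/ldap.crt" "$WORK/ca.crt" "$WORK/server.crt")"
# Same trust store, server sends only the leaf: error 20.
echo "own cert as CA, leaf only:     $(verify_chain "$WORK/ldap.crt" "" "$WORK/server.crt")"
# Trust store also contains the corporate CA: verification succeeds (0).
echo "bundle with corp CA:           $(verify_chain "$WORK/bundle.crt" "$WORK/ca.crt" "$WORK/server.crt")"
```

The same check against the real upstream is `openssl s_client -connect 192.168.1.100:636 -showcerts -CAfile <your CA file>`, reading the "Verify return code" line; the fix is to put the upstream server's issuing CA, not the proxy's own certificate, in the CA file the proxy uses for outbound TLS.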