OpenLDAP: TLS error -8179: Peer's Certificate issuer is not recognized
I'm not familiar with certificates and openldap. I'm trying to port someone else's work from an older OS to CentOS-6 with openldap-2.4.23. On the old OS, an ldap connection worked without issue. Now on CentOS-6, I get the following error when doing a simple bind:

TLS error -8179:Peer's Certificate issuer is not recognized.

My /etc/openldap/ldap.conf has a single line:

TLS_CACERTDIR   /etc/openldap/certs

I tried commenting out that line and putting the following into the file but that didn't change the error message I received.

tls_reqcert allow

I also tried putting only the following line in ldap.conf but that didn't change the error. I tried this based on information found in this question.

LDAPTLS_CACERT  /etc/ssl/certs/ca-bundle.crt

I copied files into the following directories:

/etc/pki/tls/certs/ca.crt

/etc/pki/tls/certs/server.crt

/etc/pki/tls/private/server.key

I have no choice but to use openldap-2.4.23. Any idea what is causing this error or what I can do to troubleshoot?

Thanks in advance. SP

Thrombus answered 30/7, 2014 at 11:55
As per http://www.zytrax.com/books/ldap/ch6/ldap-conf.html, TLS_CACERT should point to the file containing the CA cert that the client will use to verify the certificate. You need to make sure that your server's CA [the CA that signed your server certificate] is present in the file that TLS_CACERT points to [in your case /etc/ssl/certs/ca-bundle.crt].

Huntingdon answered 31/7, 2014 at 6:49
I had the same error. In my case the reason was that my client had the wrong certificate in /etc/ipa/ca.crt. To fix this, I just copied /etc/ipa/ca.crt from the KDC server to the client and the error disappeared.

Playful answered 22/10, 2014 at 13:35
Depending upon the environment, OpenLDAP may completely ignore the value set for TLS_CACERTDIR because evidently GnuTLS doesn't support that type of certificate store.

From the man page for ldap.conf(5):

   TLS_CACERTDIR <path>
          Specifies the path of a directory that contains Certificate
          Authority certificates in separate individual files.
          The TLS_CACERT is always used before TLS_CACERTDIR. This
          parameter is ignored with GnuTLS.

In my case, I suspect that GnuTLS is in use, so TLS_CACERTDIR simply does nothing. Using TLS_CACERT pointed to a file containing the certificate of my server's signing CA seems to have done the trick.

I think https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues is a much more complete answer.

Gecko answered 3/10, 2016 at 19:5
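The check the answers above describe, as an added example that is not part of the original thread: a throwaway CA, a server certificate it signs, and an unrelated CA are constructed with openssl (all names hypothetical), and `openssl verify -CAfile` then reproduces, offline, the trust decision the client makes for the file named by TLS_CACERT, succeeding with the real issuer and failing when the bundle lacks it.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the trust decision the
# OpenLDAP client makes for TLS_CACERT, offline, with openssl. The CA, server
# certificate and "unrelated" CA are constructed here; all names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a server certificate it signs, and a second CA that
# plays the role of a ca-bundle.crt which does not contain the real issuer.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test LDAP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Print the issuer DN of a certificate (what the server presents) and the
# subject DN of a CA, so the two can be compared by eye when diagnosing.
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }

# Succeed only if server.crt chains to a CA inside the given bundle file.
# A failure here is the condition the client reports as TLS error -8179.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_test_pki
echo "server cert issuer    : $(issuer_of "$WORK/server.crt")"
echo "trusted CA subject    : $(subject_of "$WORK/ca.crt")"
verify_against_bundle "$WORK/ca.crt"    && echo "bundle with issuer    : verified"
verify_against_bundle "$WORK/other.crt" || echo "bundle without issuer : rejected"
```

Point the bundle argument at the file your ldap.conf names in TLS_CACERT and at a copy of the certificate the server presents to run the same comparison against a real deployment.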