Sunday, November 15, 2020

Re: OpenLDAP under 6.8 - no intermediate certs in chain

On 11/16/2020 12:08 AM, Paul B. Henson wrote:
> I just updated one of my servers running 6.7 to 6.8, and am having a
> problem with openldap. I have the intermediate cert and root CA in a
> file referenced by the openldap config:
>
> TLSCACertificateFile /etc/openldap/cabundle.crt
>
> Under 6.7 with the openldap port from that version, this results in the
> chain being served:
>
> Certificate chain
>  0 s:CN = ldap-netsvc.pbhware.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>  2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> However, under 6.8 with the newer openldap 2.4.53 port, only the server
> cert itself is being served, not the intermediate or root:
>
> Certificate chain
>  0 s:CN = ldap-netsvc.pbhware.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> This of course causes clients to fail to validate the server cert :(.
>
> I'm running openldap 2.4.53 on other operating systems and as far as I
> know there's no change in behavior with it. So I'm guessing there's an
> interoperability issue between openbsd libressl and openldap that's
> causing this problem?
>
> Do I need to configure something differently? Any other suggestions?
>
> Thanks much...


I remember seeing this commit recently. Not sure if this is your problem
or not.

https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2
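Whatever the cause turns out to be, the check worth having at hand is the one the original poster did by eye: take the "Certificate chain" listing that `openssl s_client` prints and confirm that every non-self-signed issuer is actually served by the peer. The script below is an added example and not part of the thread or of OpenLDAP; it parses that listing (using the two chain outputs from the post as constructed, embedded samples), reports any issuer that a client would need but that the server did not send, and can optionally fetch a live listing with `openssl s_client` (assumed to be installed; the hostname and port 636 are placeholders).

```python
"""Check whether a TLS server presents its intermediate CA certificates.

Added example, not part of the original thread. It parses the
"Certificate chain" section that `openssl s_client` prints and flags any
issuer that is neither self-signed nor served by the peer, which is the
symptom described in the post (only depth 0 is sent)."""
import re
import subprocess
from typing import List, Tuple

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# Constructed sample inputs, copied from the two chain listings in the post.
GOOD_CHAIN = """\
Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

BAD_CHAIN = """\
Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
"""


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    chain = []
    subject = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_gaps(text: str) -> List[str]:
    """Issuers a client would need but the server did not present.

    A self-signed entry (subject == issuer) is a root and is never a gap:
    the client must already trust it, so serving it is optional."""
    chain = parse_chain(text)
    served = {subject for subject, _ in chain}
    gaps: List[str] = []
    for subject, issuer in chain:
        if issuer != subject and issuer not in served and issuer not in gaps:
            gaps.append(issuer)
    return gaps


def fetch_chain(host: str, port: int = 636) -> str:
    """Run openssl s_client (assumed installed) against an ldaps port and
    return its text output; stdin is closed so s_client exits at once."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=20, check=False)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        out = fetch_chain(sys.argv[1])   # e.g. ldap-netsvc.pbhware.com (placeholder)
    else:
        out = BAD_CHAIN                  # offline demo using the post's 6.8 listing
    for subject, issuer in parse_chain(out):
        print(f"served: {subject}\n   by:  {issuer}")
    gaps = chain_gaps(out)
    print("missing from served chain:", gaps or "none")
    sys.exit(1 if gaps else 0)
```

Run without arguments it replays the 6.8 listing from the post and reports the Let's Encrypt intermediate as missing; with a hostname it runs the same check against a live ldaps listener, exiting non-zero when the served chain has a gap, which makes it usable as a post-upgrade smoke test.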
