Error after Certificate updated in LDAP/AD Import Users

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
FLCUISIT
Posts: 93
Joined: Mon Feb 01, 2010 12:09 pm

Error after Certificate updated in LDAP/AD Import Users

Post by FLCUISIT »

We recently replaced an expired root certificate in Active Directory. When we are trying to authenticate via STARTTLS, I get the following error:

Unable to authenticate: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

Checked the certificate on the server with the following command:
openssl s_client -showcerts -connect servername.domain.tld:636 (with our true names) and am not getting any errors.

I have created a workaround which disabled encryption on LDAP for the time being, but I am trying to get down to the root cause and solution.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Error after Certificate updated in LDAP/AD Import Users

Post by ssax »

Please follow these steps and it should resolve it:

If your XI server OS version is RedHat/CentOS/Oracle:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /etc/pki/ca-trust/source/anchors/

Then run these commands:

    update-ca-trust extract
    systemctl restart httpd php-fpm

Then test it again.

If that still doesn't work, take your CA certs and put into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/openldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart httpd php-fpm

That should do it.

If that still doesn't resolve it (it should), please send the output of this command:
- Change your.ad.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636

If your XI server OS version is Ubuntu/Debian:

Take the CA certs and put them in individual files in this directory:
- NOTE: They must have a .crt extension on the files

    /usr/local/share/ca-certificates/

Then run these commands:

    sudo update-ca-certificates
    systemctl restart apache2

Then test it again.

If that still doesn't work, take your CA certs and put into this file (just one on top of the other in the file if you have multiple CA signer certs):

    /etc/openldap/certs/ca.pem

Then add this to your /etc/ldap/ldap.conf:

    TLS_CACERT /etc/openldap/certs/ca.pem

Then restart apache and try again:

    systemctl restart apache2

That should do it.

If that still doesn't resolve it (it should), please send the output of this command:
- Change your.ad.server before running

    echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
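Added example, not part of ssax's post: a small POSIX shell helper that turns a saved transcript of the diagnostic openssl command above into the individual .crt anchor files the steps ask for, skipping the server's own leaf certificate and surfacing the verify return code (20 is the "unable to get local issuer certificate" failure from the first post). The hostname and PEM bodies in the sample transcript are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a saved transcript of
#   echo 'DONE' | openssl s_client -showcerts -connect your.ad_or_ldap.server:636
# into one .crt file per issuing CA, ready for /etc/pki/ca-trust/source/anchors/
# (RHEL family) or /usr/local/share/ca-certificates/ (Debian family).

# Print the numeric "Verify return code" from the transcript (empty if absent).
# 0 means the chain verified; 20 is "unable to get local issuer certificate".
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Write every certificate after the first one to DEST/chain-N.crt.
# Block 0 is the server's own (leaf) certificate and is skipped: only the
# CA certificates belong in the trust store. Prints the number of files written.
split_issuers() {
    transcript=$1; dest=$2
    mkdir -p "$dest"
    awk -v dest="$dest" '
        /-----BEGIN CERTIFICATE-----/ { n++; if (n > 1) { out = sprintf("%s/chain-%d.crt", dest, n - 1); inblock = 1 } }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { if (inblock) close(out); inblock = 0 }
        END { print (n > 1 ? n - 1 : 0) }
    ' "$transcript"
}

# Constructed sample transcript (placeholder PEM bodies, not real certificates).
write_sample_transcript() {
    cat > "$1" <<'EOF'
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDERBASE64
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTPLACEHOLDERBASE64
-----END CERTIFICATE-----
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

tmp=$(mktemp -d)
write_sample_transcript "$tmp/transcript.txt"
echo "verify return code: $(verify_code "$tmp/transcript.txt")"
echo "issuer certs written: $(split_issuers "$tmp/transcript.txt" "$tmp/anchors")"
```

Inspect each extracted file (for example with openssl x509 -noout -subject -issuer) and confirm it is the CA you actually rolled out before copying it into the anchors directory and running update-ca-trust extract or update-ca-certificates; anchoring whatever the server happens to present would turn verification into a formality.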
FLCUISIT
Posts: 93
Joined: Mon Feb 01, 2010 12:09 pm

Re: Error after Certificate updated in LDAP/AD Import Users

Post by FLCUISIT »

That did the trick. Thanks for the help.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Error after Certificate updated in LDAP/AD Import Users

Post by benjaminsmith »

Excellent. We'll go ahead close this out, but feel free to contact us again if you have any questions.

Have a great weekend!

--Benjamin