ssl certificate verify failed for AD

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
marquetteu
Posts: 47
Joined: Tue Nov 13, 2012 12:08 pm

ssl certificate verify failed for AD

Post by marquetteu »

Trying to set up a new Nagios server, and I keep getting the following error:

Unable to authenticate: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
I've put the entire chain into the Certificate authority management section:

adauth.marquette.edu	InCommon RSA Server CA	Wed Jun 01 2022 18:59:59 GMT-0500 (Central Daylight Time)	
InCommon RSA Server CA	USERTrust RSA Certification Authority	Sat Oct 05 2024 18:59:59 GMT-0500 (Central Daylight Time)	
USERTrust RSA Certification Authority	AAA Certificate Services	Sun Dec 31 2028 17:59:59 GMT-0600 (Central Standard Time)	
AAA Certificate Services	AAA Certificate Services	Sun Dec 31 2028 17:59:59 GMT-0600 (Central Standard Time)	
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: ssl certificate verify failed for AD

Post by jbrunkow »

Is the certificate you are using self-signed? If so, you may need to add other certificates that are used in the chain.
For connecting over SSL/TLS, or STARTTLS, using self-signed certificates, you will need to add the certificate(s) of the domain controller(s) to the local certificate authority so they are trusted. If any certificate was signed by a host other than itself, that certificate authority/host certificate needs to be added.
Can you refer me to a document or article if you are using one? It sounds like you may be following the document linked below.
SSL WITH AD ON XI
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
marquetteu
Posts: 47
Joined: Tue Nov 13, 2012 12:08 pm

Re: ssl certificate verify failed for AD

Post by marquetteu »

The certificate is signed by GlobalSign. The hostname that I'm hitting is handled by an F5, which runs on 636 and has the certificates, and which then acts as the go-between, as the domain controllers do not encrypt traffic.

quick diagram:
nagios -> ssl/636 -> f5 -> 389 -> DC

To get the cert I'm using openssl:

openssl s_client -showcerts -connect adauth.marquette.edu:636 > ldapsrv1.crt
I got the command from an older XI document (attached)

and then taking the certs out of the ldapsrv1.crt file.

Do I need to put the cert in /etc/openldap/ldap.conf as well?
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: ssl certificate verify failed for AD

Post by jbrunkow »

I'm afraid that document might be a little outdated. Can you please try following the one linked below instead?
USING SSL WITH AD ON XI
It outlines a different method of obtaining a certificate. The result is a .cer file, not a .crt file, so I'm wondering if that's causing a problem.
marquetteu
Posts: 47
Joined: Tue Nov 13, 2012 12:08 pm

Re: ssl certificate verify failed for AD

Post by marquetteu »

All of the methods outlined in the article you linked require access to the LDAP servers (method 1 to the Windows server, method 2 to a web page, which we don't run, and method 3 shell access to the LDAP server), which I don't have, which is why I used the old document to get the certs using openssl. Are there any ways to get the cert without needing direct access to the LDAP servers?
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: ssl certificate verify failed for AD

Post by jbrunkow »

I do not believe there is a way to obtain an SSL certificate without having access to the LDAP server. The article you were following specifies that the openssl command you were using must be run "from the LDAP server...as root."

Did you decode the certificate? It looks like the old document says to do that as well.
marquetteu
Posts: 47
Joined: Tue Nov 13, 2012 12:08 pm

Re: ssl certificate verify failed for AD

Post by marquetteu »

Yes, I decoded the certificate. I know the cert acquisition works because I use this same method for Apache/basic LDAP auth.
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: ssl certificate verify failed for AD

Post by jbrunkow »

What is the output of this command?

openssl s_client -showcerts -connect adauth.marquette.edu:636
Can you please screenshot your AD / LDAP settings as well, with the Auth Server expanded?

See the following article for information on how to enable debug logging.
Enable Debug logging

If you are dealing with RHEL 7, you could try putting the certificate in /etc/pki/ca-trust/source/anchors/ and running the following command.

update-ca-trust extract
You could also tail the Apache error logs, test the connection, then hit Ctrl + C to stop tailing the log in the command line.

tail -Fn0 /var/log/httpd/*error_log
If you would like to dive even deeper into analyzing this problem, you could even intercept the traffic with tcpdump and analyze that. But, just like with tail, make sure that you end the process shortly after you perform a test so that we don't accidentally gather a large amount of irrelevant data.

tcpdump -i 'any' -w /tmp/<IPAddress>-output.pcap
marquetteu
Posts: 47
Joined: Tue Nov 13, 2012 12:08 pm

Re: ssl certificate verify failed for AD

Post by marquetteu »

$ openssl s_client -showcerts -connect adauth.marquette.edu:636
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 53233, ST = Wisconsin, L = Milwaukee, street = 1250 W. Wisconsin Ave., O = Marquette University, OU = IT Services, CN = adauth.marquette.edu
verify return:1
---
Certificate chain
 0 s:C = US, postalCode = 53233, ST = Wisconsin, L = Milwaukee, street = 1250 W. Wisconsin Ave., O = Marquette University, OU = IT Services, CN = adauth.marquette.edu
   i:C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
 1 s:C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
subject=C = US, postalCode = 53233, ST = Wisconsin, L = Milwaukee, street = 1250 W. Wisconsin Ave., O = Marquette University, OU = IT Services, CN = adauth.marquette.edu

issuer=C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA

---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6343 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 35541D7DD0EFABB188F261B5B13A9EC735B1075DB7DA9243865091584519F15C
    Session-ID-ctx:
    Master-Key: C2D96616E9E3AACFA447E1D71CB979322A02069048E13AC725C1F3058E3D63E345EF2D823A5BBB49FF1DF9B2BB96CE57
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1595618856
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

read:errno=104
Which cert should be put in the anchors? The one for the LDAP server or the ones for the chain?

I did a tail on the error log and nothing showed up. The test I'm trying to do is Manage Users, Add users from LDAP/AD, and that is when I get

    Unable to authenticate: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
Using tcpdump I see:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)
jbrunkow
Posts: 441
Joined: Fri Mar 13, 2020 10:45 am

Re: ssl certificate verify failed for AD

Post by jbrunkow »

The trouble must be with the self-signed certificate.

You will need to add all of the certificates except the actual server you are querying. Add them to the following folder.

/etc/pki/ca-trust/source/anchors/
Then run this command.

update-ca-trust extract
...and restart Apache.

service httpd restart
Can we please see your LDAP config as well?

ls -l /etc/openldap
ls -l /etc/openldap/certs
ls -l /etc/openldap/cacerts
cat /etc/openldap/ldap.conf
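Added example (not from the thread or from Nagios): a shell splitter for the chain-install step the reply above describes. It takes saved `openssl s_client -showcerts` output, drops block 0 (the LDAP server's own leaf certificate), and writes each remaining intermediate and root certificate to its own file ready for the anchors directory; the anchor path and commands are the ones from the thread, and the sample input is constructed with dummy PEM bodies rather than real certificates.

```shell
# Added example (not the poster's or Nagios' own code): split the PEM blocks
# out of `openssl s_client -showcerts` output, skipping block 0 (the LDAP
# server's own leaf cert), since only the intermediates and the self-signed
# root belong in /etc/pki/ca-trust/source/anchors/.

# Usage: split_chain_skip_leaf <s_client-output-file> <dest-dir>
# Writes chain-1.pem, chain-2.pem, ... and prints how many were written.
split_chain_skip_leaf() {
    mkdir -p "$2"
    awk -v dest="$2" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; n++; out = dest "/chain-" (n - 1) ".pem" }
        inblock && n > 1 { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; if (n > 1) close(out) }
        END { printf "%d\n", (n > 1 ? n - 1 : 0) }
    ' "$1"
}

# Install step from the thread for RHEL/CentOS 7; run as root on the XI server.
install_chain_anchors() {
    cp "$1"/chain-*.pem /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
    service httpd restart
}

# Constructed sample shaped like the thread's s_client output; the PEM bodies
# are dummy text, not real certificates, so the splitter can run offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
---
Certificate chain
 0 s:CN = adauth.marquette.edu
   i:CN = InCommon RSA Server CA
-----BEGIN CERTIFICATE-----
LEAF-DUMMY-BODY
-----END CERTIFICATE-----
 1 s:CN = InCommon RSA Server CA
   i:CN = USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
INTERMEDIATE-DUMMY-BODY
-----END CERTIFICATE-----
 2 s:CN = AAA Certificate Services
   i:CN = AAA Certificate Services
-----BEGIN CERTIFICATE-----
SELF-SIGNED-ROOT-DUMMY-BODY
-----END CERTIFICATE-----
---
EOF
DEST=$(mktemp -d)
split_chain_skip_leaf "$SAMPLE" "$DEST"   # prints 2 (chain-1.pem, chain-2.pem)
```

Feed it the file saved from the `openssl s_client -showcerts` command above, then pass the output directory to install_chain_anchors on the XI server.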