Cannot verify LDAPS SSL certificate on Debian installation
Please see http://projects.theforeman.org/issues/2435#change-41267 for details
#4 Updated by Dominic Cleal over 5 years ago
I'm unable to reproduce this at all. I tested on 1.7.4 and Ubuntu 14.04 with an LDAPS server that wouldn't verify out of the box, added my .crt to /usr/local/share/ca-certificates, ran update-ca-certificates, and the next time I logged in it worked.
My only other idea, if the s_client is working, is whether the hostname in the LDAP authentication config in Foreman is exactly what's on the certificate?
#5 Updated by Vasil Mikhalenya over 5 years ago
Sure. Name and Server exactly match first cert cn in chain.
v-foreman:~# openssl s_client -CApath /etc/ssl/certs -connect dc.corp.domain.local:636
depth=2 CN = Corp Root CA
depth=1 CN = Corp Issuing SubCA 1
depth=0 CN = dc.corp.domain.local
Is the only option to upgrade Ubuntu to 14.04? Going to try to complete it this week.
#8 Updated by Vasil Mikhalenya over 5 years ago
The issue is present on Ubuntu 14.04 and CentOS 7 (SCL ruby193-) with Foreman 1.8, so it's actually not a Debian-related issue.
I suppose the root of the issue is in the cert chain; I have two certs in the chain.
[v-foreman ~]# openssl s_client -CApath /etc/pki/tls/certs/ -connect dc.corp.local:636
CONNECTED(00000003)
depth=1 CN = Corp Issuing SubCA 1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
After trusting both certs:
[v-foreman ~]# openssl s_client -CApath /etc/pki/tls/certs/ -connect dc.corp.local:636
CONNECTED(00000003)
depth=2 CN = Corp Root CA
verify return:1
depth=1 CN = Corp Issuing SubCA 1
verify return:1
depth=0 CN = dc.corp.local
verify return:1
---
#9 Updated by Vasil Mikhalenya over 5 years ago
Seems like we might close the ticket after updating the docs. I've got LDAPS working by joining both certs in one file.
cat Corp_RCA.crt Corp_PICA.crt > Corp_INT.crt
ln -f -s Corp_INT.crt /etc/pki/tls/certs/$(openssl x509 -noout -hash -in /etc/pki/tls/certs/Corp_INT.crt).0
Also works for Ubuntu after update-ca-certificates -v -f.
You should also stop and start httpd.
#10 Updated by Dominic Cleal over 5 years ago
- Status changed from New to Resolved
Thanks for the update Vasil - I updated the documentation to match your findings: https://github.com/theforeman/theforeman.org/commit/3affcfba41845fe47838d4bfc8cc4090d647b3f5
#11 Updated by Vasil Mikhalenya over 5 years ago
It is obvious that all certs should be trusted, but it only works for Foreman (Ruby) when you add the certs concatenated in one file (not separate, i.e. one cert per file as I did originally) to the trusted store. That was my point, and this is the difference from openssl s_client -CApath /etc/pki/tls/certs/, which works with both options.
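An added worked example (written for this page; not code from the thread or from Foreman), in Ruby since Foreman's LDAP verification goes through Ruby's OpenSSL bindings. It builds a constructed three-tier chain with the CNs seen in the s_client output, loads trust anchors from a single concatenated PEM file as in comment #9, and reports the failing depth and error code the way s_client does. Keys, certificates and the temp file path are constructed test data.

```ruby
require 'openssl'
require 'tempfile'

# Build a self-signed or issuer-signed X.509 certificate (constructed test data, not a real CA).
def make_cert(cn, key, serial:, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Three-tier chain with the same CNs as the thread: root -> issuing sub-CA -> LDAPS host.
ROOT_KEY, SUB_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Corp Root CA', ROOT_KEY, serial: 1, ca: true)
SUB  = make_cert('Corp Issuing SubCA 1', SUB_KEY, serial: 2, ca: true, issuer: ROOT, issuer_key: ROOT_KEY)
LEAF = make_cert('dc.corp.local', LEAF_KEY, serial: 3, ca: false, issuer: SUB, issuer_key: SUB_KEY)

# Concatenate the given certs into ONE PEM file (the `cat Corp_RCA.crt Corp_PICA.crt` step)
# and load it with Store#add_file, which reads every certificate in the file.
def store_from_bundle(certs)
  store = OpenSSL::X509::Store.new
  Tempfile.create(['ca-bundle', '.crt']) do |f|
    f.write(certs.map(&:to_pem).join)
    f.flush
    store.add_file(f.path)
  end
  store
end

# Verify LEAF against a store, optionally with the intermediates a server would send in the
# TLS handshake. Returns [ok, error_code, error_depth]; code 20 is "unable to get local
# issuer certificate", the error shown in the s_client output above.
def verify_leaf(store, untrusted: [])
  ctx = OpenSSL::X509::StoreContext.new(store, LEAF, untrusted)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_depth]
end

p verify_leaf(OpenSSL::X509::Store.new, untrusted: [SUB])  # [false, 20, 1]: nothing trusted above SubCA
p verify_leaf(store_from_bundle([ROOT]))                    # [false, 20, 0]: SubCA neither trusted nor sent
p verify_leaf(store_from_bundle([ROOT, SUB]))[0]            # true: one bundle file covers the whole chain
```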