OpenLDAP server: chaining of SSL certificates (Let's Encrypt) does not work as expected

Solution 1:

As @Timor said:

OpenLDAP's slapd simply does not send the certificate chain to clients during the TLS handshake, even if a bundle of server certificate and intermediate certificate has been provided to it as its certificate.

I had this problem when I was using olcSyncrepl to replicate an ldaps server with tls_reqcert=demand, and slapd was generating the error ldap_sasl_bind_s failed (-1).

A simple workaround that I have found is to put the intermediate certificate into a file (possibly /etc/ssl/certs/ca-certificates.crt on Ubuntu) and set tls_cacert=/etc/ssl/certs/ca-certificates.crt in the olcSyncrepl value.
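
As an added example (not code from the answer above), this is how the olcSyncrepl change from Solution 1 looks as an ldapmodify run, keeping tls_reqcert=demand rather than relaxing it: tls_reqcert=never would also make the -1 error disappear, but only by turning server authentication off. The database DN olcDatabase={1}mdb,cn=config, the rid, bind DN, search base and the bundle path are assumed values; the script also assumes the consumer has a single olcSyncrepl value, so "replace" is safe. One caveat on the file name in the answer: on Ubuntu, /etc/ssl/certs/ca-certificates.crt is regenerated by update-ca-certificates, so an intermediate appended to it by hand is lost on the next run; a separate file such as /etc/ssl/certs/imedrootbundle.pem survives that.

```shell
#!/bin/sh
# Added example, not code from the answer: point an olcSyncrepl consumer at a
# CA bundle while keeping certificate validation on (tls_reqcert=demand).
# Assumptions (mine, not from the page): the consumer database is
# olcDatabase={1}mdb,cn=config and carries exactly one olcSyncrepl value.
set -eu

# Emit the LDIF for ldapmodify. The whole olcSyncrepl value is one line of
# key=value pairs; tls_reqcert stays "demand" and tls_cacert names the bundle
# that contains the intermediate (and root) the provider's chain needs.
syncrepl_ldif() {
    rid="$1"; provider="$2"; binddn="$3"; credentials="$4"; searchbase="$5"; bundle="$6"
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=$rid provider=$provider bindmethod=simple binddn="$binddn" credentials=$credentials searchbase="$searchbase" type=refreshAndPersist retry="60 +" tls_reqcert=demand tls_cacert=$bundle
EOF
}

# A bundle that is unreadable or holds no certificate would leave slapd
# failing the bind with the same -1 error after the change, so refuse early.
bundle_ok() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Apply the change over ldapi:/// with SASL EXTERNAL (run as root on the consumer).
apply_syncrepl() {
    bundle="$6"
    bundle_ok "$bundle" || { echo "CA bundle $bundle is missing or empty" >&2; return 1; }
    syncrepl_ldif "$@" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Example invocation (values are placeholders):
# apply_syncrepl 001 ldaps://ldap.example.com:636 "cn=replicator,dc=example,dc=com" \
#     secret "dc=example,dc=com" /etc/ssl/certs/imedrootbundle.pem
```

After applying, confirm the consumer actually syncs (for example by comparing contextCSN on provider and consumer) rather than only checking that ldapmodify returned success; a wrong bundle shows up as the same bind error in the consumer's log, not as an ldapmodify failure.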

Solution 2:

OpenLDAP's slapd simply does not send the certificate chain to clients during the TLS handshake, even if a bundle of server certificate and intermediate certificate has been provided to it as its certificate.

The only suitable workaround that does not turn certificate validation off on the clients is the following.

  • create a certificate bundle from the intermediate certificate and the root certificate
  • make the client use this bundle as its trusted CA certificate, so that it can build the complete chain and validate it; this works at least with software that is compiled against the OpenLDAP libraries
    • OpenLDAP command line clients as ldapmodify, ldapsearch:
      add TLS_CACERT imedrootbundle.pem to either ~/.ldaprc or the system-wide /etc/openldap/ldap.conf
    • dovecot:
      add tls_ca_cert_file = imedrootbundle.pem to your /etc/dovecot/dovecot-ldap.conf.ext file
    • postfix:
      add tls_ca_cert_file = imedrootbundle.pem to all of the .cf files that you use as Postfix dictionaries to query your directory

Keep in mind, though, that the root certificate is not provided by Let's Encrypt's certbot and may change in the future, thus rendering your intermediate/root certificate bundle useless. I set up a hook script with certbot that checks the intermediate certificate's issuer and tries to select the correct root certificate based on those that I know of. It complains if it can't find one. This at least breaks everything in a controlled manner early in the process.
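
The following is an added example of such a hook, not the answer author's script, and it serves both answers: it produces the imedrootbundle.pem that Solution 2's clients consume and that Solution 1's tls_cacert can point at. It differs from the author's approach in one respect: instead of matching the intermediate's issuer against a hard-coded list of known roots, it looks the issuer up in a rehashed CA directory (Ubuntu's /etc/ssl/certs has <subject_hash>.N links for every trusted CA) and insists that the candidate root actually verifies the intermediate, since a name hash alone is not proof of issuance. It assumes certbot's chain.pem contains only the intermediate(s) with the one signed by the root last, that certbot sets RENEWED_LINEAGE when it runs the hook, and that the output path (BUNDLE_OUT) and CA directory (CA_DIR) are as given; all of these are my assumptions.

```shell
#!/bin/sh
# Added example, not the answer author's hook: a certbot deploy hook that
# rebuilds the "intermediate + root" bundle (imedrootbundle.pem) on every
# renewal and fails loudly, before anything is overwritten, if the root that
# issued the intermediate is not trusted locally.
# Assumptions (mine, not from the page):
#   - $RENEWED_LINEAGE/chain.pem (written by certbot) holds only the
#     intermediate(s); the last PEM block is the one signed by the root.
#   - roots are found in a rehashed CA directory such as Ubuntu's
#     /etc/ssl/certs, where <subject_hash>.N links point at each CA.
#   - $BUNDLE_OUT is where the LDAP clients expect imedrootbundle.pem.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The N-th (1-based) certificate block of a PEM bundle, and nothing else.
pem_nth() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Locate the root that issued the given intermediate: hash its issuer name,
# then try every <hash>.N file in the CA directory until one really verifies
# it. Prints the path of the matching root, or fails.
find_root_for() {
    inter="$1"; cadir="$2"
    hash=$(openssl x509 -in "$inter" -noout -issuer_hash)
    i=0
    while [ -e "$cadir/$hash.$i" ]; do
        cand="$cadir/$hash.$i"
        if openssl verify -CAfile "$cand" "$inter" >/dev/null 2>&1; then
            echo "$cand"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no trusted root found for the issuer of $inter (hash $hash)" >&2
    return 1
}

# Write chain.pem + root to $3, but only after checking that the bundle
# validates the first intermediate the way an OpenLDAP client will.
build_ca_bundle() {
    chain="$1"; cadir="$2"; out="$3"
    n=$(pem_count "$chain")
    [ "$n" -ge 1 ] || { echo "$chain contains no certificate" >&2; return 1; }
    work=$(mktemp -d)
    pem_nth "$chain" "$n" > "$work/top.pem"
    pem_nth "$chain" 1 > "$work/first.pem"
    if ! root=$(find_root_for "$work/top.pem" "$cadir"); then
        rm -rf "$work"; return 1
    fi
    cat "$chain" "$root" > "$work/bundle.pem"
    if ! openssl verify -CAfile "$work/bundle.pem" "$work/first.pem" >/dev/null 2>&1; then
        echo "bundle built from $root does not validate $chain" >&2
        rm -rf "$work"; return 1
    fi
    install -m 0644 "$work/bundle.pem" "$out"
    rm -rf "$work"
    echo "wrote $out ($((n + 1)) certificates, root: $root)" >&2
}

# certbot exports RENEWED_LINEAGE for deploy hooks; without it (manual run,
# sourcing for tests) nothing is touched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_ca_bundle "$RENEWED_LINEAGE/chain.pem" \
        "${CA_DIR:-/etc/ssl/certs}" \
        "${BUNDLE_OUT:-/etc/ssl/certs/imedrootbundle.pem}"
fi
```

Install it with certbot's --deploy-hook (or under /etc/letsencrypt/renewal-hooks/deploy/); because the hook exits non-zero when no trusted root matches, a change of root on Let's Encrypt's side surfaces as a failed renewal run instead of as clients that silently stop validating.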