LDAPS and adding new CA to trust store
Hi,
I have recently moved a number of Wordpress sites to my server that use an LDAP/S authentication plugin to authenticate against another host. The LDAP host uses an internal CA for its certificates. On the server where I moved them from, I added this to the httpd.conf file before the virtual host containers, and that seemed to work.
LDAPVerifyServerCert Off
I have tried adding that with the Apache include editor on the new cPanel server, in all 3 areas, with no effect. I have also tried adding the custom CA root and intermediary certificates to the cPanel server (CentOS 6).
I still get
TLS: certificate [redacted] is not valid - error -8179:Peer's Certificate issuer is not recognized..
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 30 ......0
TLS: error: connect - force handshake failure: errno 2 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So I have to assume the private CA is not installed on my end, so the cert is not trusted. I know the ports are open, and I can authenticate fine over ldap (port 389), just not ldaps (port 636). I've been scratching my head for hours and am out of ideas... Any suggestions?
-
Just to follow up here, in case anyone else stumbles across this... I had a couple issues and discovered a few things. Ultimately, there's a file at /etc/openldap/ldap.conf
It has a configuration for
TLS_CACERTDIR /etc/openldap/cacerts
which was wrong. That directory didn't even exist. Once that was corrected and my CA was being recognized, I realized I had a name mismatch in the SSL cert (I was trying to connect via IP address and the cert was based on a name). Although I'll probably put an entry in my /etc/hosts file for now, as the name in the cert is an internal only name and not a FQDN, I also discovered that you can put the following in the ldap.conf file for blind trust.
TLS_REQCERT allow
Most of the pointers I found were in
-
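A small audit script for the two ldap.conf problems described in this follow-up (a TLS_CACERTDIR/TLS_CACERT path that does not exist, so the private CA is never loaded, and a TLS_REQCERT value that stops the client from requiring a valid server certificate). This is an added example, not something posted in the thread; the sample config files and the paths it writes under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Audit the TLS settings of an OpenLDAP client ldap.conf.
# Returns the number of findings as the exit status (0 = clean).
ldap_tls_audit() {
    conf=$1
    findings=0
    # Keys in ldap.conf are case-insensitive; comments start with '#'.
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$conf")
    cafile=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf")
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf")

    # Finding 1: trust anchor path configured but absent (the bug in the thread).
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "FINDING: TLS_CACERTDIR $cadir does not exist; the CA will not be loaded"
        findings=$((findings + 1))
    fi
    if [ -n "$cafile" ] && [ ! -f "$cafile" ]; then
        echo "FINDING: TLS_CACERT $cafile does not exist; the CA will not be loaded"
        findings=$((findings + 1))
    fi

    # Finding 2: 'never', 'allow' and 'try' all let the bind proceed without a
    # verified server certificate; only 'demand' (the default) enforces it.
    case "$reqcert" in
        never|allow|try)
            echo "FINDING: TLS_REQCERT $reqcert does not require a valid server cert; use demand"
            findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Constructed sample configs (not from the thread) to exercise the audit.
TMP=$(mktemp -d)
printf '# constructed placeholder for the internal CA bundle\n' > "$TMP/ca.pem"
WEAK_CONF=$TMP/weak.conf      # points at a directory that is never created
printf 'TLS_CACERTDIR %s/cacerts\nTLS_REQCERT allow\n' "$TMP" > "$WEAK_CONF"
FIXED_CONF=$TMP/fixed.conf    # existing CA bundle, verification enforced
printf 'TLS_CACERT %s/ca.pem\nTLS_REQCERT demand\n' "$TMP" > "$FIXED_CONF"

rc=0; ldap_tls_audit "$WEAK_CONF" || rc=$?
echo "weak.conf: $rc finding(s)"
rc=0; ldap_tls_audit "$FIXED_CONF" || rc=$?
echo "fixed.conf: $rc finding(s)"
```

Run it against the real /etc/openldap/ldap.conf by calling `ldap_tls_audit /etc/openldap/ldap.conf`; a non-zero exit status means at least one of the two conditions above was found.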
Hello @verdon, thanks for taking the time to share the outcome here. I've marked this thread as SOLVED.