OpenLDAP: TLS error -8179:Peer's Certificate issuer is not recognized

Tags:

ssl

openldap

I'm not familiar with certificates and openldap. I'm trying to port someone else's work from an older OS to CentOS-6 with openldap-2.4.23. On the old OS, an ldap connection worked without issue. Now on CentOS-6, I get the following error when doing a simple bind:

TLS error -8179:Peer's Certificate issuer is not recognized.

My /etc/openldap/ldap.conf has a single line:

TLS_CACERTDIR   /etc/openldap/certs

I tried commenting out that line and putting the following into the file but that didn't change the error message I received.

tls_reqcert allow

I also tried putting only the following line in ldap.conf but that didn't change the error. I tried this based on information found in this question.

LDAPTLS_CACERT  /etc/ssl/certs/ca-bundle.crt

I copied files into the following directories:

/etc/pki/tls/certs/ca.crt

/etc/pki/tls/certs/server.crt

/etc/pki/tls/private/server.key

I have no choice but to use openldap-2.4.23. Any idea what is causing this error or what I can do to troubleshoot?

Thanks in advance. SP

user3748237 asked Jul 30 '14 11:07



1 Answer

As per http://www.zytrax.com/books/ldap/ch6/ldap-conf.html, TLS_CACERT should point to the file containing the CA cert that the client will use to verify the certificate. You need to make sure that your server's CA [the CA that signed your server certificate] is present in the file that TLS_CACERT points to [in your case /etc/ssl/certs/ca-bundle.crt].

Yuvika answered Oct 27 '22 05:10
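The check the answer describes, as an added example that is not part of the question or the answer: the script below builds a throwaway CA, signs a server certificate with it, and then runs the issuer check the LDAP client performs, once against the file that really contains the issuer and once against an unrelated CA standing in for a ca-bundle.crt that lacks it. Error -8179 is SEC_ERROR_UNKNOWN_ISSUER from Mozilla NSS (the TLS library the CentOS 6 OpenLDAP build uses); `openssl verify` reports the same condition as "unable to get local issuer certificate". The script assumes the `openssl` command-line tool is installed; every subject name, file name and directory in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answer). All names, paths and
# subjects are constructed for the demo; only the openssl CLI is assumed.
set -e

# make_demo_pki DIR: create in DIR
#   ca.crt       the issuing CA
#   server.crt   a server certificate signed by ca.crt
#   other-ca.crt a CA that did NOT sign server.crt (a bundle missing the issuer)
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Throwaway issuing CA (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server key and CSR, then a certificate signed by the demo CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
    # An unrelated CA: what the client sees when TLS_CACERT points at a
    # bundle that does not contain the server's issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: exit 0 when CERT chains to a CA in CAFILE,
# non-zero otherwise. This is the verification TLS_CACERT configures.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# chain_status CAFILE CERT: print "trusted" or "unknown-issuer".
chain_status() {
    if verify_chain "$1" "$2"; then
        echo trusted
    else
        echo unknown-issuer
    fi
}

# Demo run: the same server certificate, two different CA files.
demo_dir="$(mktemp -d)"
make_demo_pki "$demo_dir"
echo "CA file containing the issuer: $(chain_status "$demo_dir/ca.crt" "$demo_dir/server.crt")"
echo "CA file missing the issuer:    $(chain_status "$demo_dir/other-ca.crt" "$demo_dir/server.crt")"
# OpenSSL's wording of the failure that NSS reports as -8179.
openssl verify -CAfile "$demo_dir/other-ca.crt" "$demo_dir/server.crt" 2>&1 | grep -i issuer || true
rm -rf "$demo_dir"
```

Against a live server the same check is `openssl s_client -connect HOST:636 -CAfile /etc/ssl/certs/ca-bundle.crt` (HOST being a placeholder for the LDAP server), which prints "Verify return code: 0 (ok)" only when the bundle holds the issuer; `openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt /etc/pki/tls/certs/server.crt` answers the question offline with the copied server.crt. A candidate CA file can also be tried without editing ldap.conf by setting the environment variable form of the directive, e.g. `LDAPTLS_CACERT=/path/to/ca.crt ldapsearch -ZZ ...`, which is what distinguishes LDAPTLS_CACERT (environment) from TLS_CACERT (ldap.conf directive).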