openldap TLS error -8179:Peer's Certificate issuer is not recognized


The reason I received those errors was that I did not have the LDAP server's certificates installed on my server. The LDAP server doesn't need to have my server's certs installed.

I contacted someone within my company who was able to provide two certificates, a root cert and an intermediary cert, both in DER format. Notably, these certificates were not the same as those I received using the openssl s_client -showcerts command. I followed this link to convert them from DER to PEM, like this:

openssl x509 -in root.cer -inform der -outform pem -out root.pem
openssl x509 -in intermediary.cer -inform der -outform pem -out intermediary.pem
# Combine these files into one cert in exactly this order
cat root.pem > master.pem
cat intermediary.pem >> master.pem

I could then issue this command fine:

openssl s_client -connect myhost:636 -CAfile /path/to/master.pem

And to connect in Python:

import ldap
# point to the cert
cert_file='/path/to/master.pem'
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cert_file)
con = ldap.initialize('ldaps://myhost.com')
dn = 'CN=me,DC=myhost,DC=com'
pw = 'password'
con.simple_bind_s(dn, pw)
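As an added example (not code from the original post), the same two steps in Python with only the standard library: build the root-then-intermediate PEM bundle from DER or PEM files, then perform the LDAPS handshake trusting only that bundle, which is the client-side check that produced the error above and the equivalent of the openssl s_client -CAfile test. The host name, port and file names are placeholders.

```python
import socket
import ssl
from pathlib import Path


def to_pem(raw: bytes) -> str:
    """Return one certificate as PEM text, converting from DER if needed.

    DER starts with the ASN.1 SEQUENCE tag 0x30; PEM is ASCII with a BEGIN
    CERTIFICATE header.  Stdlib equivalent of `openssl x509 -inform der -outform pem`.
    """
    if raw.lstrip().startswith(b"-----BEGIN"):
        return raw.decode("ascii")
    if raw[:1] != b"\x30":
        raise ValueError("input is neither a DER nor a PEM certificate")
    return ssl.DER_cert_to_PEM_cert(raw)


def build_ca_bundle(cert_blobs, out_path=None) -> str:
    """Concatenate CA certs (root first, then intermediates) into one PEM
    trust bundle; optionally write it out for OPT_X_TLS_CACERTFILE."""
    bundle = "".join(to_pem(blob) for blob in cert_blobs)
    if out_path is not None:
        Path(out_path).write_text(bundle)
    return bundle


def verify_ldaps_chain(host: str, bundle_path: str, port: int = 636) -> dict:
    """TLS handshake with the LDAPS server, trusting ONLY the given bundle.

    Same check as `openssl s_client -CAfile bundle.pem`: the client verifies
    the server's chain, so the client, not the LDAP server, needs the CA
    certificates.  Raises ssl.SSLCertVerificationError when the issuer is
    not in the bundle, which is the 'issuer is not recognized' case above.
    """
    ctx = ssl.create_default_context(cafile=bundle_path)  # bundle only, no system CAs
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert["subject"], "issuer": cert["issuer"]}


if __name__ == "__main__":
    # Placeholder file names: the two DER certs the company CA team provided.
    blobs = [Path(p).read_bytes() for p in ("root.cer", "intermediary.cer")]
    build_ca_bundle(blobs, "master.pem")
    print(verify_ldaps_chain("myhost.com", "master.pem"))
```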


Author: Matthew Moisen

Backend engineer specializing in Python and RDBMS.

Updated on September 18, 2022

Comments

  • Matthew Moisen (over 1 year)

    tl;dr Does this error mean that I need to find my company's LDAP server's public certificate and install it, or that my company's LDAP server needs to install my public cert? If the former, how can I grab the certs and install them?


    I'm attempting to integrate an application with my company's LDAP. I'm very new to LDAP and SSL, so I apologize in advance. I can do this successfully over non-SSL but am hitting this issue when I attempt to do this over SSL. I am on RHEL 6.4 with OpenLDAP version 2.4.

    Using either ldapsearch

    ldapsearch -v -h myhost.com -b 'DC=myhost,DC=com' -D 'CN=me,DC=myhost,DC=com' -x -W -Z
    

    or Python

    import ldap
    con = ldap.initialize('ldaps://myhost.com')
    dn = 'CN=me,DC=myhost,DC=com'
    pw = 'password'
    con.simple_bind_s(dn, pw)
    

    results in:

    ldap_start_tls: Connect error (-11)
        additional info: TLS error -8179:Peer's Certificate issuer is not recognized.
    

    Does this mean that I need to find my company's ldap server's public certificate and install it somewhere, for example, /etc/openldap/certs? Or, does it mean that I need to tell my company's ldap server to approve my public certificate?

    openssl s_client -connect myhost.com:636
    

    This dumps a certificate, but at the end says:

    Verify return code: 20 (unable to get local issuer certificate)
    

    Again, I'm unsure if this means that I need the ldap server's certs or vice versa.

    I did try to see the certificate chain like this:

    openssl s_client -showcerts -connect myhost.com:636
    

    I copied the certificates in order and made a file like so, named cert.pem:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    

    I tried this:

    openssl s_client -connect myhost.com:636 -cert /path/to/cert.pem
    

    but it failed with:

    unable to load client certificate private key file
    140503604590408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:
    Expecting: ANY PRIVATE KEY
    

    (I also tried -CAfile and -CApath on this, but I received the unable to get local issuer certificate.)

    I recreated the pem file but this time included my server's private key, and cert, followed by the ldap server's certs, but received the same error (Verify return code: 20 (unable to get local issuer certificate)) again.

    Am I creating these certificate files incorrectly?

  • Matthew Moisen (about 8 years)
    We run the non-SSL LDAP on the default 389, and SSL LDAP on the default 636. I tried openssl s_client to connect to the non-SSL port and it failed with errno=104, presumably because it doesn't use SSL.
  • Christopher Schultz (over 7 years)
    Had you used the output of openssl s_client, you would not have had to convert from DER to PEM.