openldap TLS error -8179:Peer's Certificate issuer is not recognized
The reason why I received those errors was because I did not have the ldap server's certificates installed on my server. The ldap server doesn't need to have my server's certs installed.
I contacted someone within my company who was able to provide two certificates, a root cert and an intermediary cert, both in der format. Notably, these certificates were not the same as those I received using the openssl s_client -showcerts command. I followed this link to convert them from der to pem, like this:
openssl x509 -in root.cer -inform der -outform pem -out root.pem
openssl x509 -in intermediary.cer -inform der -outform pem -out intermediary.pem
# Combine these files into one cert in exactly this order
cat root.pem > master.pem
cat intermediary.pem >> master.pem
I could then issue this command fine:
openssl s_client -connect myhost:636 -CAfile /path/to/master.pem
And to connect in Python:
import ldap
# point to the cert
cert_file='/path/to/master.pem'
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cert_file)
con = ldap.initialize('ldaps://myhost.com')
dn = 'CN=me,DC=myhost,DC=com'
pw = 'password'
con.simple_bind_s(dn, pw)
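The same workflow in pure Python, as an added example rather than code from the answer above: it converts DER certificates to PEM (what the openssl x509 commands do), concatenates them into one CA bundle, refuses a bundle that contains a private key (the mistake behind the "Expecting: ANY PRIVATE KEY" error in the question), and then binds with python-ldap while requiring a verified server certificate instead of relaxing verification. The DER blobs, file names and ldaps_connect parameters are constructed assumptions.

```python
import ssl
from pathlib import Path


def der_to_pem(der_bytes: bytes) -> str:
    """Equivalent of `openssl x509 -inform der -outform pem` for one certificate.

    ssl.DER_cert_to_PEM_cert only base64-wraps its input, so we at least
    check for the leading ASN.1 SEQUENCE tag (0x30) that every X.509 DER
    certificate starts with; openssl would reject non-certificates outright.
    """
    if not der_bytes.startswith(b"\x30"):
        raise ValueError("input does not look like a DER-encoded certificate")
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def build_ca_bundle(der_blobs: list[bytes]) -> str:
    """Concatenate PEM blocks in the given order (root first, then intermediate), as the `cat` commands do."""
    return "".join(der_to_pem(blob) for blob in der_blobs)


def check_bundle(pem_text: str) -> int:
    """A CAfile must hold certificates only; return how many it contains."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("bundle contains a private key; a CA file must contain only certificates")
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def example_bundle() -> str:
    # Two constructed placeholder DER blobs (minimal SEQUENCEs), not real certificates.
    root_der = b"\x30\x03\x02\x01\x01"
    intermediate_der = b"\x30\x03\x02\x01\x02"
    return build_ca_bundle([root_der, intermediate_der])


def ldaps_connect(uri: str, dn: str, password: str, bundle_path: str):
    """Bind over LDAPS trusting exactly the CA bundle, with certificate verification enforced."""
    import ldap  # python-ldap; imported lazily so the helpers above work without it

    check_bundle(Path(bundle_path).read_text())
    con = ldap.initialize(uri)
    con.set_option(ldap.OPT_X_TLS_CACERTFILE, bundle_path)
    # DEMAND = fail the connection on an untrusted or mismatched certificate;
    # never downgrade to NEVER/ALLOW to make the -8179 error go away.
    con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    con.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the per-connection TLS options
    con.simple_bind_s(dn, password)
    return con
```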
Matthew Moisen
Updated on September 18, 2022

Comments
-
Matthew Moisen over 1 year
tl;dr Does this error mean that I need to find my company's ldap server's public certificate and install it, or that my company's ldap server needs to install my public cert? If the former, how can I grab the certs and install it?
I'm attempting to integrate an application with my company's LDAP. I'm very new to LDAP and SSL so I apologize in advance. I can do this successfully on non-ssl but am hitting this issue when I attempt to do this over SSL. I am on a Rhel 6.4 with openldap version 2.4. Using either ldapsearch
ldapsearch -v -h myhost.com -b 'DC=myhost,DC=com' -D 'CN=me,DC=myhost,DC=com' -x -W -Z
or Python
import ldap
con = ldap.initialize('ldaps://myhost.com')
dn = 'CN=me,DC=myhost,DC=com'
pw = 'password'
con.simple_bind_s(dn, pw)
results in:
ldap_start_tls: Connect error (-11) additional info: TLS error -8179:Peer's Certificate issuer is not recognized.
Does this mean that I need to find my company's ldap server's public certificate and install it somewhere, for example, /etc/openldap/certs? Or, does it mean that I need to tell my company's ldap server to approve my public certificate?
openssl s_client -connect myhost.com:636
This dumps a certificate, but at the end says:
Verify return code: 20 (unable to get local issuer certificate)
Again, I'm unsure if this means that I need the ldap server's certs or vice versa.
I did try to see the certificate chain like this:
openssl s_client -showcerts -connect myhost.com:636
I copied the certificates in order and made a file like so, named cert.pem:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
I tried this:
openssl s_client -connect myhost.com:636 -cert /path/to/cert.pem
but it failed with:
unable to load client certificate private key file 140503604590408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703: Expecting: ANY PRIVATE KEY
(I also tried -CAfile and -CApath on this, but I received the unable to get local issuer certificate.) I recreated the pem file but this time included my server's private key, and cert, followed by the ldap server's certs, but received the same error (Verify return code: 20 (unable to get local issuer certificate)) again. Am I creating these certificate files incorrectly?
-
Matthew Moisen about 8 years
We run the non-ssl ldap on the default 389, and SSL ldap on the default 636. I tried openssl s_client to connect to the non-ssl port and it failed with errno=104, presumably because it doesn't use SSL.
-
Christopher Schultz over 7 years
Had you used the output of openssl s_client, you would not have had to convert from DER to PEM.