ldapsearch returning failure to import cert
Hi all:
I am running Scientific Linux 6 (a Red Hat enterprise
repackage). Until recently these machines were interacting fine with
our ldap setup. We use a self signed cert for the ldap servers and
deploy the CA cert in /etc/openldap/cacert.pem.
However after the last series of updates ldapsearch has been failing
in an interesting way and our sssd caching daemons are failing to
connect to our ldaps servers. I am hoping that they are both having the
same issue.
The relevant installed packages are:
openldap-2.4.23-26.el6_3.2.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
nss-util-3.14.0.0-2.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
I am using the command (lightly obscured):
ldapsearch -d -1 -v -x -b
uid=user,ou=people,dc=staff,dc=example,dc=com -D
uid=user,ou=people,dc=staff,dc=example,dc=com -W -H
ldaps://auth.staff.example.com/
This fails with the error:
TLS: error: connect - force handshake failure: errno 21 - moznss error
-8054
TLS: can't connect: TLS error -8054:You are attempting to import a
cert with the same issuer/serial as an existing cert, but that is not
the same cert..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Where is ldapsearch "importing" a cert? Where is it getting its other
certs from? I ran strace on ldapsearch and the only cert file I can
see it accessing is /etc/openldap/cacert.pem as specified in
/etc/openldap/ldap.conf (not counting the /usr/lib64/libnssckbi.so
file). The cert in cacert.pem is identical to the one retrieved by
running:
openssl s_client -connect auth.staff.example.com:636 </dev/null \
2>/dev/null | sed -ne '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
Here is where it gets a little more interesting:
I have a previous CA cert (that used an md5 message digest). If I
install that as the CA, ldapsearch works for 2 of my 3 ldap servers.
I have used openssl x509 -in ... -text to compare the certificates for
my 3 ldap servers and they look identical except where they shouldn't
be (subject name, subject name digests...). The issuer, issuer digest
... fields are the same.
If I use
openssl verify -CAfile /etc/openldap/cacert.pem -purpose sslserver
-issuer_checks ldap
where ldap is the cert retrieved using s_client it validates for all
three servers regardless of whether the CAfile is the older md5 or
newer cert.
Just to add more into the mix, our CentOS 5 boxes have no issues
with any of the servers (IIUC they have an entirely different tls/cert
level since they do not use Mozilla nss).
Thanks for any insight or questions as the answer didn't come to me
while I was writing this email 8-).
--
-- rouilj
John Rouillard System Administrator
Renesys Corporation 603-244-9084 (cell) 603-643-9300 x 111
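The condition NSS error -8054 describes is two different certificate bodies sharing the same issuer and serial number. Below is an added example (not from this thread or from OpenLDAP/NSS), a stdlib-only Python check that pulls issuer and serial out of every certificate in a PEM bundle (for instance cacert.pem concatenated with the server certs saved from s_client) and reports such collisions; the skeleton-certificate builder and the "Example CA" / auth1 / auth2 names are constructed test data.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def read_tlv(buf, pos):  # parse one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Return (issuer Name DER bytes, serial) of a DER-encoded X.509 certificate."""
    _, tbs, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, tbs)     # tbsCertificate SEQUENCE
    tag, vs, ve = read_tlv(der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        tag, vs, ve = read_tlv(der, ve)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(der[vs:ve], "big", signed=True)
    _, _, start = read_tlv(der, ve)    # skip signature AlgorithmIdentifier
    _, _, end = read_tlv(der, start)   # issuer Name
    return der[start:end], serial

def find_collisions(pem_bundle):
    """Report (issuer, serial) pairs backed by more than one distinct certificate body."""
    seen = {}
    for m in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        seen.setdefault(issuer_and_serial(der), set()).add(der)
    return {key: len(bodies) for key, bodies in seen.items() if len(bodies) > 1}

def tlv(tag, payload):  # short-form DER TLV (payload under 128 bytes), enough for the skeletons
    return bytes([tag, len(payload)]) + payload

def skeleton_cert_pem(issuer_cn, serial, subject_cn):
    """Constructed, unsigned cert skeleton (no validity, key or signature): parser input only."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                                         # version v3
           + tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))   # serialNumber
           + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))       # sha256WithRSA
           + name(issuer_cn) + name(subject_cn))
    b64 = base64.b64encode(tlv(0x30, tlv(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    # Constructed bundle: the CA cert plus two server certs the CA issued with the same serial
    certs = [(1, "Example CA"), (4097, "auth1.staff.example.com"), (4097, "auth2.staff.example.com")]
    bundle = "".join(skeleton_cert_pem("Example CA", s, cn) for s, cn in certs)
    return find_collisions(bundle)  # -> one (issuer, 4097) entry backed by 2 distinct bodies
```

Running it over the real bundle means concatenating cacert.pem with the three s_client dumps and passing that text to find_collisions; an empty result means the certs themselves are not the source of the -8054 collision and the duplicate must come from elsewhere in what NSS loads.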