Jérôme BECOT wrote:
> Hello,
>
> We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we
> try to replace the certificates. On these servers we have a bundled
> configuration:

Presumably since that's a Debian build it was built using GnuTLS. I suggest you try using gnutls-cli with your PEM file and see what works or doesn't work.

> # config
> dn: cn=config
> olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
> olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
> olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem
>
> The file is a bundle containing both the certificates (wildcard and its
> issuer) and the key. Until this year we just had to upload the new bundle and
> restart slapd. This year Gandi changed their signing certificate but it is still
> issued by UserTrust. But OpenLDAP refuses to use it now.
>
> We tried to set LogLevel to any, but nothing really showed in the log. On the
> server side:
>
> slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing
>
> On the client side (localhost):
>
> openssl s_client -connect localhost:636 -servername ldap.deverywa.re
> CONNECTED(00000003)
> 140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 315 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1695652388
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
>
> We still use 2048 RSA key to generate the certificates. We have checked
> permissions and it is fine. How could I debug what's wrong on the server side?
>
> Thank you
>
> --
> *Jérôme BECOT*
> DevOps Infrastructure Engineer
>
> Landline: 01 82 28 37 06
> Mobile: +33 757 173 193
> Deveryware - 43 rue Taitbout - 75009 PARIS
> https://www.deveryware.com

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
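As an added example (not from the thread and not part of OpenLDAP or GnuTLS), a small POSIX shell helper for inspecting a bundled PEM like the one referenced by the olcTLS* settings above before running the gnutls-cli check suggested in the reply: it lists the PEM blocks in file order, counts certificates and keys, and splits the bundle so each part can be decoded on its own. The `sample_bundle` content is constructed placeholder data, and the certtool/gnutls-cli commands in the comments assume those tools are installed.

```shell
#!/bin/sh
# Added example: sanity-check a PEM bundle that is used for all three olcTLS*
# settings. Assumes only POSIX sh and awk; GnuTLS tools are optional probes.

# Print the label of every PEM block in file order, e.g. CERTIFICATE,
# CERTIFICATE, RSA PRIVATE KEY. GnuTLS reads the server certificate from the
# first CERTIFICATE block, so the order matters.
pem_blocks() {
    awk '/^-----BEGIN /{ sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print }' "$1"
}

# One-line summary: "certs=<n> keys=<n> first=<label>". A bundle for slapd
# should have exactly one key and start with the server certificate.
pem_summary() {
    pem_blocks "$1" | awk '
        /CERTIFICATE/ { certs++ }
        /PRIVATE KEY/ { keys++ }
        NR == 1       { first = $0 }
        END { printf "certs=%d keys=%d first=%s\n", certs, keys, first }'
}

# Split the bundle into block-NN.pem files under directory $2 (must exist)
# and print how many parts were written, so each part can be decoded alone.
pem_split() {
    awk -v dir="$2" '
        /^-----BEGIN /{ n++; out = sprintf("%s/block-%02d.pem", dir, n) }
        n            { print > out }
        /^-----END /{ close(out) }' "$1"
    ls "$2" | wc -l | tr -d ' '
}

# Constructed sample bundle (placeholder body lines, not real key material),
# in the layout the thread describes: wildcard cert, issuer cert, key.
sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIBwildcardPLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBissuerPLACEHOLDER'   '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'MIIEkeyPLACEHOLDER' '-----END RSA PRIVATE KEY-----'
}

# Optional probes once the bundle looks right (GnuTLS tools required):
#   certtool -i --infile parts/block-01.pem            # decode the server cert
#   gnutls-cli --x509cafile bundle.pem -p 636 ldap.example.com   # client handshake
```

Run `pem_summary /etc/ldap/tls/multi.deverywa.re.pem` on the server; anything other than one key and a leading CERTIFICATE block is worth fixing before looking further at slapd.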
