Certificate issue after upgrade in the LDAP module - Let's Encrypt certs not working either

Kaya Saman kayasaman at optiplex-networks.com
Wed Mar 29 15:02:32 UTC 2023

Hi everyone,

it's been ages!! Unfortunately my health took a downturn and I have not 
been keeping up with anything and now finding myself needing to upgrade 
many almost archaic builds now.

What was working on a previous version of FR seems to have stopped and 
now FR is complaining at me :-(

I'm using StartTLS in OpenLDAP so FR got provisioned eons ago with a 
working setup which has been flawless for may years, I created an 
raddb/ldap folder where I put my ldap TLS certs. I performed an upgrade 
recently and then noticed that some services had gone down. This is the 
relevant output of radiusd -X:

rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending 
slots used
rlm_ldap (ldap): Connecting to ldap://fqdn:389
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify failed (self 
signed certificate).
rlm_ldap (ldap): Could not start TLS: Connect error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/usr/local/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for 
module "ldap"

my ldap module in FR contains these lines:

                 start_tls = yes

                 #ca_file        = /etc/ssl/cert.crt
                 ca_file        = /usr/local/etc/raddb/ldap/cert.pem

                 #ca_path        = /etc/ssl/
                 ca_path = /usr/local/etc/raddb/ldap/
                 #certificate_file = /etc/ssl/cert.crt
                 certificate_file = /usr/local/etc/raddb/ldap/cert.pem
                 #private_key_file = /etc/ssl/cert.key
                 private_key_file = /usr/local/etc/raddb/ldap/privkey.pem

Originally I had a cert.crt and cert.key file which I believe I 
generated using openssl?  Judging from the records in the shell history 
I think it was something like this that I used:

cd /etc/ssl
openssl genrsa -out cert.key 1024
openssl req -new -key cert.key -out cert.csr
openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt
openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt

of which I tried regenerating using the exact same lines as I thought 
originally that the cert had expired.

 From the radd -X error it's obvious that it doesn't like the 
certificate as it was self signed. As I'm not using a certificate 
provider since this is in my home lab, I thought about using Let's 
Encrypt so I manually generated certificates using the certbot tool.

Unfortunately the error from radd -X is the same and is calling the 
certificate "self signed". I think the culprit is that LE doesn't have a 
CA associated with it.

Does anyone have any advice on how to either get FR working with my 
certificates or would my only options be to either turn TLS in OpenLDAP 
off or to use an authoritative signing body?

Many thanks in advance.


More information about the Freeradius-Users mailing list