Certificate issue after upgrade in the LDAP module - Let's Encrypt certs not working either
Kaya Saman
kayasaman at optiplex-networks.com
Thu Mar 30 01:47:10 UTC 2023
On 3/30/23 00:55, Kaya Saman via Freeradius-Users wrote:
>
> On 3/29/23 23:59, Alan DeKok wrote:
>> On Mar 30, 2023, at 12:02 AM, Kaya Saman via Freeradius-Users
>> <freeradius-users at lists.freeradius.org> wrote:
>>> I'm using StartTLS in OpenLDAP so FR got provisioned eons ago with a
>>> working setup which has been flawless for many years. I created a
>>> raddb/ldap folder where I put my ldap TLS certs. I performed an
>>> upgrade recently and then noticed that some services had gone down.
>>> This is the relevant output of radiusd -X:
>>>
>>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
>>> slots used
>>> rlm_ldap (ldap): Connecting to ldap://fqdn:389
>>> TLS certificate verification: Error, self signed certificate
>>> TLS: can't connect: error:1416F086:SSL
>>> routines:tls_process_server_certificate:certificate verify failed
>>> (self signed certificate).
>> Unfortunately that message is coming from libldap. So for some
>> reason, libldap doesn't like the certificate.
>>
>> You may need to add the CA to the global certificate store on the
>> machine running LDAP. Or update the LDAP server configuration to
>> trust the CA which FreeRADIUS is using.
>>
>> Alan DeKok.
>>
> Thanks Alan, I'll give it a shot!
>
>
> Hope you've been well in the meantime... it has been ages :-)
>
>
> Best Regards,
>
>
> Kaya
>
Hmm.... I just feel like I bypassed the problem rather than solved it?
I tested the certificate in ldap and it seemed to work? Maybe I ran
the incorrect test - I'm going to have to dig deeper and check on this one!
From ldap my reading led me to use the test command: ldapwhoami -H ldaps:// -x -ZZ
which basically returned "anonymous" and apparently this is correct. I still
need to read more on ldap though to find out if things are actually ok or not.
For now I added this to the ldap module which at least has FR working again:
require_cert = 'allow'
It's a temporary band-aid, I'm certain, as I trust the FR output:
TLS certificate verification: Error, self signed certificate
TLS certificate verification: Error, self signed certificate
TLS certificate verification: Error, self signed certificate
TLS certificate verification: Error, self signed certificate
TLS certificate verification: Error, self signed certificate
Grrrr what a PITA sigh....
Hopefully I'll get this fixed properly and soon :-S
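An added example for this thread (not code from the original post, nor from FreeRADIUS or OpenLDAP): the "self signed certificate" message is OpenSSL's X.509 verify error 18, raised when the leaf certificate the LDAP server presents is signed by itself and that certificate is not in the trust store libldap was given. `require_cert = 'allow'` makes libldap ignore the verification result; it does not make the certificate trusted. The script below reproduces, offline with the openssl CLI, the three outcomes a practitioner needs to tell apart: self-signed leaf not in the CA file (error 18, this thread's case), CA-issued leaf whose CA is not in the CA file (error 20), and a correctly trusted chain (OK). All names, directories and one-day certificates are constructed for the demo; it assumes only that `openssl`, `mktemp` and `sed` are available.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeRADIUS/OpenLDAP:
# reproduce offline the X.509 path validation libldap delegates to OpenSSL.
# Every name, directory and one-day certificate below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Case A (constructed): a server that signs its own certificate. Against a
# trust store that lacks it, libldap reports "self signed certificate".
SELF_CRT="$WORK/selfsigned.crt"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
    -keyout "$WORK/selfsigned.key" -out "$SELF_CRT" 2>/dev/null

# Case B (constructed): a private CA and a server certificate it issued.
CA_CRT="$WORK/ca.crt"
SERVER_CRT="$WORK/server.crt"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$CA_CRT" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$CA_CRT" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$SERVER_CRT" 2>/dev/null

# is_self_signed CERT: true when the certificate names itself as its issuer.
is_self_signed() {
    iss="$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')"
    sub="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')"
    [ "$iss" = "$sub" ]
}

# verify_error_code CAFILE CERT: validate CERT trusting only CAFILE and print
# OpenSSL's numeric X509 verify error:
#   0  = chain validates
#   18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT  (the error in this thread)
#   20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (issuing CA not trusted)
verify_error_code() {
    out="$(openssl verify -CAfile "$1" "$2" 2>&1 || true)"
    code="$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)"
    if [ -n "$code" ]; then printf '%s\n' "$code"; else printf '0\n'; fi
}

# report LABEL CAFILE CERT: one line per combination, for the reader.
report() {
    printf '%-40s -> verify error %s\n' "$1" "$(verify_error_code "$2" "$3")"
}

report "self-signed cert, CA file lacks it"     "$CA_CRT"   "$SELF_CRT"
report "self-signed cert, CA file contains it"  "$SELF_CRT" "$SELF_CRT"
report "CA-issued cert, CA file lacks the CA"   "$SELF_CRT" "$SERVER_CRT"
report "CA-issued cert, CA file has the CA"     "$CA_CRT"   "$SERVER_CRT"
```

The second line of the report is the fix for the situation in this thread: a self-signed server certificate validates as soon as that same certificate (or, for a CA-issued one, its issuing CA) is in the CA file the verifying side uses. For rlm_ldap that is the `ca_file` (or `ca_path`) setting in the module's `tls { ... }` section, after which `require_cert` can go back to `'demand'`. Two caveats: `ldapwhoami` takes its `TLS_CACERT` from the system `ldap.conf` or the invoking user's `~/.ldaprc`, so a passing `ldapwhoami` does not prove the radiusd process sees the same CA; and `openssl verify` checks path validation only, not hostname matching, so a chain that verifies here can still be rejected if the name in the certificate does not match the host FreeRADIUS connects to.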