OpenLDAP: unable to get local issuer certificate.

Question

OpenLDAP: unable to get local issuer certificate.

Closed this issue a year ago · 2 comments

Discussed in #465

^{Originally posted by pappapo July 29, 2023}
If anyone have a recipe to have this plugin and nagios working with ldap please let me know.
We have check_ssl_cert working just fine with http, smtp etc., but unable to get it to work with OpenLDAP, it seems OpenLDAP works different from all the other protocols. Also, other SSL check plugins does not complain when checking same ldap hosts.

Thank you in advance,
Per

[olcTLSCACertificatePath]
[olcTLSCACertificateFile]
[olcTLSCertificateFile]
[olcTLSCertificateKeyFile]

are all properly defined and all clients can access the directory with TLS.

The command will return

"Cannot verify certificate: unable to get local issuer certificate, unable to verify the first certificate"

openssl s_client -showcerts -verify 5 -connect db.nethead.se:389 
verify depth is 2
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Answer 1 · 2023-07-30T08:57:40.000Z

The ROOT_CA variable is correctly set but then empty when calling s_client

Answer 2 · 2023-07-30T09:40:08.000Z

I was not able to reproduce the problem with a current version. Can you please try with the latest release?