Mailing List Archive

[Bug 66490] ldap_simple_bind fails with "Can't contact LDAP server" when using ldaps on OpenLDAP
https://bz.apache.org/bugzilla/show_bug.cgi?id=66490

--- Comment #1 from Eric Covener <covener@gmail.com> ---
you might get some additional debug output from the ldap library by specifying
LDAPLibraryDebug 7

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 66490] ldap_simple_bind fails with "Can't contact LDAP server" when using ldaps on OpenLDAP
https://bz.apache.org/bugzilla/show_bug.cgi?id=66490

--- Comment #2 from apache@kyoshiro.org ---
Created attachment 38513
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38513&action=edit
ldap debug output

Ah thanks! Didn't know about this one :)
I got a debug output that seems to point to certificate issues. Relevant bits:

attempting to connect:
connect errno: 115
ldap_int_poll: fd: 45 tm: 10
ldap_is_sock_ready: 45
ldap_ndelay_off: 45
ldap_pvt_connect: 0
TLS: only one of certfile and keyfile specified

That's odd though, as I have no issue with other services like dovecot or tools
like gnutls-cli, openssl s_client or ldapsearch.

Both key and cert are defined in slapd config:
/etc/ldap/slapd.d/cn=config.ldif:olcTLSCACertificateFile: /etc/ldap/chain.pem
/etc/ldap/slapd.d/cn=config.ldif:olcTLSCertificateFile: /etc/ldap/fullchain.pem
/etc/ldap/slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.domain.org/privkey.pem
I also confirmed /etc/ldap/{,full}chain.pem files match the privkey.pem.

I'm not even sure if these logs point to a TLS cert issue, as errno 115 seems
to be Operation in progress, but then an internet search pointed me in that same
direction.

I'm open to any idea on how to debug this further!
Thank you :)

[Bug 66490] ldap_simple_bind fails with "Can't contact LDAP server" when using ldaps on OpenLDAP
https://bz.apache.org/bugzilla/show_bug.cgi?id=66490

--- Comment #3 from Loïc <apache@animanova.fr> ---
Well, I finally found the issue.

Adding this line to /etc/ldap/ldap.conf solved the problem:
TLS_CACERT /etc/ldap/chain.pem

I find it a bit odd as the chain just has Let's Encrypt CA certs but well.
At least it works now :)

I also tried adding these a while ago:
LDAPTrustedGlobalCert CERT_BASE64 "/etc/ldap/chain.pem"
LDAPVerifyServerCert off

It didn't resolve my issue, but I kept that in there somehow, and maybe it was
the culprit for this specific error message in the LDAP debug log:
TLS: only one of certfile and keyfile specified

Thanks for your help!

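As an added illustration (not part of the bug report and not httpd's own documentation), here is the mod_ldap/mod_authnz_ldap client-side TLS configuration the thread converges on, with the two leftover directives from comment #3 shown beside their corrected form. The host and file paths are the ones from the report; the Location, base DN, attribute, filter and bind credentials are assumed for the example. The first argument of LDAPTrustedGlobalCert declares what the file is: the CA_* types feed the library's trust store, while CERT_* and KEY_* declare a client certificate and its private key. A CA bundle declared as CERT_BASE64 with no KEY_* entry is therefore a client certificate without a key, which is exactly the condition libldap reports as "TLS: only one of certfile and keyfile specified". LDAPVerifyServerCert off disables chain and hostname verification altogether and should not survive the debugging session.

```apache
# Added example: TLS settings for ldaps:// against the OpenLDAP server from the
# report. Host and paths come from the report; the base DN, attribute, filter,
# Location and bind credentials are assumed.

# --- Leftover attempt from comment #3 (do not use) ---
# CERT_BASE64 declares a *client* certificate. Without a matching KEY_BASE64
# entry, libldap refuses to initialise TLS:
#   "TLS: only one of certfile and keyfile specified"
# LDAPVerifyServerCert off disables chain and hostname verification, so any
# host answering on port 636 is accepted as ldap.domain.org.
#LDAPTrustedGlobalCert CERT_BASE64 "/etc/ldap/chain.pem"
#LDAPVerifyServerCert off

# --- Corrected form ---
# CA_BASE64 feeds the PEM bundle into the trust store. Server config context
# only: this directive cannot sit inside <VirtualHost>.
LDAPTrustedGlobalCert CA_BASE64 "/etc/ldap/chain.pem"
# On is the default; stated explicitly so a stray "off" cannot win silently.
LDAPVerifyServerCert On
# Diagnosis only, as suggested in comment #1; very verbose, remove afterwards.
#LDAPLibraryDebug 7

<Location "/private">
    AuthType Basic
    AuthName "LDAP"
    AuthBasicProvider ldap
    # ldaps:// on 636. The server certificate must chain to /etc/ldap/chain.pem
    # and carry ldap.domain.org as a subject alternative name, or the bind
    # fails with "Can't contact LDAP server" just as in the report.
    AuthLDAPURL "ldaps://ldap.domain.org/ou=people,dc=domain,dc=org?uid?sub?(objectClass=person)"
    # Credentials for the search phase (assumed values).
    AuthLDAPBindDN "cn=httpd,ou=services,dc=domain,dc=org"
    AuthLDAPBindPassword "change-me"
    Require valid-user
</Location>
```

The equivalent for every libldap client on the box (ldapsearch included) is the line comment #3 added to /etc/ldap/ldap.conf, `TLS_CACERT /etc/ldap/chain.pem`; keeping both in place means httpd still verifies the server even if the system-wide ldap.conf is later changed.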
[Bug 66490] ldap_simple_bind fails with "Can't contact LDAP server" when using ldaps on OpenLDAP
https://bz.apache.org/bugzilla/show_bug.cgi?id=66490

Loïc <apache@animanova.fr> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |CLOSED

--- Comment #4 from Loïc <apache@animanova.fr> ---
Feel free to change the status if resolved/closed is not appropriate.
