"TLS: peer cert untrusted or revoked (0x82)" error in Hardy's version of ldap-utils

Bug #257153 reported by Karl M. Davis
This bug affects 1 person
Affects: openldap (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: ldap-utils

When trying to run ldapsearch against my local LDAP server, I receive the following error (simplified):
TLS: peer cert untrusted or revoked (0x82)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

However, if I try the same operation from a 6.06 box I've got, it works fine. Here's the command:
ldapsearch -H ldaps://mydomain.name -d 99

Here's the only option I've got set in /etc/ldap/ldap.conf:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Please note that connecting via openssl to the same LDAP server seems to work just fine (even from the Hardy box):
openssl s_client -connect mydomain.name:636 -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt

From what I've read, I'm guessing this has something to do with the switch to gnutls in Hardy. If it makes any difference, my SSL certificate is one of the cheap ones from GoDaddy (pain in the ass to get working, by the way).

I've attached the standard and debug output from the ldapsearch command. If I specify the following option in my /etc/ldap/ldap.conf file, I can connect just fine:
TLS_REQCERT allow

My Hardy 8.04.1 box has ldap-utils v2.4.9-0ubuntu0.8.04.1 installed, along with libgnutls v2.0.4-1ubuntu2.1. Please let me know if you need any further information.

Karl M. Davis (karlmdavis) wrote :

Karl M. Davis (karlmdavis) wrote :

Gary Wilson (gary-wilson) wrote :

I am seeing this same issue. Let me know if there is any information I can provide that would be helpful, but my output is basically the same as what Karl has already posted.

And for those interested, you can work around the issue with the following option in ldap.conf:

TLS_REQCERT allow

...however, this is insecure as it ignores certificate verification errors and just continues with the connection anyway.

Changed in openldap2.3:
status: New → Confirmed
Mathias Gug (mathiaz) wrote :

Do you have all of the necessary CA certificates in /etc/ssl/certs/ca-certificates.crt?

As noted in the section about TLS in the Openldap Admin guide:

  If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.

Changed in openldap2.3:
status: Confirmed → Incomplete
Gary Wilson (gary-wilson) wrote :

Thanks for the info. Putting the missing cert in /etc/ssl/certs/ca-certificates.crt and adding:

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

...to my ldap.conf fixed the connection problem for me. Any idea as to why my setup was working in Gutsy? Previously, I only had:

TLS_CACERTDIR /usr/share/ca-certificates/mozilla

in my ldap.conf and had no issues until upgrading to Hardy. Could it be that before only the CA cert was being checked and not the entire chain? The CA is Verisign and the cert is present in the /usr/share/ca-certificates/mozilla directory.

Also, is /etc/ssl/certs/ca-certificates.crt the place to put additional certs? Is this file ever auto-generated or overwritten by anything else?

Gary Wilson (gary-wilson) wrote :

Perhaps because gnutls openldap doesn't seem to support the TLS_CACERTDIR option (bug #242313)?

Mathias Gug (mathiaz) wrote : Re: [Bug 257153] Re: "TLS: peer cert untrusted or revoked (0x82)" error in Hardy's version of ldap-utils

On Fri, Aug 29, 2008 at 07:17:09PM -0000, Gary Wilson wrote:
> in my ldap.conf and had no issues until upgrading to Hardy. Could it be
> that before only the CA cert was being checked and not the entire chain?
> The CA is Verisign and the cert is present in the /usr/share/ca-
> certificates/mozilla directory.

Gutsy openldap is compiled with openssl, while Hardy's ldap is compiled
with gnutls.

>
> Also, is /etc/ssl/certs/ca-certificates.crt the place to put additional
> certs? Is this file ever auto-generated or overwritten by anything
> else?
>

This file is auto-generated by update-ca-certificates from the
ca-certificates package.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Karl M. Davis (karlmdavis) wrote :

Just noting that this bug (or something with a similar effect) is still present in Intrepid.

Anders Lund (anders-lund) wrote :

As Karl mentions, this seems to be a problem in Intrepid as well, but I think it worked some time ago. Were there some changes last month that would affect this?

What I've done to test this:

* my /etc/ldap/ldap.conf has:
TLS_REQCERT demand
TLS_CACERT /etc/ldap/certs.txt

* if I try using ldapsearch (-d 253) I get: TLS: peer cert untrusted or revoked (0x82)

* my /etc/ldap/certs.txt file has the certificate of the CA

* if I use gnutls-cli to check the same ldap-server ("gnutls-cli --print-cert -p 636 --x509cafile /etc/ldap/certs.txt <hostname>") I get: Peer's certificate is trusted

Mathias Gug (mathiaz) wrote :

@anders:
Is your CA certificate an X.509 v1 cert? If so you may encounter bug 305264.

@Karl:
Do you still see the issue if you put *all* the CA certs in the CA cert file?

Mathias Gug (mathiaz) wrote :

We'd like to figure out what's causing this bug for you, but we haven't heard back from you in a while. Could you please provide the requested information? Thanks!

Changed in openldap (Ubuntu):
importance: Undecided → Medium
Anders Lund (anders-lund) wrote :

Sorry about the lack of response. Since I reported the problem on this issue I've upgraded my machine to Karmic. A new test now seems to give the expected result, so in my case this seems to be resolved.

My CA certificate was indeed an X.509 v1 cert, so I guess you're correct when pointing to bug 305264.

gdowle (garb-dowle) wrote :

Hi,

I think I have exactly the same problem. I have set up Ubuntu 8.04 (up to date) as an LDAP client, and after I run "getent passwd" on that client, the connection to the LDAP server is refused:

TLS: peer cert untrusted or revoked (0x102)

My ldap.conf has the following entry:

URI ldaps://ldap-01.example.com/
...
TLS_CACERT /etc/ldap/ssl/cacert.pem
DEBUG 1

When I add the line TLS_REQCERT allow, everything is just working fine, but this is no solution for me for security reasons.

The command
openssl s_client -host ldap-01.example.com -port 636 -CAfile /etc/ldap/ssl/cacert.pem
returns:
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    ...
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

So the local cacert.pem should be the correct CA certificate.

Further, I have set up SUSE Linux Enterprise 10 SP2 as another LDAP client with exactly the same LDAP configuration (without the line TLS_REQCERT allow), and everything works fine there.

As I'm bound to Ubuntu LTS versions, I cannot switch to another version like Karmic or so. So I would be very pleased if somebody could help me out.

Thanks

Mathias Gug (mathiaz) wrote : Re: [Bug 257153] Re: "TLS: peer cert untrusted or revoked (0x82)" error in Hardy's version of ldap-utils

On Wed, Jan 13, 2010 at 03:21:50PM -0000, gdowle wrote:
> Hi,
>
> I think I have exactly the same problem. I have set up Ubuntu 8.04
> (uptodate) as ldap-Client, and after I run "getent passwd" on that
> client, the connection to the ldap-Server is refused:
>
> TLS: peer cert untrusted or revoked (0x102)
>

Could you provide the information outlined in the following wiki page:

https://wiki.ubuntu.com/DebuggingOpenldap#SSL%20connections%20failure

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

gdowle (garb-dowle) wrote :

Ok, I solved my problem now.

My cacert.pem was an X.509 v3 certificate, with Signature Algorithm: md5WithRSAEncryption. With that cacert I got a "Verification failed" from the gnutls-cli command (but not from the openssl command as posted above).

After creating a new X.509 v3 cacert.pem with Signature Algorithm: sha1WithRSAEncryption, the gnutls-cli command succeeds with "Peer's certificate is trusted", and the LDAP authentication works fine now on my Ubuntu 8.04 machine.

Software:
dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'
gnutls-bin 2.0.4-1ubuntu2.6 gnutls13 install ok installed
ldap-auth-client 0.5 install ok installed
ldap-auth-config 0.5 ldap-auth-client install ok installed
ldap-utils 2.4.9-0ubuntu0.8.04.1 openldap2.3 install ok installed
libcurl3-gnutls 7.18.0-1ubuntu2.2 curl install ok installed
libgnutls13 2.0.4-1ubuntu2.6 gnutls13 install ok installed
libldap-2.4-2 2.4.9-0ubuntu0.8.04.1 openldap2.3 install ok installed
libnss-ldap 258-1ubuntu3 install ok installed
libpam-ldap 184-2ubuntu2 install ok installed

Chris Kenna (cjkenna) wrote :

I'm trying to figure out what's wrong with my OpenLDAP setup. I have the same problem that gdowle had, but I'm already using an X.509 v3 CA certificate using sha1WithRSAEncryption as the signing algorithm. Here's some relevant information:

openssl s_client -connect serv1.myorganization.com:636 -showcerts -CAfile /etc/openldap/ssl/cacert.pem

The output is a bunch of certificate information and then at the end:

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 816212B370246B17944C3E6F39017C8413643AF164EFC3EDD240CD751D370FFB
    Session-ID-ctx:
    Master-Key: 5970251BDBD2A821813659ECCF6FA2A04EF13C8D386817E15F093475488B510AFDF984D850C5B1ADA776067D8D879F91
    Key-Arg : None
    Start Time: 1266594131
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

but this does not work:

gnutls-cli --print-cert -p 636 --x509cafile /etc/openldap/ssl/cacert.pem serv1.myorganization.com

Connecting to 'XXX.XXX.XXX.XXX:636'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

 # The hostname in the certificate matches 'serv1.myorganization.com'.
 # valid since: Tue Apr 28 10:55:23 EDT 2009
 # expires at: Fri Apr 26 10:55:23 EDT 2019
 # fingerprint: B1:A0:5F:02:C0:72:BE:2C:7F:AC:3E:B1:05:74:93:A1
 # Subject's DN: ...

 - Certificate[1] info:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

# valid since: Tue Apr 28 10:46:26 EDT 2009
 # expires at: Fri Apr 26 10:46:26 EDT 2019
 # fingerprint: 0D:1C:D5:AA:BC:3B:23:4F:95:51:1C:7F:78:1D:49:B7
 # Subject's DN:...

- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
*** Verifying server certificate failed...

I thought that this bug might be relevant, since gdowle's fix was to create an X.509 v3 certificate using the Signature Algorithm sha1WithRSAEncryption, but that's what we have already...

openssl x509 -in /etc/openldap/ssl/cacert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:...
        Validity
            Not Before: Apr 28 14:46:26 2009 GMT
            Not After : Apr 26 14:46:26 2019 GMT
        Subject: ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): ...
                Exponent: ...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3D:B9:10:D1:81:97:38:04:6C:5D:7C:6C:6C:7B:FE:8B:DF:BA:E3:B4
            X509v3 Authority Key Identifier:
                keyid:3D:B9:10:D1:81:97:38:04:6C:5D:7C:6C:6C:7B:FE:8B:DF:BA:E3:B4

    Signature Algorithm: sha1WithRSAEncryption

One thing that worries me is this:
        X509v3 extensions:
            X509v3 Basic Constraints:
    ...

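The checks the comments in this thread converge on, collected into one script: every issuer must be present in the TLS_CACERT file itself (Mathias Gug's chain note; the GnuTLS build ignores TLS_CACERTDIR per bug #242313), the CA must not be an X.509 v1 cert (bug 305264), it must not be MD5-signed (gdowle's fix), and its Basic Constraints must say CA:TRUE (the extension Chris Kenna's dump shows as CA:FALSE; GnuTLS will not use a v3 certificate without CA:TRUE as an issuer). This is an added example, not code from the bug report or the openldap package; it assumes the openssl CLI is installed and reads `openssl x509 -text` output rather than calling GnuTLS itself.

```shell
#!/bin/sh
# Added example (not from the bug report or the openldap package): lint a
# TLS_CACERT bundle for the conditions this thread identifies as fatal for
# the GnuTLS-linked OpenLDAP client. Assumes the openssl CLI is installed;
# lint_cert_text itself only needs `openssl x509 -noout -text` output.

# Examine one certificate's text dump on stdin. Prints a line per finding
# and returns 0 if the cert is usable as a GnuTLS trust anchor, else 1.
lint_cert_text() {
    text=$(cat); rc=0
    case "$text" in *"Version: 1 (0x0)"*)
        echo "FAIL: X.509 v1 certificate (see bug 305264)"; rc=1 ;; esac
    case "$text" in *"Signature Algorithm: md5With"*)
        echo "FAIL: MD5-signed certificate"; rc=1 ;; esac
    case "$text" in *"CA:TRUE"*) ;; *)
        echo "FAIL: no Basic Constraints CA:TRUE"; rc=1 ;; esac
    [ "$rc" -eq 0 ] && echo "OK: v3, non-MD5 signature, CA:TRUE"
    return "$rc"
}

# Lint every certificate in a PEM bundle and check that each issuer also
# appears as a subject in the same file (the GnuTLS build ignores
# TLS_CACERTDIR, so the whole chain has to live in the TLS_CACERT file).
lint_ca_bundle() {
    bundle=$1; dir=$(mktemp -d); rc=0
    # Split the bundle: certificate N goes to $dir/N.pem; text before the
    # first BEGIN line is dropped.
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$bundle"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject
    done > "$dir/subjects"
    for f in "$dir"/*.pem; do
        echo "== $(openssl x509 -in "$f" -noout -subject)"
        openssl x509 -in "$f" -noout -text | lint_cert_text || rc=1
        # "issuer=X" must match some "subject=X" line from the same bundle.
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=/subject=/')
        grep -qxF "$iss" "$dir/subjects" ||
            { echo "FAIL: issuer not in bundle: ${iss#subject=}"; rc=1; }
    done
    rm -rf "$dir"; return "$rc"
}
```

Run as `lint_ca_bundle /etc/ssl/certs/ca-certificates.crt` (or whatever TLS_CACERT points at); a non-zero exit means ldapsearch with TLS_REQCERT demand can be expected to fail against that bundle.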

Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired