Manoj Chacko asked:
Trying to connect the LDAP over SSL

Hi,

I have WordPress running on XAMPP, and I cannot get LDAP to work over SSL.
Any idea how to accomplish this?

Enabling debug, I can see the following error:

TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).


Thanks
Manoj
Scott Silva:

To clarify... What is LDAP running on? Same server? Different? OS?
Manoj Chacko (asker):
To clarify, I am running the web server using XAMPP for Windows, currently on Windows Server 2008. Only my WordPress site is running on this. LDAP is run by a different group; I have the credentials and I am just doing the authentication.
What is the name of the certificate on the Windows Server 2008 Domain Controller? It should be the same as the FQDN of the server, and it should have Server Authentication and Client Authentication enabled on the certificate. The certificate should be from a trusted CA source (not self-signed).
So here's the situation.
The name of the computer/server is "X".

But I have three instances of WordPress (with three different IPs) running from this ("X", "Y", "Z").
I am setting up LDAP over SSL now for "Y".
So when I generate the local certificate, should it be the same as the "server name",
or should it have the site FQDN?
Always use FQDNs on certificates, not short names.
Tried this, did not work.

My error log:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2, issuer: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
Have you imported the public part of the signer's key into the key store that the LDAP client is using?
How do you do that?
What operating system is your LDAP client running on?

Where does your LDAP client look for trusted certificates?
Looks like the LDAP client is on a Windows system. Assuming it is using the Windows certificate store, you need to get the public cert of the CA that signed the LDAP server's cert and import it into the Windows certificate store.

The easiest way to do that is to have whoever has it give it to you in a file with ".crt" as the suffix. Then you put it on the Windows system where your code is, right-click on the file and select "Install certificate."
The LDAP server itself is managed by a different department. I created a local certificate using Windows Server Active Directory Certificate Services, but it did not work.

Interestingly, it used to work before. I just upgraded XAMPP for Windows to the latest version and this issue started happening.
You can't create your own certificate for somebody else's server. LDAPS is just like any other SSL connection.

The client has to trust the certificate of the server. It does this by having the signer's certificate in its data store.

Looks like XAMPP uses its own certificate store; read here to see how to get the CA's certificate you need and how to install it:

https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Windows_Server_2003_and_2008
I tried using openssl s_client -showcerts -connect to connect to the server; it gives me the error

 Verify return code: 20 (unable to get local issuer certificate)
Did you get anything else other than that message?
Yes, similar to the Google example, but in the end, instead of "verify ok", I get an error.
O.K., you've got what you need. You should have at least 2 "BEGIN CERTIFICATE/END CERTIFICATE" pairs. You could have 3 pairs.

You want to save the output of the last "BEGIN CERTIFICATE/END CERTIFICATE" into a file.

Then issue the same command, but add "-CAfile xxxx", where xxxx is the name of the file you saved the cert into. You should now get a zero.

If you do, then you want to follow the instructions about creating the php.ini file and the ".pem" file.
I tried that

I tried the command openssl s_client -showcerts -connect site:636 -CAFile filename.crt

I get the following error "verify return code: 2(unable to get issuer certificate)"
That normally means there is an intermediary cert. How many certificates were there when you did the original showcerts?

If there were 3, then try putting the last one in the file and try again.

Is your server's cert signed by a well-known CA, or is it signed by an internal CA?
Showcerts is only showing 2 certs.
Is your server's cert signed by a well-known CA, or is it signed by an internal CA?
Well-known CA, GlobalSign.
Then can you attach the output from your showcerts and I can look to see what may be missing.

You should be able to go to GlobalSign's website, and if you know what level/type of cert you purchased, they should have a file for you to download with everything you need.
apache\bin>openssl s_client -showcerts -connect [Our ldap server address]:636
CONNECTED(0000016C)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - S
HA256 - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/businessCategory=Private Organization/serialNumber=354000/jurisdictionC=US
/jurisdictionST=Pennsylvania/C=US/ST=Pennsylvania/L=Philadelphia/street=1801 Nor
th Broad Street/O=Temple University/CN=[Our ldap server address]
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2

-----BEGIN CERTIFICATE-----

Cert Values

-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2

   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----

Cert Values

-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/serialNumber=354000/jurisdictionC
=US/jurisdictionST=Pennsylvania/C=US/ST=Pennsylvania/L=Philadelphia/street=1801
North Broad Street/O=Temple University/CN=[Our ldap server address]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 -
G2
---
No client certificate CA names sent
---
SSL handshake has read 3417 bytes and written 675 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 39DB9807B7915877AF8FD68A7915626C6E1FEBC7578BB0A749E39C5DEDC98322

    Session-ID-ctx:
    Master-Key: (Key text)
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1464797751
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
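As an added example (not code from the thread), a small Python parser for the `openssl s_client -showcerts` output shown above. It re-joins subjects that the console wrapped, names the issuer the server did not send (the CA the client still needs to trust, as discussed in the -CAfile and "return code 2" replies above), reads the verify return code, and assembles the PEM text to pass as `-CAfile`. The sample input, its CN and the PEM bodies are constructed placeholders.

```python
# Added example (not from the thread): parse `openssl s_client -showcerts` output.
import re
# Constructed sample in the thread's format; CN and PEM bodies are placeholders.
SAMPLE = """\
 0 s:/C=US/ST=Pennsylvania/O=Example University/street=1801 Nor
th Broad Street/CN=ldap.example.edu
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeaf==
-----END CERTIFICATE-----
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate==
-----END CERTIFICATE-----
    Verify return code: 20 (unable to get local issuer certificate)
"""
ENTRY, ISSUER = re.compile(r"^\s*\d+ s:(.*)$"), re.compile(r"^\s*i:(.*)$")

def parse_chain(output):
    """Presented chain, leaf first, as dicts with subject, issuer and pem."""
    chain, pem = [], None
    for line in output.splitlines():
        if m := ENTRY.match(line):
            chain.append({"subject": m.group(1), "issuer": None, "pem": None})
        elif (m := ISSUER.match(line)) and chain:
            chain[-1]["issuer"] = m.group(1)
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                chain[-1]["pem"], pem = "\n".join(pem) + "\n", None
        elif chain and chain[-1]["issuer"] is None and line.strip():
            chain[-1]["subject"] += line.strip()  # re-join a console-wrapped subject
    return chain

def verify_code(output):
    """Numeric 'Verify return code' (0 = chain validated, 2/20 = issuer missing)."""
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def missing_issuer(chain):
    """CA the client must trust locally: issuer of the top cert sent, unless self-signed."""
    top = chain[-1]
    return None if top["issuer"] == top["subject"] else top["issuer"]

def ca_file_contents(chain):
    """PEM text to save and pass as -CAfile: every certificate above the leaf."""
    return "".join(c["pem"] for c in chain[1:])
```

If `missing_issuer` returns a name, that CA's certificate must come from the CA itself (GlobalSign's site, as suggested above), since the server never sends it.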
I need the whole thing, including the stuff between the BEGIN/END.
SOLUTION (giltjr)
When I tried to verify it, it seemed to work. I get Verify return code: 0 (ok)

How do I install this?
SOLUTION
So as stated on the above site, I saved go.txt as a .crt, generated a PEM and copied it to the openldap/sysconf/ folder, and copied the path to ldap.conf. Restarted the server; the error is still there.
Are you using PHP to make the LDAP calls?
ASKER CERTIFIED SOLUTION
What version of XAMPP are you running?
Latest version XAMPP 7.0.6

I am guessing this is the cause of the whole problem; the location for ldap.conf might have changed?
It was working fine right before the update, and I had the ldap.conf in c:/openldap/sysconf/ldap.conf.
That was it. It was the location. I created a new folder in xampp/apache/
called %SYSCONFDIR% and copied ldap.conf over there,
and it worked.

Thanks a lot
Works. It was the location mainly.
You may want to make a note, because it looks like the most recent version of XAMPP may have "fixed" that issue and expects the files to be in openldap/sysconf/, I think.

I installed the latest XAMPP, and the DLL file that seems to control where PHP looks for things does not have %SYSCONFDIR% in the file path.
OK, will keep that in mind during the upgrade.