Fixing “SSL3_GET_SERVER_CERTIFICATE” Error for Self-Signed LDAP SSL Certificates on Ubuntu 12.04



When configuring OpenLDAP with self-signed certificates on Ubuntu 12.04, you'll typically encounter the TLS verification error:

TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect.
ldap_start_tls: Connect error (-11)
    additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This occurs because libldap's default is TLS_REQCERT demand: the server certificate must chain to a CA listed in TLS_CACERT and carry the hostname you connected to. A self-signed certificate has no issuer in that file, so the check fails. The OpenSSL-style error code on the last line is what a client library built against OpenSSL prints; one built against GnuTLS (as Ubuntu's packaged libldap is) reports the same failure with a different message.

Here's how to configure your LDAP client for a self-signed certificate. The key point is that a self-signed certificate is its own CA: copy the server certificate to the client, point TLS_CACERT at it, and verification succeeds without weakening TLS_REQCERT.

1. ldap.conf Configuration

# /etc/ldap/ldap.conf
BASE    dc=example,dc=com
URI     ldaps://ldap.example.com

# Critical SSL settings
# TLS_CACERT is the self-signed server certificate itself (or the CA that signed it)
TLS_CACERT      /etc/ssl/certs/cacert.pem
# demand is the default; keep it once TLS_CACERT is correct
TLS_REQCERT     demand

Setting TLS_REQCERT to allow makes the error disappear as well, but it does so by continuing with a certificate that failed verification. Treat allow, like never, as a diagnostic setting rather than a fix.

2. Alternative: Environment Variable Override

For testing purposes, you can temporarily bypass certificate verification from the environment (LDAPTLS_REQCERT overrides the TLS_REQCERT directive in ldap.conf). With never the client does not verify the server certificate at all, so anyone who can intercept the connection can impersonate the server; use it only to confirm that the rest of the connection works, and never bake it into a script or service configuration:

LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com
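Because the file directive, the environment variable and libldap's built-in default interact, it is easy to believe verification is on when it is not. The following script is an added example (not code from the original page) that resolves the TLS_REQCERT a client will actually use and flags weakened settings; it applies libldap's rules as documented in ldap.conf(5): directives are case-insensitive, the last occurrence of a directive wins, lines starting with '#' are comments, LDAPTLS_REQCERT overrides the file, and the default is demand. The function names and the sample configuration files it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: work out the effective
# TLS_REQCERT for an OpenLDAP client and audit it for weakened settings.
# Rules implemented (from ldap.conf(5)):
#  - directives are case-insensitive; the last live occurrence wins
#  - lines starting with '#' are comments
#  - the LDAPTLS_REQCERT environment variable overrides the file
#  - if nothing sets it, libldap defaults to "demand"
# Function names and sample configs are constructed for this example.

# Print the value of a directive from an ldap.conf-style file (empty if unset).
ldap_conf_get() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { val = $2 }
        END { print val }' "$1"
}

# Effective TLS_REQCERT: environment beats file, file beats the built-in default.
ldap_effective_reqcert() {
    if [ -n "$LDAPTLS_REQCERT" ]; then
        printf '%s\n' "$LDAPTLS_REQCERT" | tr 'A-Z' 'a-z'
        return 0
    fi
    v=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    printf '%s\n' "${v:-demand}"
}

# Audit one client config. Exit status 0 = verification enforced and a usable
# CA file is configured; 1 = a bad or missing server certificate would pass.
ldap_tls_audit() {
    conf=$1
    rc=0
    req=$(ldap_effective_reqcert "$conf")
    ca=$(ldap_conf_get "$conf" TLS_CACERT)
    case $req in
        demand|hard) echo "OK    TLS_REQCERT=$req (server certificate must verify)" ;;
        never|allow|try)
            echo "WEAK  TLS_REQCERT=$req (a bad or missing server certificate is accepted)"
            rc=1 ;;
        *) echo "ERROR unknown TLS_REQCERT value '$req'"; rc=1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "FAIL  no TLS_CACERT: a self-signed server certificate cannot be trusted"; rc=1
    elif [ ! -r "$ca" ]; then
        echo "FAIL  TLS_CACERT $ca is missing or not readable by $(id -un)"; rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "FAIL  TLS_CACERT $ca is not a PEM certificate file"; rc=1
    else
        echo "OK    TLS_CACERT=$ca"
    fi
    return $rc
}

# Constructed sample inputs: a weak and a strict ldap.conf plus a placeholder
# PEM file (header only; the audit does not parse the certificate body).
write_sample_confs() {
    dir=$1
    cat >"$dir/cacert.pem" <<EOF
-----BEGIN CERTIFICATE-----
placeholder body, constructed for this example
-----END CERTIFICATE-----
EOF
    cat >"$dir/weak.conf" <<EOF
BASE    dc=example,dc=com
URI     ldaps://ldap.example.com
TLS_CACERT  $dir/cacert.pem
# a commented directive is ignored; the last live one wins
#TLS_REQCERT demand
TLS_REQCERT allow
EOF
    cat >"$dir/strict.conf" <<EOF
BASE    dc=example,dc=com
URI     ldaps://ldap.example.com
tls_cacert  $dir/cacert.pem
TLS_REQCERT demand
EOF
}

# Usage: sh ldap_tls_audit.sh /etc/ldap/ldap.conf
if [ $# -gt 0 ]; then
    ldap_tls_audit "$1"
fi
```

Run it against /etc/ldap/ldap.conf on each client after an outage has been "fixed"; a WEAK line means someone left never or allow behind, and a FAIL line means demand is set but cannot succeed because the CA file is absent, unreadable by the calling user, or not PEM.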

Ensure these are in place as well. The CA file lives on every client and must be readable by whichever user runs the LDAP tools; the server's private key is the one file that must not be world-readable:

# Verify certificate permissions (client side)
ls -l /etc/ssl/certs/cacert.pem
chmod 644 /etc/ssl/certs/cacert.pem

# Confirm slapd is configured to listen on ldaps (Ubuntu: /etc/default/slapd;
# the default SLAPD_SERVICES="ldap:/// ldapi:///" does not include ldaps:///)
grep SLAPD_SERVICES /etc/default/slapd

# Confirm slapd is actually listening on port 636
netstat -tulnp | grep slapd

Use these commands to diagnose connection issues:

# Verbose TLS debugging (-d 1 shows libldap's trace and the TLS library's messages)
ldapsearch -d 1 -H ldaps://ldap.example.com -b dc=example,dc=com -x

# Test the certificate separately: -CAfile checks against the same file ldap.conf
# uses; read the "Verify return code" line at the end of the output
openssl s_client -connect ldap.example.com:636 -showcerts -CAfile /etc/ssl/certs/cacert.pem

For production environments, consider installing the certificate in the system trust store so every TLS client on the host trusts it:

# Install cert in system trust store. update-ca-certificates only picks up
# files with a .crt extension under /usr/local/share/ca-certificates, so rename
# on copy; a .pem file there is silently ignored.
sudo cp cacert.pem /usr/local/share/ca-certificates/ldap-cacert.crt
sudo update-ca-certificates

# Then modify ldap.conf:
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     demand

Note the trade-off: pointing TLS_CACERT at the whole bundle means a certificate for your LDAP hostname issued by any public CA in that bundle is also accepted, whereas pointing it at the self-signed certificate alone pins trust to that one key.
If verification still fails with TLS_REQCERT demand, the usual causes are:

  • Certificate chain incompleteness (TLS_CACERT lacks an intermediate or the self-signed cert itself)
  • Mismatched hostnames in the cert (the URI hostname is not in the SAN or CN)
  • Incorrect time/date settings on either side, making the cert appear expired or not yet valid
  • Firewall blocking port 636

When dealing with OpenLDAP SSL/TLS connections, the client verifies the server certificate the way a browser would: it must chain to a trusted CA and its name must match the host in the URI. The error message TLS certificate verification: Error, self signed certificate in certificate chain indicates the client-side OpenLDAP utilities (like ldapsearch) are rejecting your self-signed certificate despite your configuration attempts, usually because TLS_CACERT does not contain it.

For Ubuntu 12.04's OpenLDAP implementation, there are three key files that must be properly configured:

# /etc/ldap/ldap.conf (client configuration)
BASE    dc=example,dc=local
URI     ldaps://ldap.example.local
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT never

Note we're using never instead of allow here purely to test the transport: never disables server certificate verification entirely, so change it back to demand (the default) as soon as the CA file is in place. The certificate file must be:

  • In PEM format
  • World-readable (chmod 644)
  • Containing the complete certificate chain if applicable (for a self-signed certificate, the certificate itself)

Your slapd configuration needs these essential directives in cn=config (or slapd.conf if using legacy config):

olcTLSCACertificateFile: /etc/ssl/certs/ca.pem
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
olcTLSCipherSuite: HIGH:-SSLv2
olcTLSVerifyClient: never

For a self-signed server certificate, olcTLSCACertificateFile and olcTLSCertificateFile can point at the same certificate, and that same certificate is what clients list as TLS_CACERT. olcTLSCipherSuite takes the syntax of the TLS library slapd was built against: HIGH:-SSLv2 is OpenSSL cipher-list syntax, while Ubuntu's packaged slapd is linked against GnuTLS and expects a GnuTLS priority string such as NORMAL or SECURE256; an unparseable value makes slapd log a cipher-list error at startup and fail TLS negotiation. olcTLSVerifyClient: never means clients are not asked for a certificate, which is the normal setting when they authenticate with a bind DN and password.

Here's how to generate a self-signed certificate that OpenLDAP will accept. The CN must be the hostname clients put in the URI; this form sets only the CN and no subjectAltName, which libldap accepts (it falls back to the CN when the certificate has no SAN) but stricter clients may not:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -x509 -days 365 -out server.crt \
  -subj "/C=US/ST=California/L=San Francisco/O=Example/CN=ldap.example.local"

Install the key and certificate where the cn=config directives above expect them. There is no need to concatenate the key into the certificate file; doing so and placing the result under /etc/ssl/certs puts a private key in a directory that is world-readable by convention:

sudo install -m 644 server.crt /etc/ssl/certs/server.pem
sudo ln -s server.pem /etc/ssl/certs/ca.pem   # self-signed: the cert is its own CA
sudo install -m 640 -o root -g ssl-cert server.key /etc/ssl/private/server.key
sudo adduser openldap ssl-cert   # /etc/ssl/private is traversable only by group ssl-cert on Ubuntu
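The one-line openssl req above produces a certificate with only a CN, and the checks a client then performs (chain, name, validity) are spread over several commands. The script below is an added example, not code from the original page: it generates the self-signed certificate with a subjectAltName by passing an extensions section through a temporary config file (OpenSSL 1.0.1 on Ubuntu 12.04 has no -addext option), then implements the three client-side checks as functions so they can be run against any certificate. The basicConstraints CA:TRUE it sets mirrors what the stock openssl.cnf's v3_ca section gives a plain openssl req -x509, so the certificate can act as its own trust anchor exactly as the page's command produces. Function names and the example hostnames are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: generate a self-signed LDAP
# server certificate with a subjectAltName and run the checks a client
# performs before trusting it. Function names are constructed for this example.

# gen_selfsigned_ldap_cert KEY CRT HOSTNAME [DAYS]
gen_selfsigned_ldap_cert() {
    key=$1; crt=$2; host=$3; days=${4:-365}
    cfg=$(mktemp)
    # OpenSSL 1.0.1 cannot take extensions on the command line, so write a
    # throwaway config with the DN and the X.509v3 extensions we want.
    cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ldap
prompt             = no
[ dn ]
CN = $host
O  = Example
[ v3_ldap ]
# CA:TRUE matches what the stock openssl.cnf v3_ca section gives a plain
# 'openssl req -x509', so the cert can be its own trust anchor in TLS_CACERT
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage     = serverAuth
subjectAltName       = DNS:$host
EOF
    if openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
           -config "$cfg" -keyout "$key" -out "$crt" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cfg"
    if [ $rc -eq 0 ]; then
        chmod 600 "$key"   # private key: owner only
        chmod 644 "$crt"   # the cert is what clients copy into TLS_CACERT
    fi
    return $rc
}

# Check 1: does the certificate verify against a trust store that contains
# only itself? This is what a client with TLS_CACERT set to the cert checks.
verify_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Check 2: does a DNS subjectAltName match HOST exactly? libldap checks SAN
# dNSName entries first and falls back to the CN only when there are none.
san_matches() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        grep -qx "$2"
}

# Check 3: is the certificate within its validity period? An expired cert
# and a wrong system clock both produce a verification failure under demand.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Usage: sh mkldapcert.sh ldap.example.local [outdir]
if [ $# -gt 0 ]; then
    host=$1; out=${2:-.}
    gen_selfsigned_ldap_cert "$out/server.key" "$out/server.crt" "$host" || exit 1
    verify_selfsigned "$out/server.crt" && san_matches "$out/server.crt" "$host" \
        && not_expired "$out/server.crt" && echo "$out/server.crt: OK for $host"
fi
```

The three check functions are the same tests to run against a certificate someone else generated: a false from verify_selfsigned means the file you are about to put in TLS_CACERT does not actually contain the server's certificate, and a false from san_matches means the URI hostname and the certificate disagree, which no TLS_CACERT setting will fix.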

Use these commands to diagnose SSL issues:

# Verify certificate chain
openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/server.pem

# Test SSL connectivity
openssl s_client -connect ldap.example.local:636 -showcerts -CAfile /etc/ssl/certs/cacert.pem

# Verbose LDAP search. ldaps:// already negotiates TLS on connect, so do not add
# -ZZ here: -ZZ requests StartTLS, which belongs with an ldap:// URI on port 389
ldapsearch -x -H ldaps://ldap.example.local -b dc=example,dc=local \
  -d 63 -D "cn=admin,dc=example,dc=local" -W
Other things that commonly bite:

  • The certificate's Subject Alternative Name (or, if it has none, the CN) must match the hostname in the LDAP URI
  • Time synchronization issues can cause certificate validation failures
  • ldap:// with -ZZ (StartTLS on port 389) and ldaps:// (TLS on port 636) are different mechanisms; combining -ZZ with an ldaps:// URI fails
  • AppArmor might block slapd's access to certificate files in non-standard locations

Run this command to verify all components are working together (no -ZZ, since the URI is ldaps://):

ldapsearch -x -H ldaps://ldap.example.local -b dc=example,dc=local \
  -d 1 -v -W -D "cn=admin,dc=example,dc=local"

If you still encounter issues, temporarily set TLS_REQCERT never in ldap.conf to isolate whether the problem is certificate-related or a different configuration issue: if the search succeeds with never, the certificate or CA file is the problem; if it still fails, look at the URI, port, firewall or bind credentials instead. Restore TLS_REQCERT demand afterwards.