When working with LDAPS connections across different Linux distributions, I've encountered a particularly puzzling scenario where:
- Ubuntu 13.10: Works flawlessly
- SLES: No issues observed
- CentOS 6.5: Fails with ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The initial theory about wildcard certificates causing the issue may not be entirely accurate. While some older systems did have issues with wildcard certs in the past, modern implementations (like what's in Ubuntu and SLES) typically handle them correctly. The debug output (-d1 flag) reveals more specific problems:
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=DigiCert High Assurance EV Root CA,...] is not valid - error -8172
CentOS 6.5 is failing because:
- The system cannot locate the certificate database at /etc/openldap
- The DigiCert root CA isn't trusted by default in CentOS 6.5's NSS database
- The OpenLDAP libraries in CentOS 6.5 use NSS rather than OpenSSL
Here's how to properly fix this without compromising security:
# Install the DigiCert root certificate into the NSS database libldap reads
# (the directory named in the -d1 output). Create the database first:
# certutil -A fails if the directory holds no database yet.
wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
mkdir -p /etc/openldap/cacerts
certutil -N -d /etc/openldap/cacerts --empty-password
# -i expects DER unless -a is given; the DigiCert .crt download is DER
certutil -A -n "DigiCert High Assurance EV Root CA" \
-t "CT,C,C" -i DigiCertHighAssuranceEVRootCA.crt \
-d /etc/openldap/cacerts
# Verify the certificate was added with the CA trust flags (CT,C,C)
certutil -L -d /etc/openldap/cacerts
# Alternative: add to the system-wide NSS database (libldap only consults it
# if TLS_CACERTDIR in ldap.conf points there)
certutil -A -n "DigiCert High Assurance EV Root CA" \
-t "CT,C,C" -i DigiCertHighAssuranceEVRootCA.crt \
-d sql:/etc/pki/nssdb
If you still encounter issues, consider these alternatives:
# 1. Make sure the client tools are installed (on CentOS 6 openldap-clients is
#    built against NSS, not OpenSSL, so this does not change the TLS library)
yum install openldap-clients openssl
# 2. Specify the CA bundle explicitly for one run. -ZZ requests StartTLS and
#    only applies to ldap:// URLs, so it is not combined with ldaps:// here;
#    the OpenLDAP 2.4 tools do not accept tls_cacert via -o, so the
#    LDAPTLS_CACERT environment variable is used instead
LDAPTLS_CACERT=/etc/pki/tls/certs/ca-bundle.crt \
ldapsearch -x -H ldaps://ldapserver [...] -o ldif-wrap=no
# 3. Or make it permanent in ldap.conf
echo "TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt" >> /etc/openldap/ldap.conf
echo "TLS_REQCERT demand" >> /etc/openldap/ldap.conf
After implementing any solution, verify with:
# Show who issued the server certificate (stdin closed so s_client exits)
openssl s_client -connect ldapserver:636 -showcerts < /dev/null 2>/dev/null | \
openssl x509 -noout -text | grep -i issuer
# libldap writes -d1 debug output to stderr, so redirect it before filtering
ldapsearch -x -H ldaps://ldapserver [...] -d1 2>&1 | grep -i tls
- Never use TLS_REQCERT never in production
- Standardize on either NSS or OpenSSL across all systems
- Consider creating an internal CA for enterprise environments
- Document certificate management procedures for all supported distros
When implementing LDAPS with Novell eDirectory 8.8, we encountered inconsistent behavior across different Linux distributions. While Ubuntu 13.10 and SLES worked perfectly with our DigiCert wildcard certificate, CentOS 6.5 stubbornly refused connections with the error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The debug output (-d1 flag) revealed critical insights:
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts
TLS: certificate [CN=DigiCert High Assurance EV Root CA,...] is not valid - error -8172
This indicates CentOS's OpenLDAP implementation couldn't locate or properly evaluate the certificate store, unlike other distributions.
The primary issues were:
- Different TLS/SSL library implementations across distributions (OpenSSL vs NSS)
- CentOS 6.5's outdated certificate store
- Potential wildcard certificate validation quirks
Instead of using TLS_REQCERT never, implement these steps:
- Update the CA certificates bundle:
yum update ca-certificates
- Manually import the DigiCert root CA:
wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
# The download is DER; both TLS_CACERT and update-ca-trust need PEM
openssl x509 -inform DER -in DigiCertHighAssuranceEVRootCA.crt \
  -out /etc/pki/tls/certs/DigiCertHighAssuranceEVRootCA.pem
# update-ca-trust only picks up anchors from /etc/pki/ca-trust/source/anchors/
cp /etc/pki/tls/certs/DigiCertHighAssuranceEVRootCA.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust enable   # once per CentOS 6 host, switches to the consolidated trust store
update-ca-trust
- Configure OpenLDAP properly:
echo "TLS_CACERT /etc/pki/tls/certs/DigiCertHighAssuranceEVRootCA.pem" >> /etc/openldap/ldap.conf
echo "TLS_CACERTDIR /etc/pki/tls/certs" >> /etc/openldap/ldap.conf
For environments where certificate pinning is preferred:
# Verify certificate fingerprint directly
openssl s_client -connect ldap.example.org:636 -showcerts < /dev/null 2>/dev/null | openssl x509 -sha256 -fingerprint -noout
# Then add this to ldap.conf. The OpenLDAP 2.4 client on CentOS 6 has no
# pinning directive (TLS_CERTCHECK is not a recognised option), so record the
# fingerprint above and compare it on each host out of band.
TLS_REQCERT demand
Use this comprehensive test command:
# -ZZ requests StartTLS, which only applies to ldap:// URLs; on an ldaps:// URL
# TLS is already established and the StartTLS request fails, so it is left out.
# -x selects a simple bind so that -D/-W are honoured.
ldapsearch -x -d1 -H ldaps://ldap.example.org \
-b 'ou=active,ou=people,dc=example,dc=org' \
-D 'cn=admin,dc=example,dc=org' -W "cn=username"
The -ZZ flag forces StartTLS while -d1 provides debugging output.
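Both answers end on the same two client-side settings: never ship TLS_REQCERT never, and point TLS_CACERT at a readable PEM anchor rather than the DER .crt as downloaded. The script below is an added example, not code from either answer, that audits an ldap.conf for exactly those conditions so a bad client configuration is caught before rollout. The two sample configs and the placeholder anchor files it writes are constructed for the demo and are not real certificates; the audit checks only directives and files, it does not contact a server.

```sh
#!/bin/sh
# Added example, not part of either answer: audit an OpenLDAP client ldap.conf
# for the TLS trust settings discussed above. The sample configs and the
# placeholder anchor files written by write_sample_configs are constructed
# for this demo and are not real certificates.

# audit_ldap_conf FILE
# Prints one finding per line (FAIL or WARN). Returns 0 when there is no FAIL.
audit_ldap_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # ldap.conf is read top to bottom and a later directive overrides an
    # earlier one, so keep the last value. Directive names are case-insensitive.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"   {v=$2} END{print v}' "$conf")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"    {v=$2} END{print v}' "$conf")
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR" {v=$2} END{print v}' "$conf")

    case $(printf '%s' "$reqcert" | tr 'A-Z' 'a-z') in
        never|allow)
            echo "FAIL: TLS_REQCERT $reqcert accepts any server certificate (open to MITM)"
            rc=1 ;;
        try)
            echo "WARN: TLS_REQCERT try still proceeds if the server sends no certificate" ;;
        ''|demand|hard)
            : ;;   # '' means the directive is absent; libldap then defaults to demand
        *)
            echo "FAIL: unknown TLS_REQCERT value '$reqcert'"
            rc=1 ;;
    esac

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN: no TLS_CACERT or TLS_CACERTDIR; trust depends on the library's default store"
    fi

    if [ -n "$cacert" ]; then
        if [ ! -r "$cacert" ]; then
            echo "FAIL: TLS_CACERT $cacert is not readable"
            rc=1
        elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
            # A DER .crt as downloaded from a CA site is not usable as TLS_CACERT.
            echo "FAIL: TLS_CACERT $cacert is not PEM (convert with: openssl x509 -inform DER -in FILE -out FILE.pem)"
            rc=1
        fi
    fi

    if [ -n "$cacertdir" ] && [ ! -d "$cacertdir" ]; then
        echo "FAIL: TLS_CACERTDIR $cacertdir does not exist"
        rc=1
    fi
    return $rc
}

# write_sample_configs DIR
# Creates a weak and a fixed ldap.conf plus two placeholder anchors: anchor.pem
# carries PEM armour, anchor.crt starts with a bare DER SEQUENCE byte. Both are
# constructed stand-ins, not certificates.
write_sample_configs() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'constructed placeholder, not a real certificate body' \
        '-----END CERTIFICATE-----' > "$dir/anchor.pem"
    printf '\060\202\001\001' > "$dir/anchor.crt"
    cat > "$dir/ldap.conf.weak" <<EOF
URI ldaps://ldap.example.org
TLS_CACERT $dir/anchor.crt
TLS_REQCERT never
EOF
    cat > "$dir/ldap.conf.fixed" <<EOF
URI ldaps://ldap.example.org
TLS_CACERT $dir/anchor.pem
TLS_REQCERT demand
EOF
}

# Demo: audit both sample files. The weak one reports two FAIL lines
# (TLS_REQCERT never, DER anchor); the fixed one reports nothing.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in "$demo_dir/ldap.conf.weak" "$demo_dir/ldap.conf.fixed"; do
    echo "== $f"
    if audit_ldap_conf "$f"; then
        echo "OK: no blocking findings"
    fi
done
rm -rf "$demo_dir"
```

To audit a real host, run audit_ldap_conf /etc/openldap/ldap.conf (the path CentOS uses); a non-zero return means the client will either skip verification or fail to load its anchor, which is the state the -d1 output above was reporting.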