Trying to connect to LDAPS (Windows active directory) but keep receiving Verify return code: 20 (unable to get local issuer certificate) error

I've been given a certificate by the person who runs our Active Directory server so I can use LDAPS but I can't get it to work. When verifying with openssl:

openssl s_client -connect domain.com:636 -CAfile  ~/filename.pem

I just get Verify return code: 20 (unable to get local issuer certificate) every time.

I'm wondering if the server is misconfigured because I have tried to get the certificate straight from the server like this (from Ubuntu 16.04 client):

openssl s_client -host domain.com -port 636 -prexit -showcerts

And I get the same error message even with that.

Whereas if I type:

openssl s_client -host google.com -port 443 -prexit -showcerts

I get Verify return code: 0 (ok)

I've tried copying certificates into /etc/ssl/certs. I've tried using -CApath and -CAfile to give various certificates to the server.

Really I'm asking if the error code 20 in response to an openssl with -showcerts means that the server really is misconfigured or if I'm just not doing it right, because I'd hate to spend more time on the client when it's the server that's misbehaving.

openssl x509 -noout -text -in filename.pem

returns (with some redactions):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxxxxxxxxx
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=My organisation RootCA
        Validity
            Not Before: May 20 13:11:34 2016 GMT
            Not After : May 20 13:21:34 2021 GMT
        Subject: DC=org, DC=example, CN=My organisation Issuing CA

And then a load of stuff that all looks fine. That is the root certificate, is it not? It says RootCA on it, after all.

Oh yes, and if I feed that certificate in, with

openssl s_client -connect domain.com:636 -CAfile file.pem

I do get a different error message:

Verify return code: 2 (unable to get issuer certificate)

So this feels like I have one certificate but not the other.

I did get another one using nmap --ssl-cert but I don't seem to be able to get anything other than error code 20 with that.

0
asked 30 July 2018 at 19:37
2 answers

I assume that you were given a file with a single root CA cert to validate the TLS server cert. Make sure it is ASCII-armored base64-encoded (i.e. PEM).

Usually a certificate authority does not use the root CA's key to sign a TLS server's public key directly. For security reasons an intermediate CA, often also called an issuing CA, is used for that.

Now the TLS client has to verify the whole CA cert chain, and it needs access to the intermediate CA cert and the root CA cert.

In the case of a well-configured TLS server you only need the root CA cert in a local file, because the server sends the intermediate CA cert during the TLS connect. But some TLS servers are not well configured.

You should look at what happens with

openssl s_client -connect ldap.example.com:636 -showcerts

as you already did.

If you don't have the root CA cert, ask the person who has the intermediate CA cert for it.

Or, if you have a Windows workstation in this AD domain, it is fairly likely that you will find the root CA cert in the trust store of your Windows installation.

2
answered 4 December 2019 at 13:24

That is the root certificate, is it not? It says RootCA on it, after all.

    Issuer: CN=My organisation RootCA
    Validity
        Not Before: May 20 13:11:34 2016 GMT
        Not After : May 20 13:21:34 2021 GMT
    Subject: DC=org, DC=example, CN=My organisation Issuing CA

No, this is not the root certificate, it is merely signed by the root certificate. You need a certificate that looks like this:

    Issuer: CN=My organisation RootCA
    Subject: CN=My organisation RootCA

In other words, both Issuer and Subject must be your RootCA.

As it was most likely created on the Windows machine, go to the certificate manager and export the root CA (just the certificate, you don't need the key).

0
answered 4 December 2019 at 13:24
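As an added example that is not part of the question or of either answer, the script below reproduces both verify codes from the question offline and ties together the two answers: the first answer's point that the client needs root plus intermediate unless the server sends the intermediate, and the second answer's Issuer == Subject test for recognising the real root. It generates a throwaway root CA, issuing CA and LDAPS server certificate using the names from the question, then runs `openssl verify` (used in place of `s_client` so no live server is needed; `-untrusted` stands in for the certificates a server sends in the handshake). The file names, serial numbers and `ldap.example.com` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or either answer.
# Builds a throwaway CA hierarchy with the names from the question and shows
# which trust file produces verify code 20, code 2, and 0 (ok). Everything
# below (file names, serials, ldap.example.com) is an assumption for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certs and for the LDAPS server cert.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:ldap.example.com
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Root CA: self-signed, so Issuer == Subject.
newkey root.key
openssl req -new -key root.key -subj "/CN=My organisation RootCA" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 3650 -set_serial 1 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Issuing (intermediate) CA: signed by the root; this is what the asker's file holds.
newkey issuing.key
openssl req -new -key issuing.key \
  -subj "/DC=org/DC=example/CN=My organisation Issuing CA" -out issuing.csr
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -days 1825 \
  -set_serial 2 -extfile ca.ext -out issuing.pem 2>/dev/null

# LDAPS server cert: signed by the issuing CA.
newkey server.key
openssl req -new -key server.key -subj "/CN=ldap.example.com" -out server.csr
openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key -days 365 \
  -set_serial 3 -extfile server.ext -out server.pem 2>/dev/null

# The check from the second answer: "root" only if Issuer == Subject.
cert_role() {
  subj=$(openssl x509 -noout -subject -in "$1"); subj=${subj#subject=}
  iss=$(openssl x509 -noout -issuer -in "$1"); iss=${iss#issuer=}
  [ "$subj" = "$iss" ] && echo root || echo issued
}

# Numeric X509 verify result: 0 = ok; 2 and 20 are the codes in the question.
# $1 = trust anchors (-CAfile), $2 = leaf, $3 = optional untrusted intermediates,
# which stand in for what the server sends in the handshake.
verify_code() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

# Split a PEM stream (e.g. saved `s_client -showcerts` output) into
# cert-0.pem, cert-1.pem, ... and print how many certs it held.
split_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ }
       n > 0 { print > ("cert-" (n - 1) ".pem") }
       END { print n + 0 }' "$1"
}

# A correctly configured server sends leaf + intermediate; a client that
# trusts only the root then verifies. Without the intermediate it gets 20.
cat server.pem issuing.pem > sent-by-server.pem
cat root.pem issuing.pem > trust-bundle.pem

echo "issuing.pem is: $(cert_role issuing.pem)"
echo "root.pem is:    $(cert_role root.pem)"
echo "root trusted, intermediate not sent:      $(verify_code root.pem server.pem)"
echo "intermediate alone as trust anchor:       $(verify_code issuing.pem server.pem)"
echo "root trusted, intermediate sent:          $(verify_code root.pem server.pem issuing.pem)"
echo "root+intermediate bundle, nothing sent:   $(verify_code trust-bundle.pem server.pem)"
echo "certs in the showcerts-style dump:        $(split_chain sent-by-server.pem)"
```

The two failure cases map directly onto the question: with only the root trusted and no intermediate available, OpenSSL stops at depth 0 with code 20 (no issuer found anywhere); with the issuing CA alone as the trust anchor, it finds that issuer but cannot go further and reports code 2 at depth 1, which is exactly the "I have one certificate but not the other" situation. To apply `split_chain` to a real server, save the output of `openssl s_client -connect ldap.example.com:636 -showcerts </dev/null` to a file first and run `cert_role` on each piece; if the dump holds only one certificate, the server is not sending its intermediate and the client must carry root plus intermediate in its `-CAfile` bundle.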
