Univention Bugzilla – Bug 47858
univention-adsearch does not find certificates
Last modified: 2020-07-15 17:03:29 CEST
root@ucsdc1:/tmp# univention-adsearch cn=user
Traceback (most recent call last):
  File "/usr/sbin/univention-adsearch", line 198, in <module>
    lo.start_tls_s()
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 609, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)', 'desc': 'Connect error'}

But the certificate exists and is referenced:

root@ucsdc1:/etc/univention/connector/ad# ll
insgesamt 320
-rw------- 1 root root 1306 Mai 23  2016 ad_cert_20160523_142543.pem
-rw------- 1 root root 2009 Jan  5  2017 ad_cert_20170105_121042.pem
[...]
root@ucsdc1:/etc/univention/connector/ad# ucr search connector/ad
connector/ad/autostart: yes
connector/ad/ldap/base: DC=ltbbg1,DC=lvnbb,DC=de
connector/ad/ldap/binddn: ucsdc1$
connector/ad/ldap/bindpw: /etc/machine.secret
connector/ad/ldap/certificate: /etc/univention/connector/ad/ad_cert_20170105_121042.pem

Verified the certificate is valid.
A workaround has been implemented on 4.3-1 but it should be fixed properly to be update safe. root@ucsdc1:~# diff -Nur /usr/sbin/univention-adsearch univention-adsearch --- /usr/sbin/univention-adsearch 2018-06-15 12:21:37.000000000 +0200 +++ univention-adsearch 2018-07-05 21:39:11.084541168 +0200 @@ -184,7 +184,8 @@ if login_pw[-1] == '\n': login_pw = login_pw[:-1] -ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME) +# ca_file = configRegistry.get('%s/ad/ldap/certificate' % CONFIGBASENAME) +ca_file = '/var/cache/univention-ad-connector/CAcert-connector.pem' start_tls = 2 if configRegistry.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) else 0 if start_tls and ca_file:
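Review bot: the `+ca_file = '/var/cache/univention-ad-connector/CAcert-connector.pem'` line hardcodes an absolute path and discards the `connector/ad/ldap/certificate` UCR lookup on the removed line, so the setting shown in the bug report is silently ignored and the script fails outright if the cache file is absent. As a committed fix, keep reading the configured path and ensure the file it points to (or a bundle derived from it) also contains the issuing UCS root CA, because `unable to get issuer certificate` means the verifier found the Sub CA but no self-signed issuer above it. The commented-out `# ca_file = ...` line should be deleted rather than left in place.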
How do the two files

* /etc/univention/connector/ad/ad_cert_20170105_121042.pem
* /var/cache/univention-ad-connector/CAcert-connector.pem

relate to each other? In the initial bug report you write that the first path is correct and the certificate valid, but then the workaround is to use a different path?
(In reply to Arvid Requate from comment #2)
> How do the two files
>
> * /etc/univention/connector/ad/ad_cert_20170105_121042.pem

This is the "Landtag Brandenburg AD Sub CA" certificate, which is a Sub CA of the UCS Root CA.

openssl x509 -in /etc/univention/connector/ad/ad_cert_20170105_121042.pem -fingerprint
SHA1 Fingerprint=2B:A5:C2:3C:E1:89:C0:36:E5:E7:A6:5F:E0:07:BB:7F:0F:50:BB:22

> * /var/cache/univention-ad-connector/CAcert-connector.pem

This is the UCS Root certificate.

openssl x509 -in /var/cache/univention-ad-connector/CAcert-connector.pem -fingerprint
SHA1 Fingerprint=18:FB:91:D1:B2:CD:8B:8F:75:50:50:39:67:AF:1F:70:D3:40:4E:96
openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -fingerprint
SHA1 Fingerprint=18:FB:91:D1:B2:CD:8B:8F:75:50:50:39:67:AF:1F:70:D3:40:4E:96
This also leads to non-functional behavior of the NAGIOS module for the AD Connector:

ADCONNECTOR CRITICAL: Could not connect to AD server!
Our Windows servers get their certificates from the Microsoft Certificate Service running on a 2012R2 server. This Microsoft CA is a Sub CA of the Univention Root CA.
b0a4897230 | make univention-adsearch use the certificate chain file
ff06c509da | Advisory
edaf5f922e | Fix a variable name
3042c14056 | Advisory
OK - ad connector setup with SSL
OK - ca file bundle
  * rm /var/cache/univention-ad-connector/CAcert-connector.pem
  * univention-adsearch cn=Administrator
  * openssl crl2pkcs7 -nocrl -certfile CAcert-connector.pem | openssl pkcs7 -print_certs -noout
    subject=/C=DE/ST=DE/L=DE/O=home/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=Y3SMfZae)/emailAddress=ssl@four.three
    issuer=/C=DE/ST=DE/L=DE/O=home/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=Y3SMfZae)/emailAddress=ssl@four.three
    subject=/DC=test/DC=w2k12/CN=w2k12-WIN-M1LHUHEJFSI-CA
    issuer=/DC=test/DC=w2k12/CN=w2k12-WIN-M1LHUHEJFSI-CA
OK - YAML
<http://errata.software-univention.de/ucs/4.3/289.html>