LDAPS or LDAP+StartTLS connection fails due to a missing CA certificate
Applies to
- ONTAP
- LDAP servers
- Active Directory
- SSL/TLS protocol
Issue
- EMS:
secd.ldap.noServers: None of the LDAP servers configured for Vserver (VS1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
secd.ldap.noServers: None of the LDAP servers configured for Vserver (VS1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: MapNetbiosDomainToADDomain).
- SECD:
[ 74] Successfully connected to ip x.x.x.x, port 389 using TCP
[ 87] Required certificate with CA ClientAccessRootCA is not installed
[ 87] Unable to start TLS: Connect error
[ 87] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
- The CA certificate that signed the certificate presented by the LDAP server (Issuer CA) is installed in ONTAP, yet the TLS handshake still fails.
- A packet trace shows the certificate chain sent by the LDAP server in its Certificate handshake message. It contains two certificates:
  - the certificate of the LDAP server host itself (LDAPserverhostname, issued by Issuer CA), and
  - an intermediate CA certificate (Issuer CA, issued by Root CA).
- The self-signed Root CA certificate is not part of the chain sent by the server (TLS servers normally omit the root), so ONTAP can only complete the chain if the Root CA certificate is present in its own certificate store.
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2911
        Handshake Protocol: Server Hello
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2587
            Certificates Length: 2584
            Certificates (2584 bytes)
                Certificate Length: 1208
                Certificate: 308204b43082039ca0030201020213160000802cf3c5747b… (id-at-commonName=LDAPserverhostname)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x160000802cf3c5747b5475eb2100000000802c
                        signature (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 3 items (id-at-commonName=Issuer CA)
                        validity
                        subject: rdnSequence (0)
                        subjectPublicKeyInfo
                        extensions: 9 items
                    algorithmIdentifier (sha256WithRSAEncryption)
                    Padding: 0
                    encrypted: d403151937a2904d0405e5fe7be043a51969650e43cc27e0…
                Certificate Length: 1370
                Certificate: 308205563082033ea00302010211114500000002578509d7… (id-at-commonName=Issuer CA)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x4500000002578509d77c523cae000000000002
                        signature (sha256WithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 3 items (id-at-commonName=Root CA)