On 11/16/2020 12:08 AM, Paul B. Henson wrote:
I just updated one of my servers running 6.7 to 6.8, and am having a problem with openldap. I have the intermediate cert and root CA in a file referenced by the openldap config:TLSCACertificateFile /etc/openldap/cabundle.crt Under 6.7 with the openldap port from that version, this results in the chain being served: Certificate chain 0 s:CN = ldap-netsvc.pbhware.com i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 i:O = Digital Signature Trust Co., CN = DST Root CA X3 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3 i:O = Digital Signature Trust Co., CN = DST Root CA X3 However, under 6.8 with the newer openldap 2.4.53 port, only the server cert itself is being served, not the intermediate or root: Certificate chain 0 s:CN = ldap-netsvc.pbhware.com i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 This of course causes clients to fail to validate the server cert :(. I'm running openldap 2.4.53 on other operating systems and as far as I know there's no change in behavior with it. So I'm guessing there's an interoperability issue between openbsd libressl and openldap that's causing this problem? Do I need to configure something differently? Any other suggestions? Thanks much...
I remember seeing this commit recently. Not sure if this is your problem or not.
https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2
