I've been given a certificate by the person who runs our Active Directory server so I can use LDAPS but I can't get it to work. When verifying with openssl:
openssl s_client -connect domain.com:636 -CAfile ~/filename.pem
I just get "Verify return code: 20 (unable to get local issuer certificate)" every time.
I'm wondering if the server is misconfigured because I have tried to get the certificate straight from the server like this (from an Ubuntu 16.04 client):
openssl s_client -host domain.com -port 636 -prexit -showcerts
And I get the same error message even with that.
Whereas if I type:
openssl s_client -host google.com -port 443 -prexit -showcerts
I get Verify return code: 0 (ok)
I've tried copying certificates into /etc/ssl/certs. I've tried using -CApath and -CAfile to give various certificates to the server.
Really I'm asking if the error code 20 in response to an openssl with -showcerts means that the server really is misconfigured or if I'm just not doing it right, because I'd hate to spend more time on the client when it's the server that's misbehaving.
openssl x509 -noout -text -in filename.pem
returns (with some redactions):
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxxxxxxxxx
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=My organisation RootCA
        Validity
            Not Before: May 20 13:11:34 2016 GMT
            Not After : May 20 13:21:34 2021 GMT
        Subject: DC=org, DC=example, CN=My organisation Issuing CA
And then a load of stuff that all looks fine. That is the root certificate, is it not? It says RootCA on it, after all.
Oh yes, and if I feed that certificate in, with
openssl s_client -connect domain.com:636 -CAfile file.pem
I do get a different error message:
Verify return code: 2 (unable to get issuer certificate)
So this feels like I have one certificate but not the other.
I did get another one using nmap --ssl-cert but I don't seem to be able to get anything other than error code 20 with that.
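As an added example (not part of the question above), the script below builds a throwaway root CA -> issuing CA -> LDAP server certificate hierarchy shaped like the one described, then shows which trust file makes `openssl verify` report error 20, error 2, or OK; it assumes only the openssl command-line tool (1.1.0 or newer), and every name and key in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the error 20 / error 2
# behaviour offline with a constructed three-tier chain. Assumes the openssl CLI.
set -e
WORK=$(mktemp -d) && cd "$WORK"
# Minimal config: req wants a distinguished_name section; [ca] marks CA certs.
cat > mini.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
Q='-config mini.cnf -newkey rsa:2048 -nodes'
# Self-signed root CA (the "RootCA" in the question's Issuer field)
openssl req -x509 $Q -extensions ca -keyout root.key -out root.pem -days 30 \
  -subj '/CN=My organisation RootCA' 2>/dev/null
# Issuing (intermediate) CA, signed by the root; this is what the given file was
openssl req -new $Q -keyout issuing.key -out issuing.csr \
  -subj '/DC=org/DC=example/CN=My organisation Issuing CA' 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile mini.cnf -extensions ca -out issuing.pem 2>/dev/null
# LDAP server certificate, signed by the issuing CA (constructed hostname)
openssl req -new $Q -keyout ldap.key -out ldap.csr -subj '/CN=dc1.example.org' 2>/dev/null
openssl x509 -req -in ldap.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 30 -out ldap.pem 2>/dev/null
cat root.pem issuing.pem > chain.pem   # both CA certs in one trust file

# verify_error: prints the X509 verify error number for ldap.pem, or 0 when the
# chain verifies. Extra arguments go to openssl verify; the system trust store is
# switched off so that only the files named on the command line count.
verify_error() {
  out=$(openssl verify -no-CApath -no-CAfile "$@" ldap.pem 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

echo "root only:        $(verify_error -CAfile root.pem)"    # 20: leaf's issuer unknown
echo "issuing only:     $(verify_error -CAfile issuing.pem)" # 2: issuer of issuing CA unknown
echo "root + issuing:   $(verify_error -CAfile chain.pem)"   # 0: full chain present
echo "root, untrusted:  $(verify_error -CAfile root.pem -untrusted issuing.pem)" # 0
```

Error 20 means the verifier found no issuer at all for the last certificate it had, while error 2 means it reached a certificate in the trust file (here the issuing CA) whose own issuer is missing; -showcerts only displays what the server sent and does not add trust, so a server that omits its intermediate still yields 20 unless that intermediate is supplied with -untrusted or included in the CA file.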