Failing to trust Yunohost's LDAP server TLS certificate

Hello,

I am currently trying to use the OpenLDAP server configured by Yunohost 11.0.11 (amd64) to authenticate desktop users (through sssd-ldap) on the same internal network as the Yunohost server.

Before going into sssd, I started to open the 636 port of the server, so that the clients will connect with LDAPS:

yunohost firewall allow TCP 636

Then, on a test client host, I downloaded the certificate of Yunohost for LDAPS:

openssl s_client -connect <yunohost_server>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/ssl/certs/ldapcacert.crt

But when I wanted to check the certificate of the server was trusted, it was a failure:

openssl s_client -connect <yunohost_server>:636 -CAfile /etc/ssl/certs/ldapcacert.crt

displayed:

CONNECTED(00000003)
depth=0 CN = yunohost.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = yunohost.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = yunohost.org
verify return:1
---
Certificate chain
 0 s:CN = yunohost.org
   i:CN = yunohost.org, O = yunohost
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 22 14:45:48 2022 GMT; NotAfter: Nov 21 14:45:48 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrjCCApagAwIBAgITBue0K3IWa1sJaW+1RqP6sSV19TANBgkqhkiG9w0BAQsF
ADAqMRUwEwYDVQQDEwx5dW5vaG9zdC5vcmcxETAPBgNVBAoTCHl1bm9ob3N0MB4X
...
AjI0/CS3FFNxqPZ/V36Xz9U+Spf6NLZYYdK8OniU4wRO160sCE2YFEJfQb6PRcF+
xtmcqHmpvWxtdVG8BhABTdSiZS0nto56rfuVYTb94Cu7Sg==
-----END CERTIFICATE-----
subject=CN = yunohost.org
issuer=CN = yunohost.org, O = yunohost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1502 bytes and written 394 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---

During my trials, I tried to connect to the server by its IP, by its internal name, and even by yunohost.org after I added an entry with this name and the server IP in /etc/hosts.

How can I fix this issue with trusting the TLS certificate for LDAP that appears to be configured by Yunohost ?

Thanks!

I think that you can’t as it’s a self signed certificate. If you replace the port 636 by HTTPS 443 then is should confirm that the exposed one can be validated

this actualy work in yunohost YNH 13 that uses sssd because ldap_tls_reqcert = allow and ldaps:// in use.

certificate is self-signed for yunohost.org created at install and then won’t match the domain but allow does accept unverified certificates. Still communication will be ciphered.

found here Frequently Asked Questions — SSSD documentation indications that self-signed certificates are not supported by sssd_ldap

( If the LDAP server is self-signed (or for testing purposes while awaiting a response from the server administrator), the config option ldap_tls_reqcert = never can be added to the sssd.conf, which will tell SSSD to blindly trust the certificate provided by the LDAP server. This is a security risk. It is possible for an attacker to run a man-in-the-middle attack if your clients are not properly validating certificates against a CA. Do not set this option in production. )

And according to [Help] Does SSSD still work properly if the self signed certificate on server-side is expired? · Issue #4826 · SSSD/sssd · GitHub explanation it look like it is not that well documented since user believe it is possible to do so, while it fails if check is requested…

sssd_ldap uses openldap library. openldap can accomodate some self-signed CA but not self-signed certificates, it is required to have a ca then sign certificate with it.
See OpenLDAP Faq-O-Matic: How do I use TLS/SSL? how to create your own CA :
Using Certificates: As noted in the Admin Guide, first you need a CA certificate.