Failing to trust Yunohost's LDAP server TLS certificate

limace42 · January 15, 2023, 5:59pm

Hello,

I am currently trying to use the OpenLDAP server configured by Yunohost 11.0.11 (amd64) to authenticate desktop users (through sssd-ldap) on the same internal network as the Yunohost server.

Before going into sssd, I started to open the 636 port of the server, so that the clients will connect with LDAPS:

yunohost firewall allow TCP 636

Then, on a test client host, I downloaded the certificate of Yunohost for LDAPS:

openssl s_client -connect <yunohost_server>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/ssl/certs/ldapcacert.crt

But when I wanted to check the certificate of the server was trusted, it was a failure:

openssl s_client -connect <yunohost_server>:636 -CAfile /etc/ssl/certs/ldapcacert.crt

displayed:

CONNECTED(00000003)
depth=0 CN = yunohost.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = yunohost.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = yunohost.org
verify return:1
---
Certificate chain
 0 s:CN = yunohost.org
   i:CN = yunohost.org, O = yunohost
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 22 14:45:48 2022 GMT; NotAfter: Nov 21 14:45:48 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrjCCApagAwIBAgITBue0K3IWa1sJaW+1RqP6sSV19TANBgkqhkiG9w0BAQsF
ADAqMRUwEwYDVQQDEwx5dW5vaG9zdC5vcmcxETAPBgNVBAoTCHl1bm9ob3N0MB4X
...
AjI0/CS3FFNxqPZ/V36Xz9U+Spf6NLZYYdK8OniU4wRO160sCE2YFEJfQb6PRcF+
xtmcqHmpvWxtdVG8BhABTdSiZS0nto56rfuVYTb94Cu7Sg==
-----END CERTIFICATE-----
subject=CN = yunohost.org
issuer=CN = yunohost.org, O = yunohost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1502 bytes and written 394 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---

During my trials, I tried to connect to the server by its IP, by its internal name, and even by yunohost.org after I added an entry with this name and the server IP in /etc/hosts.

How can I fix this issue with trusting the TLS certificate for LDAP that appears to be configured by Yunohost ?

Thanks!