I've been following the instructions to secure Kolab (sorry, cannot link, but it is: docs dot kolab dot org slash howtos slash secure-kolab-server dot html) and have got stuck with the 389 Directory Service LDAP section. Note: I am aware it can be skipped, but I had long-term plans to access the service from remote machines.

Log files show:

Code:
Peer does not recognize and trust the CA that issued your certificate

Each step of the process appears to work fine. However, at the end I cannot connect securely:

Code:
[root@mail]# ldapsearch -x -H ldaps://XXXX.XXXX.XXX.XXX -b "cn=kolab,cn=config" -D "cn=Directory Manager" -w "${passwd}"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Standard connection seems to work fine:

Code:
[root@mail]# ldapsearch -x -H ldap://XXXX.XXXX.XXX.XXX -b "cn=kolab,cn=config" -D "cn=Directory Manager" -w "${passwd}"
# extended LDIF
#
# LDAPv3
# base <cn=kolab,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# kolab, config
dn: cn=kolab,cn=config
objectClass: top
objectClass: extensibleobject
cn: kolab

# XXXX.XXX.XXX, kolab, config
dn: associateddomain=XXXX.XXX.XXX,cn=kolab,cn=config
objectClass: top
objectClass: domainrelatedobject
associatedDomain: XXXX.XXX.XXX
associatedDomain: localhost
associatedDomain: XXXX.XXXX.XXX.XXX
associatedDomain: localhost.localdomain

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

And I think an openssl connection works too:

Code:
[root@mail]# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = AU, CN = XXXX.XXXX.XXX.XXX, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=AU/CN=XXXX.XXXX.XXX.XXX/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXx
-----END CERTIFICATE-----
subject=/C=AU/CN=XXXX.XXXX.XXX.XXX/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Acceptable client certificate CA names
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
SSL handshake has read 1947 bytes and written 579 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: XXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1443403788
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Access log file shows the following for the failed ldaps connection:

Code:
[28/Sep/2015:11:13:38 +091800] conn=17 fd=64 slot=64 SSL connection from ::1 to ::1
[28/Sep/2015:11:13:38 +091800] conn=17 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Error log shows the following at startup:

Code:
[28/Sep/2015:10:48:23 +091800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

I have tried numerous things, mostly variants of either moving the various .crt, .pem and .key files to different locations and adding the CA chain block to the end of anything I can think of. But I feel I am shooting blind and am probably doing more damage than good at this point.

This is a clean, recent install of CentOS 7 and Kolab. Some specific guidance on where I need to be looking would be greatly appreciated.
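Two details in the post point at the same thing: the s_client "Certificate chain" section lists only entry 0 (the server never sends its intermediate), and the startup error -8179 says NSS cannot find the issuer of Server-Cert. Both are what you see when the 389 DS NSS database holds the server certificate but not the CA certificates that issued it; appending the chain to a .pem file on disk does not change what is inside that database. The script below is an added example, not code from the post or from the Kolab documentation. It builds a constructed root -> intermediate -> server chain with throwaway names, reproduces the "issuer not recognized" failure with openssl, splits a CA bundle into single certificates, and shows the certutil import that puts the chain into the NSS database. The database path /etc/dirsrv/slapd-<instance> is an assumption; the nickname Server-Cert is the one from the error log in the post.

```shell
#!/bin/sh
# Added example (not from the post above or from Kolab): reproduce the
# "issuer is not recognized" failure with a constructed test PKI, then show
# the two steps that fix it on a 389 DS host: (1) check the server cert
# against its chain with openssl, (2) split the CA bundle and import each
# CA into the server's NSS database with certutil. Step 2 is guarded and
# skipped when certutil is not installed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki DIR: constructed PKI (root CA, intermediate CA, server cert).
# All names here are made up for the example.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # self-signed root CA
  openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 2 -subj "/CN=Example Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # intermediate CA, signed by the root, CA:TRUE so it may sign leaves
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Test Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/req.cnf" -extensions v3_ca -out "$dir/int.pem" 2>/dev/null
  # server (leaf) cert, signed by the intermediate, not by the root
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldap.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/req.cnf" -extensions v3_leaf -out "$dir/server.pem" 2>/dev/null
  # the bundle a public CA typically hands out: intermediate first, root last
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# verify_chain ROOT LEAF [INTERMEDIATE]: succeed only if LEAF chains to ROOT.
# Without the intermediate this fails with "unable to get local issuer
# certificate", the openssl counterpart of NSS error -8179.
verify_chain() {
  root="$1"; leaf="$2"; inter="${3:-}"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# split_chain BUNDLE OUTDIR: write each certificate in BUNDLE to its own
# OUTDIR/cert-N.pem and print how many were written. certutil -A imports one
# certificate per call, so a concatenated chain must be split first.
split_chain() {
  bundle="$1"; out="$2"
  mkdir -p "$out"
  awk -v out="$out" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  ls "$out" | grep -c '^cert-[0-9]*\.pem$' || true
}

# import_chain_nss DBDIR SPLITDIR: import every CA cert in SPLITDIR into the
# 389 DS NSS database with trust flags "CT,," (trusted CA for server and
# client auth), then ask NSS whether Server-Cert validates for server use.
# DBDIR is assumed to be /etc/dirsrv/slapd-<instance>; adjust for your install.
import_chain_nss() {
  db="$1"; dir="$2"
  command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
  for f in "$dir"/cert-*.pem; do
    nick=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
    certutil -A -d "$db" -n "$nick" -t "CT,," -i "$f"
  done
  certutil -L -d "$db"                      # each CA should now show "CT,,"
  certutil -V -d "$db" -n Server-Cert -u V  # "certificate is valid" on success
}

demo() {
  make_test_pki "$WORK/pki"
  echo "root only:           $(verify_chain "$WORK/pki/root.pem" "$WORK/pki/server.pem" && echo ok || echo FAIL)"
  echo "root + intermediate: $(verify_chain "$WORK/pki/root.pem" "$WORK/pki/server.pem" "$WORK/pki/int.pem" && echo ok || echo FAIL)"
  echo "certs in chain.pem:  $(split_chain "$WORK/pki/chain.pem" "$WORK/pki/split")"
  # on the real server: import_chain_nss /etc/dirsrv/slapd-<instance> "$WORK/pki/split"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh script.sh demo` to see the first check fail and the second succeed. On the Kolab host the same shape applies: split the StartCom bundle, import the intermediate and root with `certutil -A ... -t "CT,,"` into the instance's NSS directory, restart dirsrv, and the -8179 alert should disappear from the error log while s_client starts listing the intermediate as entry 1 in the chain. The client-side "Can't contact LDAP server (-1)" from ldapsearch over ldaps is a separate trust check: OpenLDAP reads TLS_CACERT from /etc/openldap/ldap.conf (or the LDAPTLS_CACERT environment variable), and running ldapsearch with `-d 1` prints the TLS error it is otherwise hiding.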