Centos
讓 CentOS 6 信任來自 AD 的證書
我試圖讓我的 CentOS 伺服器信任我從活動目錄伺服器安裝的證書(我之前將 .cer 轉換為 .pem。)
當我嘗試連接時,調試資訊是:
[root@web1 cacerts]# ldapsearch -d1 -v -D SOMEDN\pretenduser01 -w SOMEPASSWORD -H ldaps://1.2.3.4:636 -x ldap_url_parse_ext(ldaps://1.2.3.4:636) ldap_initialize( ldaps://1.2.3.4/??base ) ldap_create ldap_url_parse_ext(ldaps://1.2.3.4:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 1.2.3.4:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 1.2.3.4:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: using moznss security dir /etc/openldap/cacerts prefix . TLS: loaded CA certificate file /etc/openldap/cacerts/some_pem_file.pem. TLS: certificate [CN=SRV-DC3-RG.hiddendomain.co.uk] is not valid - error -8179:Peer's Certificate issuer is not recognized.. TLS: error: connect - force handshake failure: errno 21 - moznss error -8179 TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
我真的不知道解決這個問題的下一步是什麼。我可以在沒有 SSL 的情況下很好地連接,但這並不是很好:)
您需要信任為您提供的證書籤名的證書。通常這將是您可以從執行 AD CS 的電腦的證書儲存中獲取的信任根(CA 證書),儘管它也可能是一個中間(在這種情況下應該呈現整個鏈,因此信任根是仍然是值得信賴的人)。您應該能夠簡單地將證書連接到末尾
/etc/openldap/cacerts/some_pem_file.pem
並讓事情正常進行。