Centos

Getting CentOS 6 to trust a certificate from AD

  • June 24, 2013

I am trying to get my CentOS server to trust a certificate that I installed from our Active Directory server (I converted the .cer to .pem beforehand).

When I try to connect, the debug output is:

[root@web1 cacerts]# ldapsearch -d1 -v -D SOMEDN\pretenduser01 -w SOMEPASSWORD  -H ldaps://1.2.3.4:636 -x
ldap_url_parse_ext(ldaps://1.2.3.4:636)
ldap_initialize( ldaps://1.2.3.4/??base )
ldap_create
ldap_url_parse_ext(ldaps://1.2.3.4:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 1.2.3.4:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/cacerts prefix .
TLS: loaded CA certificate file /etc/openldap/cacerts/some_pem_file.pem.
TLS: certificate [CN=SRV-DC3-RG.hiddendomain.co.uk] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I really don't know what the next step to fix this is. I can connect fine without SSL, but that isn't great :)

You need to trust the certificate that signed the certificate being presented to you. Usually this will be the trust root (the CA certificate), which you can get from the certificate store of the machine running AD CS, although it could also be an intermediate (in which case the whole chain should be presented, so the trust root is still the one that has to be trusted). You should be able to simply append that certificate to the end of /etc/openldap/cacerts/some_pem_file.pem and have things work.
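To make the failure and the fix concrete, here is an added example (not from the original question or answer) that builds a throwaway CA and domain-controller certificate with the openssl CLI, shows that verification fails while the trusted bundle lacks the issuer, and then succeeds after the issuing CA is appended, as the answer suggests. All names, paths and the second "unrelated" CA are constructed; the bundle file stands in for /etc/openldap/cacerts/some_pem_file.pem.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces "issuer is not
# recognized" with a throwaway PKI, then applies the answer's fix:
# append the issuing CA to the PEM bundle the LDAP client trusts.
# Assumes only the openssl CLI; every name and path here is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUNDLE="$WORK/some_pem_file.pem"   # stands in for /etc/openldap/cacerts/some_pem_file.pem

# Self-signed CA with the given CN; writes $2.key and $2.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# Constructed PKI: an "AD CS" root that signs the domain controller's
# certificate, plus an unrelated root that is already in the bundle
# (so the bundle is valid PEM but lacks the real issuer).
make_test_pki() {
    make_ca "Test AD CS Root" "$WORK/adcs"
    make_ca "Unrelated Root" "$WORK/other"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=SRV-DC3-RG.hiddendomain.co.uk" \
        -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/dc.csr" -CA "$WORK/adcs.pem" \
        -CAkey "$WORK/adcs.key" -CAcreateserial -out "$WORK/dc.pem" >/dev/null 2>&1
    cp "$WORK/other.pem" "$BUNDLE"
}

# Exit 0 if the certificate chains to a CA in the bundle, the same
# decision the TLS layer makes before ldapsearch can bind.
verify_against_bundle() {
    openssl verify -CAfile "$BUNDLE" "$1" >/dev/null 2>&1
}

# The fix from the answer: append the issuing CA to the existing bundle.
trust_issuer() {
    cat "$1" >> "$BUNDLE"
}

make_test_pki
if verify_against_bundle "$WORK/dc.pem"; then BEFORE=trusted; else BEFORE=untrusted; fi
trust_issuer "$WORK/adcs.pem"
if verify_against_bundle "$WORK/dc.pem"; then AFTER=trusted; else AFTER=untrusted; fi
echo "before appending the CA: $BEFORE; after: $AFTER"
```

On the real server the same check is `openssl verify -CAfile /etc/openldap/cacerts/some_pem_file.pem <server-cert.pem>`, which should pass before ldapsearch over ldaps is expected to.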

Quoted from: https://serverfault.com/questions/518036