It’s been quite a while since I’ve updated this blog, but not because we’ve run out of problems – most of the issues were either too complex to document them in a simple article, too confidential to be allowed to be documented here, or both. And I’ve been pretty busy fighting bugs, too, leaving close to no time for getting updates into this blog. So to set a new starting point, here’s a smaller recent issue.
While migrating a PHP application to a newly set up server platform, an issue with non-working connections to a back-end LDAP server turned up. The application just reported some generic problem, while the log revealed a bit more information:
Unable to start TLS and unable to fetch rootDSE entry to see if TLS is supported: Can't contact LDAP server
Fortunately, the LDAP server wasn’t down nor malfunctioning, and fortunately invoking “ldapsearch” to verify the state of the LDAP server (of course invoked on the server running the PHP application) gave an immediate hint at the root cause:
# ldapsearch -Wx -ZZ -h ldap.example.com -b "dc=example,dc=com" "(objectClass=*)" ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain) #
Indeed, the LDAP server was configured to use a certificate that was issued by an internal Certification Authority, the latter using a self-signed certificate. But that’s nothing new and the CA certificate was available on the server where we called “ldapsearch”, so what’s the deal? Continue reading