ldapsearch fails with error "Peer's certificate issuer has been marked as not trusted by the user"
Issue
- When running ldapsearch against the server over ldaps://, the TLS handshake fails with the following error:
[root@server ~]# ldapsearch -x -H ldaps://host.example.com -b "dc=example,dc=org" -d 1
ldap_url_parse_ext(ldaps://host.example.com)
ldap_create
ldap_url_parse_ext(ldaps://host.example.com:636/??base)
....
ldap_connect_to_host: TCP host.example.com:636
ldap_connect_to_host: Trying 10.80.1.201:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/pki/tls/certs/slapd.crt.
TLS: certificate [CN=host.example.com,OU=FOO,O=Internal CA,L=test,ST=GE,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
- SSSD fails to connect to the LDAP server with the following error:
sssd[be[default]]: Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
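NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER: the server certificate was parsed fine, but the certificate that issued it (here O=Internal CA) is not present as a trusted CA in the material the client loaded. On RHEL 6 the OpenLDAP client is built against Mozilla NSS and takes that material from TLS_CACERT in /etc/openldap/ldap.conf (the "TLS: loaded CA certificate file" line shows which file it picked up); SSSD has the equivalent ldap_tls_cacert option. Note that the file loaded in the log above, /etc/pki/tls/certs/slapd.crt, is named like a server certificate rather than a CA certificate, which is worth checking before anything else. The script below is an added example, not part of the Red Hat article: it builds a throwaway internal CA and a server certificate issued by it with openssl, then runs the same chain check NSS performs against the real CA file and against the server certificate itself, so you can see what each outcome looks like. The file names, the CA name and the temporary directory are assumptions for the demo; the subject DN copies the log above.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Requires the openssl CLI.
# Builds ca.crt (self-signed CA) and slapd.crt (issued by it) in a temp dir,
# then checks which file is acceptable as a TLS_CACERT for slapd.crt.
set -e

WORK=$(mktemp -d)           # assumed scratch location; removed on exit
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: empty DN section (subjects are passed with -subj)
# plus the extension sets that make ca.crt a real CA and slapd.crt a leaf.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:host.example.com
EOF

# make_chain: create $WORK/ca.crt and $WORK/slapd.crt (signed by ca.crt).
make_chain() {
    openssl req -x509 -config "$WORK/ext.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -days 2 -subj "/C=US/O=Internal CA/CN=Internal CA Root" >/dev/null 2>&1
    openssl req -new -config "$WORK/ext.cnf" \
        -newkey rsa:2048 -nodes -keyout "$WORK/slapd.key" -out "$WORK/slapd.csr" \
        -subj "/C=US/ST=GE/L=test/O=Internal CA/OU=FOO/CN=host.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/slapd.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions srv_ext \
        -out "$WORK/slapd.crt" >/dev/null 2>&1
}

# verify_against CA_FILE SERVER_CERT: exit 0 if SERVER_CERT chains to a CA in
# CA_FILE. This is the condition TLS_CACERT / ldap_tls_cacert must satisfy.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches_ca CA_FILE SERVER_CERT: exit 0 if the server certificate's
# issuer DN equals the CA file's subject DN, i.e. the file is the issuing CA.
issuer_matches_ca() {
    ca_subject=$(openssl x509 -in "$1" -noout -subject)
    srv_issuer=$(openssl x509 -in "$2" -noout -issuer)
    [ "${ca_subject#subject=}" = "${srv_issuer#issuer=}" ]
}

# is_ca FILE: exit 0 if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

make_chain

# First run: the genuine CA. Second run: the server certificate offered as the
# CA file, the situation a file named slapd.crt in TLS_CACERT would suggest.
for cafile in "$WORK/ca.crt" "$WORK/slapd.crt"; do
    if verify_against "$cafile" "$WORK/slapd.crt"; then
        echo "OK   : slapd.crt verifies with TLS_CACERT=$cafile"
    else
        echo "FAIL : slapd.crt does not verify with TLS_CACERT=$cafile"
        is_ca "$cafile" || echo "       (file is not a CA certificate: no basicConstraints CA:TRUE)"
        issuer_matches_ca "$cafile" "$WORK/slapd.crt" || \
            echo "       (file's subject is not the issuer named in slapd.crt)"
    fi
done
```

On a real client, point `verify_against` at the file named in the "TLS: loaded CA certificate file" line and at a copy of the server certificate taken with `openssl s_client -connect host.example.com:636 -showcerts`; if the check fails, `is_ca` and `issuer_matches_ca` tell you whether the file is not a CA certificate at all or is simply the wrong CA. Only once `openssl verify` passes is it worth looking at NSS-specific causes such as a stale certificate database.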
Environment
- Red Hat Enterprise Linux 6
- openldap
- sssd