ldapsearch fails with error "Peer's certificate issuer has been marked as not trusted by the user"

Solution Verified

Issue

  • When trying to execute ldapsearch, we get the following error:
    [root@server ~]# ldapsearch -x -H ldaps://host.example.com -b "dc=example,dc=org" -d 1
    ldap_url_parse_ext(ldaps://host.example.com)
    ldap_create
    ldap_url_parse_ext(ldaps://host.example.com:636/??base)
    ....
    ldap_connect_to_host: TCP host.example.com:636
    ldap_connect_to_host: Trying 10.80.1.201:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    TLS: loaded CA certificate file /etc/pki/tls/certs/slapd.crt.
    TLS: certificate [CN=host.example.com,OU=FOO,O=Internal CA,L=test,ST=GE,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
    TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
  • SSSD fails to connect to the LDAP server with the following error:
    sssd[be[default]]: Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
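As an added diagnostic aid (not part of this article), a small Python helper: one function parses `ldapsearch -d 1` output like the above to pull out which CA file was loaded, which server certificate was rejected and which MozNSS error code was raised, and a second function opens a TLS connection to the LDAPS port with the same CA file so the trust failure can be reproduced and reported outside ldapsearch. The NSS error names beyond -8172 come from NSS's secerr.h; `host`, `port` and `cafile` are caller-supplied parameters, and the embedded sample output is constructed from the lines shown above.

```python
import re
import socket
import ssl
from typing import Dict, Optional

# MozNSS error codes as printed by OpenLDAP's "-d 1" debug output (names from NSS secerr.h).
NSS_ERRORS = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER: the CA that signed the server certificate is not in the loaded CA file",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER: no certificate for the issuer of the server certificate was found",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE: the server certificate has expired",
}

CA_RE = re.compile(r"TLS: loaded CA certificate file (?P<path>\S+?)\.?$")
CERT_RE = re.compile(r"TLS: certificate \[(?P<subject>[^\]]+)\] is not valid - error (?P<code>-?\d+):")

# Constructed sample, taken from the debug output quoted in the Issue section above.
SAMPLE_DEBUG_OUTPUT = """\
TLS: loaded CA certificate file /etc/pki/tls/certs/slapd.crt.
TLS: certificate [CN=host.example.com,OU=FOO,O=Internal CA,L=test,ST=GE,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
"""


def diagnose_debug_output(text: str) -> Dict[str, Optional[object]]:
    """Extract the loaded CA file, the rejected subject DN and the NSS error from ldapsearch -d 1 output."""
    result: Dict[str, Optional[object]] = {"ca_file": None, "subject": None, "error_code": None, "error_name": None}
    for line in text.splitlines():
        m = CA_RE.search(line)
        if m:
            result["ca_file"] = m.group("path")
        m = CERT_RE.search(line)
        if m:
            code = int(m.group("code"))
            result["subject"] = m.group("subject")
            result["error_code"] = code
            result["error_name"] = NSS_ERRORS.get(code, "unknown NSS error code")
    return result


def check_ldaps_trust(host: str, port: int, cafile: str) -> Dict[str, str]:
    """Open a verified TLS connection with the given CA file and report whether the server chain is trusted."""
    ctx = ssl.create_default_context(cafile=cafile)  # only this CA file, like TLS_CACERT in ldap.conf
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "trusted", "issuer": str(cert.get("issuer"))}
    except ssl.SSLCertVerificationError as exc:  # chain rejected: same class of failure as NSS -8172
        return {"status": "untrusted", "reason": exc.verify_message}
```

If `check_ldaps_trust` reports `untrusted` with an issuer-related reason, the CA file named by `diagnose_debug_output` does not contain the CA that issued the server certificate (or its chain), which is the condition behind error -8172.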

Environment

  • Red Hat Enterprise Linux 6
  • openldap
  • sssd
