You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The intermediate cert on our private PKI expired and had to be replaced on our domain controllers. The domain controllers properly show the new intermediate CA being presented on an openssl s_client connection on a Linux system which trusts the root CA and the [expired] .
However an ldaps connection established on that Linux server with
ldapobject = ldap.initialize(config['url'])
# Set LDAP options for better debugging
ldapobject.set_option(ldap.OPT_REFERRALS, 0)
ldapobject.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
# Attempt bind
ldapobject.simple_bind_s(config['bind_dn'], config['bind_password'])
fails with an error that the certificate chain is not valid.
So it is checking the locally trusted but expired Intermediate CA certificate instead of using the valid Intermediate certificate provided by the ldaps server.
The intermediate cert on our private PKI expired and had to be replaced on our domain controllers. The domain controllers properly show the new intermediate CA being presented on an openssl s_client connection on a Linux system which trusts the root CA and the [expired] .
However an ldaps connection established on that Linux server with
fails with an error that the certificate chain is not valid.
{'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (certificate has expired)'}
So it is checking the locally trusted but expired Intermediate CA certificate instead of using the valid Intermediate certificate provided by the ldaps server.