LDAP Cert update fails


#1

Hi,
We are facing an issue with the LDAP cert update. ownCloud fails to use the updated LDAP certs and still alerts that the certs are expired.
What we already did:

  1. Put certs into /etc/pki/ca-trust/source/anchors/ and /etc/openldap/certs
  2. Ran update-ca-trust extract
  3. Restarted apache server
  4. ldap.conf looks like
    TLS_CACERTDIR /etc/openldap/certs
    TLS_CACERT /etc/openldap/certs/ldapscert.pem
    SASL_NOCANON on

The certs are fine; on other services ldaps works as expected, and the openssl check returns OK:
# openssl verify -verbose /etc/openldap/certs/full_cert.pem
/etc/openldap/certs/full_cert.pem: OK
# openssl x509 -enddate -noout -in full_cert.pem
notAfter=Aug 22 12:00:00 2019 GMT

But the connection to the ldap server fails as:
# openssl s_client -connect ldap.service:636
CONNECTED(00000003)
depth=2 C = BM, O = nnn, CN = Trust Anchor Root CA G2
verify return:1
depth=1 C = xx, O = yy, CN = Devices Sub CA V5 G2
verify return:1
depth=0 C = xx, O = yy, CN = ldap.service
verify error:num=10:certificate has expired
notAfter=Sep 6 12:06:00 2018 GMT
verify return:1
depth=0 C = xx, O = yy, CN = ldap.service
notAfter=Sep 6 12:06:00 2018 GMT
verify return:1

Is there a way to force ownCloud to use the updated certs?
Thank you in advance.


#2

Hey,

if this call is already reporting the expired certificate:

[quote=“viktorijab, post:1, topic:16142”]openssl s_client -connect ldap.service:636

verify error:num=10:certificate has expired
[/quote]

then I'm not sure how much you can do here from the ownCloud side?
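The reasoning in this reply can be turned into a small check that an operator can run against text they already have. The Python below is an added example, not code from either post or from ownCloud: it reads the `openssl s_client` output and the `notAfter` of the local PEM, and says whether the trust store (client) or the LDAP service itself (server) has to change. The error-code grouping follows OpenSSL's X509_V_ERR_* numbers; the sample output is reconstructed from post #1, and the `NOW` date is an assumed observation time.

```python
import re
from datetime import datetime, timezone

# OpenSSL verify error numbers, grouped by which side has to act.
CLIENT_SIDE = {19: "self-signed certificate in chain",
               20: "unable to get local issuer certificate",
               21: "unable to verify the first certificate"}
SERVER_SIDE = {9: "certificate is not yet valid",
               10: "certificate has expired",
               18: "depth-zero self-signed certificate"}

_DEPTH = re.compile(r"^depth=(\d+) ")
_ERR = re.compile(r"^verify error:num=(\d+):")
_NOT_AFTER = re.compile(r"^notAfter=(.+)$")


def parse_not_after(value):
    """'Sep 6 12:06:00 2018 GMT' -> aware UTC datetime (GMT/UTC input only)."""
    value = re.sub(r"\s+(GMT|UTC)$", "", value.strip())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def diagnose(s_client_output, local_not_after, now):
    """Return errors seen, the leaf notAfter sent by the server, and the side to fix."""
    errors, depth, leaf_not_after = set(), None, None
    for line in s_client_output.splitlines():
        line = line.strip()
        if m := _DEPTH.match(line):
            depth = int(m.group(1))  # later notAfter lines belong to this depth
        elif m := _ERR.match(line):
            errors.add(int(m.group(1)))
        elif (m := _NOT_AFTER.match(line)) and depth == 0 and leaf_not_after is None:
            leaf_not_after = parse_not_after(m.group(1))
    local = parse_not_after(local_not_after)
    result = {"errors": sorted(errors), "leaf_not_after": leaf_not_after}
    if errors & set(SERVER_SIDE) or (leaf_not_after and leaf_not_after < now):
        # The server is still sending the old leaf; no client trust-store change helps.
        result["side"] = "server"
        result["reason"] = ("server presents a leaf valid until %s, local PEM is valid "
                            "until %s: the service needs the new cert" % (leaf_not_after, local))
    elif errors & set(CLIENT_SIDE):
        result["side"] = "client"
        result["reason"] = "chain does not reach a trusted anchor: check TLS_CACERT/TLS_CACERTDIR"
    else:
        result["side"] = "none"
        result["reason"] = "no verify error"
    return result


# Constructed sample: the s_client output from post #1 and the local file's notAfter.
SAMPLE = """CONNECTED(00000003)
depth=2 C = BM, O = nnn, CN = Trust Anchor Root CA G2
verify return:1
depth=1 C = xx, O = yy, CN = Devices Sub CA V5 G2
verify return:1
depth=0 C = xx, O = yy, CN = ldap.service
verify error:num=10:certificate has expired
notAfter=Sep 6 12:06:00 2018 GMT
verify return:1
"""
LOCAL_NOT_AFTER = "Aug 22 12:00:00 2019 GMT"
NOW = datetime(2018, 9, 10, tzinfo=timezone.utc)  # assumed observation time

if __name__ == "__main__":
    print(diagnose(SAMPLE, LOCAL_NOT_AFTER, NOW))
```

The verdict for the thread's output is "server": the leaf on the wire expires in 2018 while the local PEM runs to 2019, so the LDAP service itself is still serving the old certificate.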