Error 1416f086 ssl routines


jimmyp82

OpenVpn Newbie
Posts: 3
Joined: Wed Jun 30, 2021 10:44 am

OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed

Hello

New to this forum and very new to openvpn. I have inherited a setup so am trying to get my head around it. We have a user which is having an issue connecting. Below is the log from the user.

Prior to this he was getting a different error about the certificate having expired.

I found that the client cert was still valid however the ca.crt and the gateway.crt on the server were both out of date. I used this command —


openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key

to sign a new ca.crt and a gateway.crt which I replaced, ie renamed the old crt and put the new ca.crt in place. I also sent the user the updated ca.crt.

After having done that however the user now gets the error below —


Wed Jun 30 11:30:07 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Wed Jun 30 11:30:07 2021 MANAGEMENT: >STATE:1625045407,RESOLVE,,,,,,
Wed Jun 30 11:30:07 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXXXXXXXX:XXXX
Wed Jun 30 11:30:07 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jun 30 11:30:07 2021 Attempting to establish TCP connection with [AF_INET]XXXXXXXXX:XXXX [nonblock]
Wed Jun 30 11:30:07 2021 MANAGEMENT: >STATE:1625045407,TCP_CONNECT,,,,,,
Wed Jun 30 11:30:08 2021 TCP connection established with [AF_INET]XXXXXXXXX:XXXX
Wed Jun 30 11:30:08 2021 TCP_CLIENT link local: (not bound)
Wed Jun 30 11:30:08 2021 TCP_CLIENT link remote: [AF_INET]XXXXXXXXX:XXXX
Wed Jun 30 11:30:08 2021 MANAGEMENT: >STATE:1625045408,WAIT,,,,,,
Wed Jun 30 11:30:09 2021 MANAGEMENT: >STATE:1625045409,AUTH,,,,,,
Wed Jun 30 11:30:09 2021 TLS: Initial packet from [AF_INET]XXXXXXXXX:XXXX, sid=4b062365 dc720dc0
Wed Jun 30 11:30:09 2021 VERIFY OK: depth=1, C=UK, ST=UK, L=London, O=XXXXXXXXX, CN=gateway, emailAddress=XXXXXXXXX
Wed Jun 30 11:30:09 2021 VERIFY ERROR: depth=0, error=certificate signature failure: C=UK, ST=UK, L=London, O=XXXXXXX, CN=gateway, emailAddress=XXXXXXXXXXX
Wed Jun 30 11:30:09 2021 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Wed Jun 30 11:30:09 2021 TLS_ERROR: BIO read tls_read_plaintext error
Wed Jun 30 11:30:09 2021 TLS Error: TLS object -> incoming plaintext read error
Wed Jun 30 11:30:09 2021 TLS Error: TLS handshake failed
Wed Jun 30 11:30:09 2021 Fatal TLS error (check_tls_errors_co), restarting
Wed Jun 30 11:30:09 2021 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 30 11:30:09 2021 MANAGEMENT: >STATE:1625045409,RECONNECTING,tls-error,,,,,
Wed Jun 30 11:30:09 2021 Restart pause, 5 second(s)

Any help much appreciated!

Thanks
James



jimmyp82

OpenVpn Newbie
Posts: 3
Joined: Wed Jun 30, 2021 10:44 am

Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed


by jimmyp82 » Thu Jul 01, 2021 8:48 am

Hello

Thanks for the reply!

So you mean everything has to be recreated again, ie CA and gateway and client crts and the keys as well?

Thanks


300000

OpenVPN Expert
Posts: 688
Joined: Tue May 01, 2012 9:30 pm

Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed


by 300000 » Thu Jul 01, 2021 10:58 am

If you create a new CA key, then you need to create a new client key too. Nothing you can do, or there is nothing about renewing a certificate. What do you expect now? Do it again in 10 years' time, then do it again. Every 10 years you need to do this.



openvpn_inc

OpenVPN Inc.
Posts: 1137
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed


by openvpn_inc » Thu Jul 01, 2021 3:36 pm

300000 wrote: ↑

Thu Jul 01, 2021 10:58 am


If you create a new CA key, then you need to create a new client key too. Nothing you can do, or there is nothing about renewing a certificate. What do you expect now? Do it again in 10 years' time, then do it again. Every 10 years you need to do this.

10 years is just long enough to forget how to do it. :)

Strictly speaking, a new CA certificate means you need a new set of certificates, not keys. Existing keys (CA, server and clients) can generate new CSRs (certificate signing requests) to be signed by the CA and create the new certificates.

If the CA is creating the keys for the users, this distinction might not be important to you. But when my own 10-year CA cert expired I kept the same keys.

Regards, rob0

OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
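
Added example, not part of any poster's message: the script below builds a throwaway CA and gateway certificate, then contrasts running the first post's -signkey command on a leaf certificate with the CSR route described above, which keeps the existing keys. File names, subjects and lifetimes are constructed for the demo, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: throwaway PKI in a temp dir. File names, subjects and
# lifetimes are constructed for the demo, not taken from the thread.
set -eu

# $1 = dir. Creates CA key + self-signed CA cert, gateway key + CA-signed cert.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=gateway" \
        -keyout "$1/gateway.key" -out "$1/gateway.csr" 2>/dev/null
    openssl x509 -req -in "$1/gateway.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days 30 -out "$1/gateway.crt" 2>/dev/null
}

# The command from the first post: re-self-sign the CA cert with its own key.
# A root CA is self-signed anyway, so this yields a usable CA certificate.
renew_ca_same_key() {
    openssl x509 -in "$1/ca.crt" -signkey "$1/ca.key" -days 3650 \
        -out "$1/ca_new.crt" 2>/dev/null
}

# The same command on a leaf: -signkey self-signs, so the result is signed by
# the gateway's own key and no longer carries a signature from the CA.
selfsign_leaf() {
    openssl x509 -in "$1/gateway.crt" -signkey "$1/gateway.key" -days 3650 \
        -out "$1/gateway_selfsigned.crt" 2>/dev/null
}

# The CSR route: new request from the existing gateway key, signed by the CA.
reissue_leaf() {
    openssl req -new -key "$1/gateway.key" -subj "/O=Example/CN=gateway" \
        -out "$1/gateway_new.csr" 2>/dev/null
    openssl x509 -req -in "$1/gateway_new.csr" -CA "$1/ca_new.crt" \
        -CAkey "$1/ca.key" -set_serial 2 -days 3650 \
        -out "$1/gateway_new.crt" 2>/dev/null
}

# $1 = CA cert, $2 = cert. Exit status 0 only if $2 verifies against $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Prints the public key of certificate $1 (to show that the key pair is kept).
pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }

d=$(mktemp -d)
make_pki "$d"; renew_ca_same_key "$d"; selfsign_leaf "$d"; reissue_leaf "$d"
for c in gateway_selfsigned.crt gateway_new.crt; do
    if chains_to "$d/ca_new.crt" "$d/$c"; then
        echo "$c: verifies against ca_new.crt"
    else
        echo "$c: does NOT verify against ca_new.crt"
    fi
done
rm -rf "$d"
```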


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed


by TinCanTech » Thu Jul 01, 2021 4:46 pm

openvpn_inc wrote: ↑

Thu Jul 01, 2021 3:36 pm


when my own 10-year CA cert expired I kept the same keys

That is fine for you but is probably not a good idea for most average users.

It is not documented by any openvpn articles that I’ve seen and even Easy-RSA does not have anything solid to follow ..


jimmyp82

OpenVpn Newbie
Posts: 3
Joined: Wed Jun 30, 2021 10:44 am

Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed


by jimmyp82 » Fri Jul 02, 2021 12:05 pm

Hello

I got a bit further, now testing with a new client I have set up on a laptop however getting this —

Fri Jul 02 04:59:12 2021 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,RESOLVE,,,,,,
Fri Jul 02 04:59:12 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 04:59:12 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 04:59:12 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,TCP_CONNECT,,,,,,
Fri Jul 02 05:01:13 2021 TCP: connect to [AF_INET]XXX.XXX.XXX.XX1194 failed: Unknown error
Fri Jul 02 05:01:13 2021 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Fri Jul 02 05:01:13 2021 MANAGEMENT: >STATE:1625227273,RECONNECTING,init_instance,,,,,
Fri Jul 02 05:01:13 2021 Restart pause, 5 second(s)
Fri Jul 02 05:01:18 2021 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Fri Jul 02 05:01:18 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 05:01:18 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 05:01:18 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 05:01:18 2021 MANAGEMENT: >STATE:1625227278,TCP_CONNECT,,,,,,



openvpn_inc

OpenVPN Inc.
Posts: 1137
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed


by openvpn_inc » Sat Jul 03, 2021 1:19 pm

jimmyp82 wrote: ↑

Fri Jul 02, 2021 12:05 pm


Hello

I got a bit further, now testing with a new client I have set up on a laptop however getting this —

Fri Jul 02 04:59:12 2021 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

Fix this, that should be easy enough to do, see the manual and look for "--remote-cert-tls".

jimmyp82 wrote: ↑

Fri Jul 02, 2021 12:05 pm


Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,RESOLVE,,,,,,
Fri Jul 02 04:59:12 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 04:59:12 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 04:59:12 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,TCP_CONNECT,,,,,,
Fri Jul 02 05:01:13 2021 TCP: connect to [AF_INET]XXX.XXX.XXX.XX1194 failed: Unknown error

Here you have a TCP connection failing for an unknown reason. It’s unfortunate that more information could not be logged, but openvpn simply could not determine the actual failure. If the connection is not established, the problem almost surely lies outside of openvpn.

Our IRC channel /topic says, "The problem is your firewall, really." That’s the chief suspect here, and note that it could be a firewall anywhere along the way between (or on) client and server. Look at other tools like tcpdump(1) to see more about what the problem might be. Your nc(1) or netcat(1) utility can help you test.

I should add, TCP is generally not recommended for openvpn. It should normally only be used when getting through silly firewalls that you don’t control. Packet loss of a TCP stream inside another TCP stream rapidly snowballs into more and more packets being repeated at both levels. UDP is ideal for things like this.

I hope this helps, good luck. Regards, rob0



My composer.json:

Output of composer diagnose:

When I run this command:
composer diagnose

I get the following output:
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] The "https://api.github.com/rate_limit" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint:
Dev Public Key Fingerprint:
OK
Checking composer version: OK
Composer version: 1.9.0
PHP version: 7.3.8
PHP binary path: C:\xampp\php\php.exe

And I expected this to happen:

Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] The "https://api.github.com/rate_limit" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed



/** Centos 7 **/

Hello everyone.

Configuration, /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-crypt /etc/openvpn/myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
remote-cert-eku "TLS Web Client Authentication"

Starting the VPN server:

[root@201197 ~]# openvpn /etc/openvpn/server.conf
Fri Apr  5 17:45:14 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Fri Apr  5 17:45:14 2019 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Fri Apr  5 17:45:14 2019 Diffie-Hellman initialized with 2048 bit key
Fri Apr  5 17:45:14 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  5 17:45:14 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  5 17:45:14 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Apr  5 17:45:14 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Apr  5 17:45:14 2019 TUN/TAP device tun0 opened
Fri Apr  5 17:45:14 2019 TUN/TAP TX queue length set to 100
Fri Apr  5 17:45:14 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Apr  5 17:45:14 2019 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Apr  5 17:45:14 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Apr  5 17:45:14 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Apr  5 17:45:14 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Apr  5 17:45:14 2019 UDPv4 link remote: [AF_UNSPEC]
Fri Apr  5 17:45:14 2019 GID set to nobody
Fri Apr  5 17:45:14 2019 UID set to nobody
Fri Apr  5 17:45:14 2019 MULTI: multi_init called, r=256 v=256
Fri Apr  5 17:45:14 2019 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Apr  5 17:45:14 2019 IFCONFIG POOL LIST
Fri Apr  5 17:45:14 2019 Initialization Sequence Completed

It hangs for about 5 minutes, and then:

Fri Apr  5 17:49:22 2019 188.170.175.91:3712 TLS: Initial packet from [AF_INET]188.170.175.91:3712, sid=a6471a08 704d2771
Fri Apr  5 17:49:28 2019 188.170.175.91:3712 TLS: new session incoming connection from [AF_INET]188.170.175.91:3712
Fri Apr  5 17:49:33 2019 188.170.175.91:3712 TLS: new session incoming connection from [AF_INET]188.170.175.91:3712

When trying to connect from the client (Windows 10, run with Administrator rights), the log shows:

Fri Apr 05 17:49:22 2019 NOTE: --user option is not implemented on Windows
Fri Apr 05 17:49:22 2019 NOTE: --group option is not implemented on Windows
Fri Apr 05 17:49:22 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
Fri Apr 05 17:49:22 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Apr 05 17:49:22 2019 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
Enter Management Password:
Fri Apr 05 17:49:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]89.223.27.230:1194
Fri Apr 05 17:49:22 2019 UDP link local (bound): [AF_INET][undef]:1194
Fri Apr 05 17:49:22 2019 UDP link remote: [AF_INET]89.223.27.230:1194
Fri Apr 05 17:49:23 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Apr 05 17:49:23 2019 TLS_ERROR: BIO read tls_read_plaintext error
Fri Apr 05 17:49:23 2019 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 05 17:49:23 2019 TLS Error: TLS handshake failed
Fri Apr 05 17:49:23 2019 SIGUSR1[soft,tls-error] received, process restarting
Fri Apr 05 17:49:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]89.223.27.230:1194

Could you please tell me what the problem might be?

Steps

  • How to retrieve the CA root certificate from an LDAP server 
  • How to run the test using ldapsearch utility

The ldapsearch client is included in the openldap-clients package. If it is not already installed on your server, use the following command to install it:

Red Hat Enterprise Linux (RHEL)

 yum install openldap-clients -y 

For Ubuntu 

Retrieving the SSL certificate: 

* You may have the option of requesting a copy of the LDAP’s root signing certificate directly from the LDAP administrator. If you obtain the certificate that way, skip this section. 

* You can retrieve the  LDAP’s root signing certificate using the openssl s_client, which is described in this section 

 Using the -showcerts option of s_client we can show all certificates the LDAP server sends during a handshake, including the issuing and intermediate certificates:

 

The following command splits the certificates the server sends into multiple certificate files. Replace the LDAP server:port and the name of the output file.

openssl s_client -showcerts -verify 5 -connect bluepages.ibm.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}' 

verify depth is 5
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
verify return:1
depth=0 C = US, ST = New York, L = Armonk, O = INTERNATIONAL BUSINESS MACHINES CORPORATION, CN = bluepages.ibm.com
verify return:1
DONE
 

You will find multiple .pem files in the current directory. 

ls -l

-rw-r--r-- 1 root root 2508 Dec 14 17:13 bluePage-cert1.pem
-rw-r--r-- 1 root root 1639 Dec 14 17:13 bluePage-cert2.pem
-rw-r--r-- 1 root root 1294 Dec 14 17:13 bluePage-cert3.pem

Verify and find the root ca certificate file to use for the ldapsearch to connect to the LDAP server.  

 

for cert in *.pem; do openssl verify -show_chain "$cert"; done

C = US, ST = New York, L = Armonk, O = INTERNATIONAL BUSINESS MACHINES CORPORATION, CN = bluepages.ibm.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error bluePage-cert1.pem: verification failed

bluePage-cert2.pem: OK
Chain:
depth=0: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1 (untrusted)
depth=1: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

bluePage-cert3.pem: OK
Chain:
depth=0: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

In the above example, bluePage-cert3.pem contains the "DigiCert Global Root G2" certificate. Find the root CA for your LDAP server; it will typically be the final certificate in the chain presented by the LDAP server.

Configure the ldapsearch client to use the cert you created: 

The "/etc/openldap/ldap.conf" configuration file is used for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, and so on.

 
Add the certificate filename, including the full path, to the ldap.conf file. You can use the TLS_CACERT or TLS_CACERTDIR directive.

The TLS_CACERT directive specifies a file containing certificates for all of the Certificate Authorities the client will recognize.  ( TLS_CACERT      /etc/openldap/certs/bluePage-cert3.pem )
The TLS_CACERTDIR directive specifies the path of a directory that contains Certificate Authority certificates in separate individual files.  ( TLS_CACERTDIR  /etc/ssl/certs )

The TLS_CACERT is always used before TLS_CACERTDIR.

For the connection test, use the TLS_CACERT directive and add the full path of the CA certificate:

 

vi /etc/openldap/ldap.conf

…..

TLS_CACERT      /etc/openldap/certs/bluePage-cert3.pem
 …..

 


Test the certificate using the ldapsearch command 

ldapsearch -H  ldaps://bluepages.ibm.com:636 -d 1 -b o=ibm.com -D ""  -s base "(&(emailAddress=%v)(objectclass=ePerson))"

   Where  -H URI     LDAP Uniform Resource Identifier(s)
          -d level   set LDAP debugging level to `level’
          -b basedn  base dn for search
          -D binddn  bind DN
          -s scope   search scope one of base, one, sub or children

          

If the correct certificate has been added to the ldap.conf file, the output will be `result: 0 Success`:

ldapsearch -H  ldaps://bluepages.ibm.com:636 -b o=ibm.com -D ""  -s base "(&(emailAddress=%v)(objectclass=ePerson))"

# extended LDIF
# LDAPv3
# base <o=ibm.com> with scope baseObject
# filter: (&(emailAddress=%v)(objectclass=ePerson))
# requesting: ALL

# search result

search: 2
result: 0 Success

# numResponses: 1

If you use the wrong certificate, the output will be:

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

You can use the "-d 1" option to debug the ldapsearch connection and certificate issues:

ldapsearch -d 1 -H  ldaps://bluepages.ibm.com:636  -b o=ibm.com -D ""  -s base "(&(emailAddress=%v)(objectclass=ePerson))"

Output for debug level 1:

 
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636)
ldap_create
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP bluepages.ibm.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.57.182.78:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2, issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can’t connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
