On 2024-02-21 09:45, Johnnie W Adams wrote:
> So I've got a very puzzling situation. Just today, when I look at
> sssd with systemctl status, I get this error: Could not start TLS
> encryption. error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (self signed certificate in certificate chain)
> However, when I run openssl s_client -showcerts
> -connect ldap.example.com:636, it shows
> a completely valid, not-self-signed certificate chain.
Technically, all TLS chains terminate in a self-signed cert. The only
question is whether or not any of those certs appear in your trust DB.
To be clear, if you run "openssl s_client -showcerts -connect
ldap.example.com:636 < /dev/null | grep ^Verify", you get "Verify return
code: 0 (ok)"?
If the CA is in your trust DB, then it's possible that the trust DB is
mis-labeled, since sssd runs in a confined domain, while openssl does
not. So, if you run "restorecon -rv /etc/pki", does that print any
output that indicates that it changed labels? If so, does that fix the
problem with sssd?
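The two checks the reply asks for, scripted as an added example (this is not code from either poster). It assumes the host ldap.example.com on port 636 and the default trust store under /etc/pki; both are placeholders to adjust. It uses `restorecon -n` (dry run) first so you can see which files would be relabeled before changing anything, and it parses the `Verify return code` line the same way the `grep ^Verify` in the reply does, mapping code 19 back to the "self signed certificate in certificate chain" text from the sssd error.

```shell
#!/bin/sh
# Added example: diagnose sssd's "certificate verify failed" against an LDAPS server.
# Assumed values (not from the thread): LDAP_HOST, LDAP_PORT, the /etc/pki trust store.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
LDAP_PORT="${LDAP_PORT:-636}"
PKI_DIR="${PKI_DIR:-/etc/pki}"

# Read openssl s_client output on stdin and print the numeric verify code.
# openssl prints "Verify return code: 0 (ok)" when the chain validates against
# the trust store; 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the error sssd logged.
verify_code_from_output() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Human-readable meaning for the codes relevant to this thread.
explain_verify_code() {
    case "$1" in
        0)  echo "chain validates against the system trust store" ;;
        19) echo "self signed certificate in certificate chain: the root is not in the trust store" ;;
        "") echo "no Verify line found: connection or handshake failed before verification" ;;
        *)  echo "verification failed with code $1 (see verify(1) for the meaning)" ;;
    esac
}

# Live check, exactly as in the reply: no -CAfile, so the system trust store is used.
check_server_chain() {
    openssl s_client -showcerts -connect "$LDAP_HOST:$LDAP_PORT" </dev/null 2>/dev/null \
        | verify_code_from_output
}

# Dry-run relabel of the trust store. -n changes nothing; -v lists every file whose
# SELinux label differs from the policy. Non-empty output means a confined sssd
# may be denied access to CA files that an unconfined openssl can read.
mislabeled_pki_files() {
    restorecon -nrv "$PKI_DIR" 2>/dev/null
}

diagnose() {
    code=$(check_server_chain)
    echo "openssl verify code: '${code}' ($(explain_verify_code "$code"))"
    bad=$(mislabeled_pki_files)
    if [ -n "$bad" ]; then
        echo "files under $PKI_DIR with wrong SELinux labels (fix with: restorecon -rv $PKI_DIR):"
        echo "$bad"
    else
        echo "no mislabeled files under $PKI_DIR"
    fi
}

# Constructed sample output (not captured from a real server) showing both parser outcomes.
SAMPLE_BAD='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify error:num=19:self signed certificate in certificate chain
---
Verify return code: 19 (self signed certificate in certificate chain)'

SAMPLE_OK='CONNECTED(00000003)
---
Verify return code: 0 (ok)'

# Only contact the server and touch restorecon when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    diagnose
fi
```

Run it with `--live` on the affected host as root (restorecon needs to read the labels). If openssl reports 0 but `restorecon -nrv` lists files, the labels rather than the chain are the problem, which is the case the reply is pointing at; if openssl itself reports 19, the CA is simply missing from the trust store that openssl reads, and sssd is telling the truth.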