Certificate problem connecting to AD

Please help with this problem:

: tail -f /var/log/univention/connector-ad-status.log
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (EE certificate key too weak)'}

This error prevents only one user from logging into Kopano WebApp. Logging into the Univention Portal works.
I have checked all certificates in use for weak ciphers and found no issue.
Any hints?

I found that the AD certificate exported from AD failed verification with openssl.

openssl verify $(ucr get connector/ad/ldap/certificate)

CN = IBMMN-MMN20161-CA
error 18 at 0 depth lookup: self signed certificate
error /etc/univention/connector/ad/ad_cert_20230810_081926.pem: verification failed

Here is an excerpt from the certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
41:99:f0:aa:d0:98:fe:96:48:6d:55:52:24:e5:f4:a5
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = IBMMN-MMN20161-CA
Validity
Not Before: Jan 15 07:40:26 2017 GMT
Not After : Jan 7 07:40:26 2057 GMT
Subject: CN = IBMMN-MMN20161-CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:

Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
34:C4:1A:AC:8D:DA:67:CB:DC:2C:60:56:68:01:06:2E:79:17:EB:99
Signature Algorithm: sha256WithRSAEncryption

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

I don't know what is wrong with the certificate.

Hey WSchanz,

the solution is mentioned in this article: Problem: AD-Connector doesn't start due to SSL problems

Best regards
Jan-Luca

Many thanks for this tip! I had to renew the self-signed CA certificate in AD after changing the certificate template.
It works again now.
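The two openssl messages in this thread come from different checks, and the following script, an added example that is not code from the thread, from Univention or from Kopano, reproduces both with constructed certificates. `error 18 ... self signed certificate` is what `openssl verify` always reports for a self-signed CA that it has not been told to trust; it says nothing about key strength. `EE certificate key too weak` is raised by the end-entity key check that a TLS client applies at OpenSSL security level 2 (the Debian default, `CipherString = DEFAULT@SECLEVEL=2`), which the client maps onto X.509 authentication level 2, so `openssl verify -auth_level 2` runs the same policy offline. The CA excerpt posted above (2048-bit RSA, SHA-256) passes that policy; the script assumes, as the thread does not show it, that the rejected certificate was the DC's LDAP server certificate issued from the old template with a 1024-bit key. The names Test-CA and dc01.example.test are made up, and the only dependency is the openssl CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from the thread. Builds a self-signed CA with the same
# parameters as the posted one (RSA 2048, SHA-256), issues two leaf certs from
# it, and runs them through the level-2 key-strength check that a TLS client at
# SECLEVEL=2 applies. Names are invented; requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: 2048-bit RSA, SHA-256, CA:TRUE, keyCertSign.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Test-CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 365 \
    -extfile ca.ext -out ca.pem >/dev/null 2>&1

# issue_leaf NAME BITS: a server (end-entity) certificate for the DC, signed by Test-CA.
issue_leaf() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=dc01.example.test" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}
issue_leaf weak_key 1024   # assumed: what the old template issued to the DC
issue_leaf renewed  2048   # what a renewed template should produce

# key_bits CERT: RSA modulus size in bits, the number the level-2 policy compares.
key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# verify_reason [openssl verify options] CERT: prints "OK" or the first
# "lookup:" failure reason. OpenSSL 3 spells error 18 "self-signed certificate";
# it is normalised to the 1.1.1 spelling used in the thread.
verify_reason() {
    out=$(openssl verify "$@" 2>&1 || true)
    reason=$(printf '%s\n' "$out" \
        | sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: //p' | head -n 1)
    if [ -n "$reason" ]; then
        printf '%s\n' "$reason" | sed 's/self-signed/self signed/'
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        printf '%s\n' "$out"
    fi
}

# 1. The thread's first check: a self-signed CA verified without -CAfile is
#    always error 18, regardless of its key size.
echo "ca.pem without -CAfile:  $(verify_reason ca.pem)"
echo "ca.pem with -CAfile:     $(verify_reason -CAfile ca.pem ca.pem)"
# 2. The leaf is where the TLS error came from: same policy the connector hit.
for leaf in weak_key renewed; do
    echo "$leaf.pem ($(key_bits "$leaf.pem") bit): $(verify_reason -auth_level 2 -CAfile ca.pem "$leaf.pem")"
done
```

To run the same check against a real domain controller, capture the chain it presents with `openssl s_client -connect <dc>:636 -showcerts </dev/null`, save the first certificate of the output as the leaf, and call `verify_reason -auth_level 2 -CAfile "$(ucr get connector/ad/ldap/certificate)" leaf.pem`; the same authentication level also rejects a SHA-1 signature on the leaf with `CA signature digest algorithm too weak`, so both the key size and the digest of the template matter.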
