Reputation: 466
We're experiencing an issue with openldap. It seems like 2 days ago the certificates expired. So new ones were generated. They look fine.
When I do an ldapsearch I get the following:
[root@xxx certs]# ldapsearch -H ldaps://xxx -D "cn=xxx,dc=xxx,dc=xxx" -W -b "ou=people,dc=xxx,dc=xxx" -d255 -v -x
ldap_url_parse_ext(ldaps://xxx)
ldap_initialize( ldaps://xxx:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://xxx:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xxx:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: loaded CA certificate file /etc/pki/tls/certs/xxx.pem.
tls_write: want=157, written=157
0000: 16 03 01 00 98 01 00 00 94 03 01 fd bf cb 8f 48 ...............H
0010: 0b ef 1e c6 6e f3 b6 50 87 74 9e 2e 21 74 2d b6 ....n..P.t..!t-.
0020: a2 e9 49 90 72 56 1a a8 58 54 24 00 00 54 c0 0a ..I.rV..XT$..T..
0030: c0 09 c0 13 c0 14 c0 08 c0 12 c0 07 c0 11 00 33 ...............3
0040: 00 32 00 45 00 44 00 39 00 38 00 88 00 87 00 16 .2.E.D.9.8......
0050: 00 13 00 66 c0 04 c0 0e c0 05 c0 0f c0 03 c0 0d ...f............
0060: c0 02 c0 0c 00 2f 00 41 00 35 00 84 00 96 00 0a ...../.A.5......
0070: 00 05 00 04 00 15 00 12 00 09 00 64 00 62 00 03 ...........d.b..
0080: 00 06 01 00 00 17 ff 01 00 01 00 00 0a 00 08 00 ................
0090: 06 00 17 00 18 00 19 00 0b 00 02 01 00 .............
tls_read: want=5, got=0
TLS: error: tlsm_PR_Recv returned 0 - error 22:Invalid argument
TLS: error: connect - force handshake failure: errno 22 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I believe the config to be correct. The cacert pem file stays the same, the cert and key pem files have been added in the same directory and slapd.conf and ldap.conf have been updated to point to those.
Not sure if using openssl s_client -connect should open an SSL connection or not. It seems like no SSL certificate is returned at all. I also tried changing the config back to the original (so the old certs are used) but that shows the same behavior (these are expired so that might explain it in that case). From what I've seen in the docs a valid server certificate is necessary.
Note that this is a sync ldap setup.
Debugging is cranked up to the maximum and the only thing that seems relevant is connection_read(13): TLS accept failure error=-1 id=1055, closing ... conn=1055 fd=13 closed (TLS negotiation failure)
Thanks in advance for any help on this!
Upvotes: 1
Views: 3247
Reputation: 466
So after spending too much time trying, then posting and then thinking: maybe there are other places where this certificate is configured.
I went into /etc/openldap and grepped for the occurrence of pem. There were also matches in slapd.d (I never worked with ldap before so I thought this was something you would configure in 1 config and not 5 different places with the same values). Edit all occurrences and restart slapd service... now works (after the caching is expired).
This is one of the worst error messages I've ever seen. And nothing specific to this in the logs either while debugging is on its max.
Hope it helps someone else!
Upvotes: 0
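The lesson in the answer above is that the TLS certificate paths live in several places (slapd.conf, the cn=config LDIF under slapd.d, and the client-side ldap.conf) and that a stale copy in one of them produces only a generic "TLS negotiation failure". The following script is an added example, not code from the poster or from the OpenLDAP project: it collects every TLS file directive from the three config formats, reports which role (CA, certificate, key) points at more than one distinct file, and optionally asks openssl whether a referenced certificate is already expired. The file names and paths in SAMPLE_CONFIGS are constructed for the demonstration; the real directive names (TLSCertificateFile, olcTLSCertificateFile, TLS_CACERT and so on) are the ones OpenLDAP uses.

```python
import re
import subprocess
from collections import defaultdict

# Directive spellings in the three config formats, mapped to a common role.
ROLE_BY_DIRECTIVE = {
    # slapd.conf (server, flat file)
    "tlscacertificatefile": "ca",
    "tlscertificatefile": "cert",
    "tlscertificatekeyfile": "key",
    # cn=config LDIF under slapd.d/ (server, dynamic config)
    "olctlscacertificatefile": "ca",
    "olctlscertificatefile": "cert",
    "olctlscertificatekeyfile": "key",
    # ldap.conf (client side: ldapsearch, syncrepl consumers)
    "tls_cacert": "ca",
    "tls_cert": "cert",
    "tls_key": "key",
}

# Matches both "Directive value" (slapd.conf, ldap.conf) and
# "olcDirective: value" (LDIF) lines.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+):?\s+(\S+)")

# Constructed sample configs: the server-side files disagree on the cert/key.
SAMPLE_CONFIGS = {
    "slapd.conf": (
        "# constructed sample\n"
        "TLSCACertificateFile /etc/pki/tls/certs/ca.pem\n"
        "TLSCertificateFile /etc/openldap/certs/server-new.pem\n"
        "TLSCertificateKeyFile /etc/openldap/certs/server-new.key\n"
    ),
    "slapd.d/cn=config.ldif": (
        "dn: cn=config\n"
        "objectClass: olcGlobal\n"
        "cn: config\n"
        "olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem\n"
        "olcTLSCertificateFile: /etc/openldap/certs/server-old.pem\n"
        "olcTLSCertificateKeyFile: /etc/openldap/certs/server-old.key\n"
    ),
    "ldap.conf": (
        "URI ldaps://ldap.example.invalid\n"
        "TLS_CACERT /etc/pki/tls/certs/ca.pem\n"
    ),
}


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def collect_tls_paths(configs):
    """configs: {filename: text}. Returns {role: {path: [filenames]}}."""
    found = defaultdict(lambda: defaultdict(list))
    for fname, text in configs.items():
        for line in unfold_ldif(text):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue
            role = ROLE_BY_DIRECTIVE.get(m.group(1).lower())
            if role is None:
                continue
            found[role][m.group(2).strip('"')].append(fname)
    return {role: dict(paths) for role, paths in found.items()}


def find_mismatches(found):
    """Roles whose directives point at more than one distinct file."""
    return {role: paths for role, paths in found.items() if len(paths) > 1}


def cert_expired(path):
    """True if openssl reports the PEM certificate at `path` as already expired.

    'openssl x509 -checkend 0' exits 0 if the cert is still valid and 1 if
    it expires within 0 seconds, i.e. now. Not exercised on the sample paths.
    """
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-checkend", "0", "-in", path],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode != 0


if __name__ == "__main__":
    for role, paths in find_mismatches(collect_tls_paths(SAMPLE_CONFIGS)).items():
        print(f"{role}: {len(paths)} distinct files referenced")
        for path, files in paths.items():
            print(f"  {path}  <- {', '.join(files)}")
```

Run against real files by reading /etc/openldap/slapd.conf, every .ldif under /etc/openldap/slapd.d and /etc/openldap/ldap.conf into the dict. Note that when a slapd.d directory exists slapd reads cn=config from it and ignores slapd.conf, so a freshly edited slapd.conf changes nothing until the olcTLS* attributes are updated too, which is exactly the situation the answer describes.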