Author Topic: Roundcube LDAP addressbook / 389-DS / Let's Encrypt

Polle
Roundcube LDAP addressbook / 389-DS / Let's Encrypt
« on: February 16, 2018, 07:24:34 AM »
Hi
I'm having a problem connecting the RoundCube address book to my 389-DS LDAP server over SSL (port 636).
I first set up things non-encrypted (port 389) - works fine. Got all my addresses and groups, browsing ...
Then I installed a Let's Encrypt certificate on my 389-DS server. The certificate / certificate chain looks fine
on the LDAP server.
I opened an ssh session to my website account which is hosting the RoundCube webmail and tried:
openssl s_client -connect <my ldap server>:636 -showcerts </dev/null | more
and it returns the cert chain with at the end:
....
---
Server certificate
subject=/CN=<my LDAP server>
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Acceptable client certificate CA names
/O=Digital Signature Trust Co./CN=DST Root CA X3
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
---
SSL handshake has read 3607 bytes and written 661 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 2391A453F991235060AEAD242330F4EE3D647735A5B8E73F08C4B8041362D3A5
    Session-ID-ctx:
    Master-Key: 9A2225DFE6DA8822364ED3401F6F96D3F25D0E73C122DD449BDE504D93F61EFDF9C36A4CFB2642D00D9251E247DAC09A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1518783016
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
So all that is looking fine - but when I open the address book it's empty.
The RoundCube LDAP log shows:
[16-Feb-2018 05:47:04 -0600]: <59b69vl1> C: Connect [ldaps://<my LDAP server>:636]
[16-Feb-2018 05:47:04 -0600]: <59b69vl1> S: OK
[16-Feb-2018 05:47:04 -0600]: <59b69vl1> C: Bind [dn: cn=Directory Manager]
[16-Feb-2018 05:47:04 -0600]: <59b69vl1> S: Can't contact LDAP server
[16-Feb-2018 05:47:04 -0600]: <59b69vl1> C: Close


That doesn't say much, just that it is able to reach the server but can't bind/authenticate. In the LDAP server log:
[16/Feb/2018:12:47:04.601950788 +0100] conn=1040 fd=65 slot=65 SSL connection from <source IP>  to <ldap IP>
[16/Feb/2018:12:47:04.633176695 +0100] conn=1040 op=-1 fd=65 closed - Peer does not recognize and trust the CA that issued your certificate.


So it looks to me that RoundCube (the peer) is not trusting the CA although things seem to be OK if I check with openssl ...
Hope someone can shed a little light on this - I spent hours in searching - no luck so far ...
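One way to look at the gap between "openssl s_client says verify return code 0" and "the LDAP client says Can't contact LDAP server", as an added example that is not part of Polle's post and not code from Roundcube or 389-DS: Roundcube binds through PHP's ldap extension, which is a wrapper around libldap, and libldap takes its TLS trust settings from ldap.conf (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT) or the web server user's ~/.ldaprc, which need not be the store `openssl s_client` uses by default. The script below reads those directives from a given ldap.conf, opens a TLS connection to the LDAPS port with that CA bundle (then with OpenSSL's default one) and reports OpenSSL's own verification error instead of the generic libldap message. The host, port and ldap.conf path are command-line arguments; the embedded ldap.conf text is a constructed sample used only for the offline check, and the assumption that the client side is OpenLDAP's libldap is noted in the code.

```python
#!/usr/bin/env python3
"""Check an LDAPS endpoint with the trust anchors the LDAP client library uses.

Added example, not code from Roundcube or 389-DS.  Assumption: the webmail
host's PHP ldap extension is built on OpenLDAP's libldap, which reads
TLS_CACERT / TLS_CACERTDIR / TLS_REQCERT from ldap.conf (/etc/ldap/ldap.conf
on Debian-style systems, /etc/openldap/ldap.conf on RHEL-style ones) or from
~/.ldaprc of the user the web server runs as.
"""
import socket
import ssl
import sys

# Constructed sample of an ldap.conf; only used as offline test input.
SAMPLE_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed example)
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org:636

TLS_CACERT   /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT  demand
"""


def parse_ldap_conf(text):
    """Return ldap.conf directives as {KEYWORD: value} (ldap.conf(5) syntax:
    one directive per line, keyword then value, '#' starts a comment)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def candidate_cafiles(conf):
    """CA bundles to try: TLS_CACERT from ldap.conf first, then the bundle
    OpenSSL was compiled to use by default (what s_client falls back to)."""
    files = []
    if conf.get("TLS_CACERT"):
        files.append(conf["TLS_CACERT"])
    default = ssl.get_default_verify_paths().cafile
    if default and default not in files:
        files.append(default)
    return files


def verify_ldaps(host, port=636, cafile=None, require_cert=True, timeout=5.0):
    """Open a TLS connection to host:port and report the verification result.

    Returns {"ok": True, "protocol", "subject", "issuer"} on success, or
    {"ok": False, "error": <OpenSSL reason or connect error>} on failure.
    require_cert=False mirrors TLS_REQCERT never: the chain is not checked,
    which hides the problem rather than fixing it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not require_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when verification is off
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                }
    except ssl.SSLError as e:
        # SSLCertVerificationError carries OpenSSL's reason text, e.g.
        # "unable to get local issuer certificate" or "certificate has
        # expired": far more specific than libldap's "Can't contact LDAP server".
        return {"ok": False, "error": getattr(e, "verify_message", None) or str(e)}
    except OSError as e:
        return {"ok": False, "error": "connect: %s" % e}


def main(argv):
    if len(argv) < 2:
        print("usage: ldaps_trust_check.py HOST [PORT] [ldap.conf path]")
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 636
    conf_path = argv[3] if len(argv) > 3 else "/etc/ldap/ldap.conf"
    try:
        with open(conf_path) as f:
            conf = parse_ldap_conf(f.read())
    except OSError:
        conf = {}
    if conf.get("TLS_REQCERT", "demand").lower() == "never":
        print("warning: TLS_REQCERT never in %s: the chain is not checked" % conf_path)
    # Try the bundle libldap was told about, then OpenSSL's default one; if
    # only the second succeeds, the client and s_client trust different stores.
    for cafile in candidate_cafiles(conf) or [None]:
        print("cafile=%s -> %s" % (cafile, verify_ldaps(host, port, cafile=cafile)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the same user the web server runs as (so the same ldap.conf and ~/.ldaprc apply) with the LDAP server's host name and port. If the first line fails with "unable to get local issuer certificate" while the OpenSSL-default line succeeds, the bundle named by TLS_CACERT is the thing to fix; if both succeed, the client-side failure comes from somewhere other than the CA bundle.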