CA root certificate is ignored

Hello,

I am trying to set up a certificate check with the LDAP server. I have grabbed the CA certificate and checked that the TLS connection is fine with:
openssl s_client -connect ldap.server.corp:636 -state -CAfile /etc/ssl/certs/cafile.pem

Following the documentation, I set the line
TLS_CACERT /etc/ssl/certs/cafile.pem
in /etc/ldap/ldap.conf

But when I test with Rhodecode I get this error at authentication:

File "/opt/rhodecode/store/9q264m389m52myrgjanjivaab4192bva-python2.7-rhodecode-enterprise-ce-4.7.2/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py", line 434, in auth
    (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
  File "/opt/rhodecode/store/9q264m389m52myrgjanjivaab4192bva-python2.7-rhodecode-enterprise-ce-4.7.2/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py", line 329, in authenticate_ldap
    "server, org_exc:%s" % org_exc)
LdapConnectionError: LDAP can't access authentication server, org_exc:Traceback (most recent call last):
  File "/opt/rhodecode/store/9q264m389m52myrgjanjivaab4192bva-python2.7-rhodecode-enterprise-ce-4.7.2/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py", line 294, in authenticate_ldap
    server = self._get_ldap_server()
  File "/opt/rhodecode/store/9q264m389m52myrgjanjivaab4192bva-python2.7-rhodecode-enterprise-ce-4.7.2/lib/python2.7/site-packages/rhodecode/authentication/plugins/auth_ldap.py", line 250, in _get_ldap_server
    server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
  File "/opt/rhodecode/store/bfglg8a00j1d78vhxca94g2gp2ggaji5-python2.7-python-ldap-2.4.19/lib/python2.7/site-packages/ldap/ldapobject.py", line 214, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/opt/rhodecode/store/bfglg8a00j1d78vhxca94g2gp2ggaji5-python2.7-python-ldap-2.4.19/lib/python2.7/site-packages/ldap/ldapobject.py", line 208, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/opt/rhodecode/store/bfglg8a00j1d78vhxca94g2gp2ggaji5-python2.7-python-ldap-2.4.19/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}

The error is the same as the one that I get when running openssl without -CAfile argument, so it looks like the TLS_CACERT setting isn’t taken into account.

Is there another way to tell Rhodecode to use my CA file?

Hi Charles,

RhodeCode uses its own additional .pem file in all Python calls, such as importing remote repositories or LDAP authentication.
This file can be found at /home/USER/.rccontrol-profile/etc/ca-bundle.crt; you can extend it with your custom cert to make a self-signed one work.

Also LDAP itself uses this: https://code.rhodecode.com/rhodecode-enterprise-ce/files/tip/rhodecode/authentication/plugins/auth_ldap.py#L228

So by default it’s /etc/openldap/cacerts.

Hope it helps

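An added example (not RhodeCode's or python-ldap's own code) of the two things the answer describes: extending a PEM bundle such as ~/.rccontrol-profile/etc/ca-bundle.crt with a custom CA without appending it twice, and telling python-ldap explicitly which CA file to verify the LDAPS server against. The bundle path is assumed and the sample certificate is a constructed placeholder.

```python
import os
import re

# Location from the thread (assumed for this example; adjust per install).
RHODECODE_BUNDLE = os.path.expanduser("~/.rccontrol-profile/etc/ca-bundle.crt")

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def pem_blocks(bundle_text):
    """Return every PEM certificate block found in bundle text."""
    return _PEM_CERT.findall(bundle_text)


def merge_ca(bundle_text, ca_pem):
    """Return (new_bundle_text, added); add ca_pem only if not already present.

    Comparison ignores whitespace, so a re-wrapped copy of the same
    certificate is not appended a second time.
    """
    blocks = pem_blocks(ca_pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM certificate, got %d" % len(blocks))
    key = "".join(blocks[0].split())
    if any("".join(b.split()) == key for b in pem_blocks(bundle_text)):
        return bundle_text, False
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + blocks[0] + "\n", True


def ldaps_bind(uri, bind_dn, bind_pw, cafile=RHODECODE_BUNDLE):
    """Bind over LDAPS with python-ldap, verifying the server against cafile."""
    import ldap  # python-ldap, the library in the traceback above
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)  # explicit CA bundle
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # reject bad chains
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # rebuild this handle's TLS context
    conn.simple_bind_s(bind_dn, bind_pw)
    return conn


# Constructed placeholder, not a real certificate, used to exercise merge_ca().
SAMPLE_CA = ("-----BEGIN CERTIFICATE-----\n"
             "Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU\n"
             "-----END CERTIFICATE-----\n")
```

Run merge_ca() on the bundle's contents and write the result back only when it reports a change, then point ldaps_bind() at that bundle; if the bind still fails with "certificate verify failed", the CA in the bundle is not the one that signed the server's chain.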

Hi Marcin,

Thanks, it works using ~/.rccontrol-profile/etc/ca-bundle.crt! The documentation is worth updating to mention this possibility.
Best,
Charles

Thanks for the confirmation, we have already added info about that to the LDAP plugin, and also exposed its location in the web interface.