The "unable to get issuer certificate" part really means it, and this has been quite a common issue for either LDAPS or STARTTLS, about a missing cert or missing trust flag in the PKI chain of trust of the issuer, and it is usually solved by a "trust anchor" command for the system, or a certutil -A in the LDAP NSS db directory, .

For the operating system point of view with a LDAP client, a"-d 4" added to ldapsearch, or a strace could show in which directory or key store the issuer is not trusted.

Does a "trust anchor some.ca.cert.pem.txt" help?

Thanks,

On Tue, May 23, 2023 at 3:30 AM Jakob Moser <lms0m27i@duck.com> wrote:

A similar problem seems to have been posted on Server Fault:

https://serverfault.com/questions/1131289/ldap-replication-to-server-with-lets-encrypt-certificate-fails-unable-to-get

It uses Implict TLS instead of STARTTLS, but apart from that shows the same symptoms, I believe.
Sadly, Server Fault has so far also been unable to figure out what the problem is.

Regards
Jakob
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue