OID ldapbind Using -U 2 to AD Fails with " SSL handshake failed" and openssl Shows Error "verify error:num=20:unable to get local issuer certificate"
(Doc ID 2737730.1)
Last updated on AUGUST 08, 2022
Applies to:
Oracle Internet Directory - Version 9.0.4 and later
Information in this document applies to any platform.
Symptoms
Oracle Internet Directory (OID), all versions.
ldapbind fails with the following message when connecting to an Active Directory (AD) LDAP instance:
./ldapbind -h <OID_HOSTNAME> -D <OID_ADMIN> -q -p <OID_SSL_PORT> -U 2 -W "file:/<PATH_TO_WALLET_DIRECTORY>" -Q
SSL handshake failed
OpenSSL also shows an error when connecting to the same Active Directory (AD) LDAP instance:
# openssl s_client -connect <AD_HOSTNAME>:<AD_SSL_PORT> -showcerts
CONNECTED(<CONNECTION_NUMBER>)
depth=0 <CERTIFICATE_SUBJECT_OF_ROOT_CERTIFICATE>
verify error:num=20:unable to get local issuer certificate <<<<<<<<<<<<<<<<<<<<<<<<<< Error Seen
verify return:1
depth=0 <CERTIFICATE_SUBJECT_OF_OID_SERVER_CERTIFICATE>
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain <CERTIFICATE_DETAILS>
...<etc>...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: <SESSION_ID>
Session-ID-ctx:
Master-Key: <KEY>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1606869695
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=104
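Reading the two codes in that output: OpenSSL verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) means the issuer of the certificate at that depth is not in the trust store OpenSSL was given, and 21 means the leaf could not be verified because no chain to a trusted root was built. The following Python triage is an added example, not part of this note or of Oracle's tooling: it parses s_client output of the shape shown above (the sample is constructed, the hostname is made up) and reports the verdict and one finding per error code, so the wallet problem can be confirmed before the wallet is changed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the s_client output quoted above (not a real capture).
FAILING_OUTPUT = """CONNECTED(00000003)
depth=0 CN = ad01.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ad01.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Verify return code: 21 (unable to verify the first certificate)
"""

# OpenSSL X509 verify codes from the symptom, read from the defender's side.
MEANING = {
    20: "issuer of this certificate is not in the local trust store; the issuing CA "
        "(root and any intermediates) must be a trusted certificate in the OID wallet",
    21: "server sent only its leaf certificate, so no chain to a trusted root can be "
        "built; the AD side must send its intermediates or the wallet must hold them",
}
DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
RESULT_RE = re.compile(r"^Verify return code: (\d+) \(", re.M)

def parse_verify_errors(output: str) -> List[Tuple[int, str, int]]:
    """Pair each 'verify error' line with the depth/subject line printed before it."""
    errors, depth, subject = [], -1, ""
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            depth, subject = int(m.group(1)), m.group(2)
        elif m := ERROR_RE.match(line):
            errors.append((depth, subject, int(m.group(1))))
    return errors

def verify_return_code(output: str) -> Optional[int]:
    """Final verdict; 0 means the chain verified against the local trust store."""
    m = RESULT_RE.search(output)
    return int(m.group(1)) if m else None  # None: dropped before a verdict was printed

def diagnose(output: str) -> List[str]:
    """One finding per distinct verify error code, in the order openssl reported them."""
    findings, seen = [], set()
    for depth, subject, num in parse_verify_errors(output):
        if num not in seen:
            seen.add(num)
            findings.append(f"depth {depth} ({subject}): {num}: "
                            f"{MEANING.get(num, 'see verify(1) for this code')}")
    return findings
```

A return code of 0 from `verify_return_code` is the only state in which `ldapbind -U 2` against the same wallet would trust the AD server; any other value means the wallet, not the bind credentials, is what to fix first.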
Changes
Cause