matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

OpenLDAP: unable to get local issuer certificate. #466

Closed matteocorti closed 1 year ago

matteocorti commented 1 year ago

Discussed in https://github.com/matteocorti/check_ssl_cert/discussions/465

Originally posted by **pappapo** July 29, 2023

If anyone has a recipe to have this plugin and nagios working with ldap please let me know. We have check_ssl_cert working just fine with http, smtp etc., but are unable to get it to work with OpenLDAP; it seems OpenLDAP works differently from all the other protocols. Also, other SSL check plugins do not complain when checking the same ldap hosts. Thank you in advance, Per

```
[olcTLSCACertificatePath]
[olcTLSCACertificateFile]
[olcTLSCertificateFile]
[olcTLSCertificateKeyFile]
```

are all properly defined and all clients can access the directory with TLS. The command will return

```
"Cannot verify certificate: unable to get local issuer certificate, unable to verify the first certificate"

openssl s_client -showcerts -verify 5 -connect db.nethead.se:389
verify depth is 2
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
```
matteocorti commented 1 year ago

The ROOT_CA variable is correctly set but then empty when calling s_client

matteocorti commented 1 year ago

I was not able to reproduce the problem with a current version. Can you please try with the latest release?