...I have never had so much trouble enabling secure communications.
I believe this to be a valid CA cert chain for Let's Encrypt. Decoding the first certificate below gives subject `C=US, O=Let's Encrypt, CN=R3` and issuer `O=Digital Signature Trust Co., CN=DST Root CA X3`, notBefore 2020-10-07, notAfter 2021-09-29 — i.e. the DST-Root-cross-signed R3 intermediate, which stops validating on that date and will then need replacing with the R3 chain issued under ISRG Root X1. (The second certificate in the file is omitted here.) A quick way to confirm what a chain file holds is `openssl crl2pkcs7 -nocrl -certfile /etc/ssl/le/ca-chain.pem | openssl pkcs7 -print_certs -noout`, which prints every certificate's subject and issuer.
The contents of /etc/ssl/le/ca-chain.pem:
-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
I can run other LDAP commands that succeed, so the server is up and responding.
The CA cert chain file is owned by openldap:openldap with mode r-xr--r-- (0544); the execute bit is unnecessary on a PEM file, but the chain only holds public certificates, so world-readable is fine and the service user can read it. The directory /etc/ssl/le/ has the same ownership and is traversable by everyone (r-xr-xr-x). Two hardening notes for later: trust anchors are usually kept root-owned and group-readable (e.g. root:openldap 0640) so a compromised slapd cannot rewrite its own CA file, and when the server key is added it must be readable only by the openldap user (0600/0640) and covered by the same AppArmor rule.
The contents of /root/tmp/secureldap.conf:
# Applied to cn=config over ldapi:/// with SASL EXTERNAL (root's peer
# credentials, see the bind trace below). Sets the CA chain slapd uses to
# verify peers; slapd checks the TLS configuration when the change is applied,
# so the path must be readable by the openldap user and allowed by its
# AppArmor profile. Re-running with "add:" once the attribute exists fails
# with attributeOrValueExists; use "replace:" to overwrite.
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/le/ca-chain.pem
The command I am trying to execute:
ldapmodify -H ldapi:/// -Y EXTERNAL -f /root/tmp/secureldap.conf -d "-1"
And it fails. The full `-d -1` client trace follows; the relevant part is `res_errno: 80` near the end, after the SASL EXTERNAL bind succeeded as `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` (so this is not an authorization problem on cn=config).
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=auth.example.net
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x5621fef74de0 ptr=0x5621fef74de0 end=0x5621fef74dfa len=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ber_scanf fmt ({i) ber:
ber_dump: buf=0x5621fef74de0 ptr=0x5621fef74de5 end=0x5621fef74dfa len=21
0000: 60 13 02 01 03 04 00 a3 0c 04 08 45 58 54 45 52 `..........EXTER
0010: 4e 41 4c 04 00 NAL..
ber_flush2: 26 bytes to sd 4
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_write: want=26, written=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_msgfree
ldap_result ld 0x5621fef72c50 msgid 1
wait4msg ld 0x5621fef72c50 msgid 1 (infinite timeout)
wait4msg continue ld 0x5621fef72c50 msgid 1 all 1
** ld 0x5621fef72c50 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Thu Apr 29 17:51:59 2021
** ld 0x5621fef72c50 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5621fef72c50 request count 1 (abandoned 0)
** ld 0x5621fef72c50 Response Queue:
Empty
ld 0x5621fef72c50 response count 0
ldap_chkResponseList ld 0x5621fef72c50 msgid 1 all 1
ldap_chkResponseList returns ld 0x5621fef72c50 NULL
ldap_int_select
read1msg: ld 0x5621fef72c50 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c100 end=0x5621fef5c10c len=12
0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........
read1msg: ld 0x5621fef72c50 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
read1msg: ld 0x5621fef72c50 0 new referrals
read1msg: mark request completed, ld 0x5621fef72c50 msgid 1
request done: ld 0x5621fef72c50 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ber_scanf fmt (}) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c10c end=0x5621fef5c10c len=0
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x5621fef77220 ptr=0x5621fef77220 end=0x5621fef7727d len=93
0000: 30 5b 02 01 02 66 56 04 09 63 6e 3d 63 6f 6e 66 0[...fV..cn=conf
0010: 69 67 30 49 30 47 0a 01 00 30 42 04 17 6f 6c 63 ig0I0G...0B..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 27 04 25 2f 65 74 63 2f 73 73 6c File1'.%/etc/ssl
0040: 2f 32 30 32 31 2d 77 69 6c 64 63 61 72 64 2d 63 /etc/ssl/le/ca-c
0050: 65 72 74 2f 63 68 61 69 6e 2e 70 65 6d hain.pem
ber_scanf fmt ({) ber:
ber_dump: buf=0x5621fef77220 ptr=0x5621fef77225 end=0x5621fef7727d len=88
0000: 66 56 04 09 63 6e 3d 63 6f 6e 66 69 67 30 49 30 fV..cn=config0I0
0010: 47 0a 01 00 30 42 04 17 6f 6c 63 54 4c 53 43 41 G...0B..olcTLSCA
0020: 43 65 72 74 69 66 69 63 61 74 65 46 69 6c 65 31 CertificateFile1
0030: 27 04 25 2f 65 74 63 2f 73 73 6c 2f 32 30 32 31 '.%/etc/ssl/le/c
0040: 2d 77 69 6c 64 63 61 72 64 2d 63 65 72 74 2f 63 a-chain.pem
0050: 68 61 69 6e 2e 70 65 6d
ber_flush2: 93 bytes to sd 4
0000: 30 5b 02 01 02 66 56 04 09 63 6e 3d 63 6f 6e 66 0[...fV..cn=conf
0010: 69 67 30 49 30 47 0a 01 00 30 42 04 17 6f 6c 63 ig0I0G...0B..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 27 04 25 2f 65 74 63 2f 73 73 6c File1'.%/etc/ssl
0040: 2f 32 30 32 31 2d 77 69 6c 64 63 61 72 64 2d 63 /le/ca-chain.pem
0050: 65 72 74 2f 63 68 61 69 6e 2e 70 65 6d
ldap_write: want=93, written=93
0000: 30 5b 02 01 02 66 56 04 09 63 6e 3d 63 6f 6e 66 0[...fV..cn=conf
0010: 69 67 30 49 30 47 0a 01 00 30 42 04 17 6f 6c 63 ig0I0G...0B..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 27 04 25 2f 65 74 63 2f 73 73 6c File1'.%/etc/ssl
0040: 2f 32 30 32 31 2d 77 69 6c 64 63 61 72 64 2d 63 /le/ca-chain.pem
0050: 65 72 74 2f 63 68 61 69 6e 2e 70 65 6d
ldap_result ld 0x5621fef72c50 msgid 2
wait4msg ld 0x5621fef72c50 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x5621fef72c50 msgid 2 all 1
** ld 0x5621fef72c50 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Thu Apr 29 17:51:59 2021
** ld 0x5621fef72c50 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x5621fef72c50 request count 1 (abandoned 0)
** ld 0x5621fef72c50 Response Queue:
Empty
ld 0x5621fef72c50 response count 0
ldap_chkResponseList ld 0x5621fef72c50 msgid 2 all 1
ldap_chkResponseList returns ld 0x5621fef72c50 NULL
ldap_int_select
read1msg: ld 0x5621fef72c50 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 02 67 07 0a 0....g..
ldap_read: want=6, got=6
0000: 01 50 04 00 04 00 .P....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b440 end=0x5621fef5b44c len=12
0000: 02 01 02 67 07 0a 01 50 04 00 04 00 ...g...P....
read1msg: ld 0x5621fef72c50 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b443 end=0x5621fef5b44c len=9
0000: 67 07 0a 01 50 04 00 04 00 g...P....
read1msg: ld 0x5621fef72c50 0 new referrals
read1msg: mark request completed, ld 0x5621fef72c50 msgid 2
request done: ld 0x5621fef72c50 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b443 end=0x5621fef5b44c len=9
0000: 67 07 0a 01 50 04 00 04 00 g...P....
ber_scanf fmt (}) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b44c end=0x5621fef5b44c len=0
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
0000: 30 05 02 01 03 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 03 42 00 0....B.
ldap_free_connection: actually freed
I tried to keep it small: adding only the CA chain should be a specific, atomic change. One caveat worth knowing: slapd validates the whole TLS configuration whenever one of the olcTLS* attributes changes, and a CA file with no olcTLSCertificateFile/olcTLSCertificateKeyFile configured is commonly rejected with this same error 80. The usual advice is to set all three in a single ldapmodify operation (one `dn: cn=config` entry with the attribute changes separated by `-` lines) rather than one attribute at a time.
nmap says something is listening on port 636 (SLAPD_SERVICES includes `ldaps:///`), but an open port does not mean TLS works: until a certificate and key are loaded, `openssl s_client -connect auth.example.net:636` will fail the handshake, and that is a better test than a port scan. Note that cleartext `ldap:///` on 389 is also exposed; once TLS is working, consider `olcSecurity: tls=1` (or dropping `ldap:///` from SLAPD_SERVICES) so binds cannot go over plaintext.
root@auth:/etc/ssl/le/# grep -rn "ldaps" /etc
/etc/services:186:ldaps 636/tcp # LDAP over SSL
/etc/services:187:ldaps 636/udp
/etc/default/slapd:20:# service requests on TCP-port 636 (ldaps) and requests via unix
/etc/default/slapd:24:SLAPD_SERVICES="ldaps:/// ldapi:/// ldap:///"
root@auth:/etc/ssl/le/# nmap auth.example.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-29 18:26 UTC
Nmap scan report for auth.example.net (10.0.1.100)
Host is up (0.000029s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
389/tcp open ldap
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
I also tried `replace:` instead of `add:` after the changetype line in /root/tmp/secureldap.conf. (For reference, `add:` of an attribute that already exists fails with result 20, attributeOrValueExists; error 80 is different — the backend rejected the value itself.)
I also added an AppArmor rule for the certificate directory, since nothing in the stock profiles references /etc/ssl/le/ (the grep below matches only client-side abstractions):
root@auth:/etc/apparmor.d# grep -rn ldap /etc/apparmor.d
/etc/apparmor.d/abstractions/nameservice:75: # ldap
/etc/apparmor.d/abstractions/nameservice:76: #include <abstractions/ldapclient>
/etc/apparmor.d/abstractions/nis:13: # portmapper may ask root processes to do nis/ldap at low ports
/etc/apparmor.d/abstractions/ldapclient:11: # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/apparmor.d/abstractions/ldapclient:12: /etc/ldap.conf r,
/etc/apparmor.d/abstractions/ldapclient:13: /etc/ldap.secret r,
/etc/apparmor.d/abstractions/ldapclient:14: /etc/openldap/* r,
/etc/apparmor.d/abstractions/ldapclient:15: /etc/openldap/cacerts/* r,
root@auth:/etc/apparmor.d# tail /etc/apparmor.d/local/usr.sbin.slapd
/etc/ssl/le/ r,
/etc/ssl/le/* r
It is frustrating to be stuck here, and the error message is hard to read: result code 80 is LDAP_OTHER, which slapd returns when back-config rejects the change, and the real reason is only logged server-side. Check `journalctl -u slapd` (or /var/log/syslog) for a `TLS init` / `TLS: could not load` message, and `dmesg | grep -i 'apparmor.*DENIED.*slapd'` (or /var/log/audit/audit.log) for a file-access denial. Two things visible above are worth checking first. (1) The last AppArmor rule, `/etc/ssl/le/* r`, has no trailing comma; AppArmor rules must end with `,`, so `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` would reject the profile and the previously loaded profile (without the rule) stays in force — fix the comma, reload, and confirm with `aa-status` (and verify the main profile actually includes the `local/` file). (2) The hex of the modify request (length byte `04 25` = 37 bytes, data `2f 32 30 32 31 2d 77 69 6c 64 ...`) decodes to `/etc/ssl/2021-wildcard-cert/chain.pem`, not the 24-byte `/etc/ssl/le/ca-chain.pem` shown in the LDIF and in the edited ASCII column. If that longer path is what slapd actually received, it lies outside the `/etc/ssl/le/` AppArmor allow and outside the directory whose permissions were checked, which alone would produce error 80. Either way, the ASCII column of the trace was redacted but the hex was not, so the real path is still disclosed in this post.