The "unable to get issuer certificate" part really means it, and this has been quite a common issue for either LDAPS or STARTTLS, about a missing cert or missing trust flag in the PKI chain of trust of the issuer, and it is usually solved by a "trust anchor" command for the system, or a certutil -A in the LDAP NSS db directory.
From the operating system point of view with an LDAP client, a "-d 4" added to ldapsearch, or an strace, could show in which directory or key store the issuer is not trusted.
Does a "trust anchor some.ca.cert.pem.txt" help?
On Tue, May 23, 2023 at 3:30 AM Jakob Moser <firstname.lastname@example.org> wrote:
A similar problem seems to have been posted on Server Fault:
It uses Implicit TLS instead of STARTTLS, but apart from that shows the same symptoms, I believe.
Sadly, Server Fault has so far also been unable to figure out what the problem is.
389-users mailing list -- email@example.com
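
The script below is an added illustration, not part of the thread or of 389 Directory Server: it builds a throwaway three-level PKI and shows which gap in the trust store produces "unable to get issuer certificate" as opposed to "unable to get local issuer certificate". It assumes the `openssl` command-line tool as the verifier; all certificate names are constructed for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> server certificate.
# Every name below (Example Root CA, ldap.example.test) is made up for the demo.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$demo_dir/ca.ext"

# new_csr NAME CN: create NAME.key and NAME.csr in the demo directory
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
}

build_pki() {
    new_csr root "Example Root CA"
    openssl x509 -req -in "$demo_dir/root.csr" -signkey "$demo_dir/root.key" \
        -extfile "$demo_dir/ca.ext" -days 2 -out "$demo_dir/root.pem" 2>/dev/null
    new_csr int "Example Intermediate CA"
    openssl x509 -req -in "$demo_dir/int.csr" -CA "$demo_dir/root.pem" \
        -CAkey "$demo_dir/root.key" -CAcreateserial -extfile "$demo_dir/ca.ext" \
        -days 2 -out "$demo_dir/int.pem" 2>/dev/null
    new_csr leaf "ldap.example.test"
    openssl x509 -req -in "$demo_dir/leaf.csr" -CA "$demo_dir/int.pem" \
        -CAkey "$demo_dir/int.key" -CAcreateserial -days 2 \
        -out "$demo_dir/leaf.pem" 2>/dev/null
    cat "$demo_dir/root.pem" "$demo_dir/int.pem" > "$demo_dir/chain.pem"
}

# verdict BUNDLE: verify the server certificate against one trust bundle
# and print openssl's message (a failed verification is an expected outcome here)
verdict() {
    openssl verify -CAfile "$demo_dir/$1" "$demo_dir/leaf.pem" 2>&1 || true
}

build_pki
echo "== only the intermediate is trusted (its issuer, the root, is missing)"
verdict int.pem
echo "== only the root is trusted (the intermediate is missing)"
verdict root.pem
echo "== root and intermediate are both trusted"
verdict chain.pem
```

The first case is the one the reply describes: part of the chain is found in the trust store, but the issuer above it is not, so the fix is to add the missing CA to the store the client actually reads.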