We have set up LDAPS with a public certificate:
Signature Algorithm: sha256WithRSAEncryption
Issuer: (CA ID: 105493)
commonName = Sectigo RSA Domain Validation Secure Server CA
organizationName = Sectigo Limited
localityName = Salford
stateOrProvinceName = Greater Manchester
countryName = GB
Validity
Not Before: Sep 3 00:00:00 2019 GMT
Not After : Sep 2 23:59:59 2021 GMT
Subject:
commonName = dc-1.ad.example.com
organizationalUnitName = PositiveSSL
organizationalUnitName = Domain Control Validated
So it is still valid.
This morning, we found that the LDAPS connection to the server does not work anymore:
# openssl s_client -connect dc-1.ad.example.com:636
CONNECTED(00000003)
depth=0 CN = dc-1.ad.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc-1.ad.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc-1.ad.example.com
We realized that the AD seemed to have issued a self-signed certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1d:00:00:00:*redacted*
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = com, DC = example, DC = ad, CN = ad-DC-1-CA
Validity
Not Before: May 31 01:21:28 2021 GMT
Not After : May 31 01:21:28 2022 GMT
To fix this, we removed the self-signed certificate from the certificate store on the Active Directory server.
Now, around 12 hours later, the same thing happened again and such a self-signed certificate replaced the official one:
Not Before: May 31 13:40:04 2021 GMT
Did somebody see this phenomenon? What can be the reason?
EDIT
Here is the official cert:
X509v3 Subject Alternative Name:
DNS:dc-1.ad.example.com, DNS:www.dc-1.ad.example.com
Here is the automatically generated one:
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:dc-1.ad.example.com