December 30th, 2020 07:00
Attempting to configure LDAPS - "The certificate chain is not valid. (Error Code:0x6000947)"
Hi,
I am trying to configure a Unity VSA (5.0.5.0.5.002) to use LDAPS against two of my Windows 2019 DCs, as a test, and I am getting the error "The certificate chain is not valid. (Error Code:0x6000947)". I cannot find any directly helpful information for this specific error.
I have other applications (vCenter Server, iDRAC) that are successfully authenticating against the same DCs via LDAPS, using the same certificate chain.
The certificate chain I am trying to upload is as follows (this is from an isolated lab environment) :
Questions:
1) What issue exactly does Error Code:0x6000947 allude to? As far as I can see the certificate chain is good; so is it a key size or signature/hash type issue? I am using the same root/intermediate CA pair to sign the Unity webserver certificate for the UI and that works just fine.
2) I have collected the Unity's 'Service Information', but once I untar it all, there are hundreds of different log files. Is there a specific log file I should be looking at for LDAP configuration issues? Can I increase the level of logging in the short term to capture more detail?
3) My W2K19 DCs each present different certificates for LDAP; assuming I can fix the chain issue, can I upload multiple server certificate chains, or does the Unity expect all LDAPS servers to use the SAME certificate chain?
Any help or advice will be appreciated.
Thanks,
M
DELL-Josh Cr
Moderator
December 31st, 2020 06:00
Hi M,
When creating the certificate chain, do not use the server certificate itself. Only use the intermediate CA certificate(s) and the root certificate.
mc1903
December 31st, 2020 07:00
Thank you @DELL-Josh Cr that has worked for me.
Cheers
M
ravinderkodan88
June 15th, 2022 06:00
Hi, I am getting the same error. I have just uploaded the root certificate; it accepts the file, but the connection fails. I tried adding the CA certificate in between, but then it says the chain is incomplete.
Please assist.
DELL-Sam L
Moderator
June 15th, 2022 08:00
Hello ravinderkodan88,
Here are the links to a couple of KB articles that may be of assistance.
https://dell.to/3b4DO6c
https://dell.to/3NUqyzn
Gregory.Wille
September 7th, 2023 16:31
Steps
Ask the Certificate Sysadmin for the site's certificates:
Root.cer
Intermediate-CA.cer
ldap-server1.cer
ldap-server2.cer
Save the Certificates files on a host that has openssl installed (Linux or WSL), to do the testing.
Create ca-root-bundle certificate file
cp Intermediate-CA.cer ca-root-bundle.cer
cat Root.cer >> ca-root-bundle.cer
Verify the Intermediate-CA and Root Certificate Trusted chain, that created the ldap server Certificates
openssl verify -CAfile ca-root-bundle.cer ldap-server1.cer
openssl verify -CAfile ca-root-bundle.cer ldap-server2.cer
If both return ok
then
Update the "Distinguished Name" with the user name that will connect to the ldap server(s)
Enter the "Password" Use the Characters 0-9, a-z, A-Z, !#^*_-=+
Don't use these Linux Control characters for the password `()"@'$&/\
The "Verify Connection" will fail, as those characters will interfere with Windows GUI to Linux translation.
Select LDAPS Protocol to use port 636, (This requires the Trusted Intermediate-CA-Root-Bundle Certificate)
Select "Add" under Server Address, and Enter the LDAP server FQDN without the end dot or IP Address
Select "Upload Certificate" and Upload the ca-root-bundle.cer file
Select "Apply" the changes.
Select "Verify Connection"
Select "Close"
See the updated Dell KB article:
Dell Unity: Error when trying to configure LDAPS: The certificate chain is not valid. (Error Code:0x6000947) (User Correctable)
https://www.dell.com/support/kbdoc/en-us/000081361
Gregory.Wille
September 7th, 2023 17:25
The certificate chain above has three certificates.
Extract them into three different certificate files:
The first certificate is ldap server as cert1-ldap.cer
The second certificate is ca server as cert2-ca.cer
The third certificate is root server as cert3-root.cer
By the way, check the certificate dates (today is Sep 7, 2023), as they may have expired under the new 90-day rule.
$ openssl x509 -startdate -enddate -noout -in cert1-ldap.cer
notBefore=Dec 30 11:35:14 2020 GMT
notAfter=Dec 30 11:35:14 2021 GMT
$ openssl x509 -startdate -enddate -noout -in cert2-ca.cer
notBefore=Dec 30 10:49:23 2020 GMT
notAfter=Dec 30 10:59:23 2035 GMT
$ openssl x509 -startdate -enddate -noout -in cert3-root.cer
notBefore=Dec 29 22:31:40 2020 GMT
notAfter=Dec 29 22:41:37 2050 GMT
$ cp cert2-ca.cer ca-root-bundle.cer
$ cat cert3-root.cer >> ca-root-bundle.cer
$ openssl verify -CAfile ca-root-bundle.cer cert1-ldap.cer
CN = MC-ADDC-V-101.momusconsulting.com
error 10 at 0 depth lookup: certificate has expired
error cert1-ldap.cer: verification failed
$ date
Thu Sep 7 12:57:40 EDT 2023
$ sudo date --set='2021-02-02'
[sudo] password for user:
Wed Feb 2 00:00:00 EST 2021
$ openssl verify -CAfile ca-root-bundle.cer cert1-ldap.cer
cert1-ldap.cer: OK
NOTE: If the date were still Feb 2, 2021, this would work.
Select "Upload Certificate" and upload the ca-root-bundle.cer file
I hope that explains.
Thank you
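The two posts above describe one procedure by hand: split the pasted chain into separate files, bundle only the intermediate and root CA certificates (never the server certificate, as DELL-Josh Cr pointed out), verify the server certificate against that bundle, and check that nothing has expired. The script below is an added example that does the same steps; it is not from the thread or from Dell. It assumes openssl is installed and that the chain is a normal PEM file with one base64 line per line (the chain as pasted in the first post was flattened by the forum and would need its line breaks restored first); the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or from Dell: split a concatenated PEM chain
# (server, intermediate, root, in that order) into one file per certificate, build the
# intermediate+root bundle the Unity expects (no server certificate), and verify the
# server certificate against it. Assumes openssl is installed and the chain is a normal
# PEM file with one base64 line per line; file names are illustrative.

# split_chain CHAIN_FILE OUT_PREFIX
# Writes OUT_PREFIX-1.cer, OUT_PREFIX-2.cer, ... in order of appearance and prints the count.
split_chain() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".cer"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# build_bundle OUT_FILE CA_CERT... : concatenate the CA certificates only (never the leaf)
build_bundle() {
    out="$1"; shift
    : > "$out"
    for c in "$@"; do cat "$c" >> "$out"; done
}

# verify_leaf BUNDLE LEAF : exit 0 only if openssl can build the chain from the bundle
verify_leaf() {
    openssl verify -CAfile "$1" "$2"
}

# check_expiry CERT : exit 0 if CERT is still valid 24 hours from now, which catches the
# "certificate has expired" failure shown above before anything is uploaded
check_expiry() {
    openssl x509 -checkend 86400 -noout -in "$1"
}

# main CHAIN_FILE : run the whole procedure and name the bundle file to upload
main() {
    n=$(split_chain "$1" cert)
    [ "$n" -ge 2 ] || { echo "need at least server + CA certificate, found $n" >&2; return 1; }
    i=2; cas=""
    while [ "$i" -le "$n" ]; do cas="$cas cert-$i.cer"; i=$((i + 1)); done
    build_bundle ca-root-bundle.cer $cas   # unquoted on purpose: one argument per file
    for f in cert-*.cer; do check_expiry "$f" || { echo "$f expires within a day" >&2; return 1; }; done
    verify_leaf ca-root-bundle.cer cert-1.cer && echo "upload ca-root-bundle.cer to the Unity"
}

if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as `sh chain-check.sh chain.pem` from a scratch directory; ca-root-bundle.cer is the file to give to "Upload Certificate", and cert-1.cer (the server certificate) stays out of it.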