
Bug #6954

ldapweb.cgi should use standard CA file

Added by ben leinfelder over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 01/28/2016
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id:

Description

When Nick updated the ldap.ecoinformatics.org SSL certificate to use Let's Encrypt instead of GoDaddy, the Perl script for managing accounts could not establish a TLS connection with the LDAP server. I switched the script to use the standard ca-certificates.crt file (includes all standard CAs shipped with Ubuntu) and the connection was successful. I think we should try to use the standard CA certificate file whenever possible. The current default for Metacat is this old GoDaddy CA, so on any Metacat upgrades we will need to remember to switch to the standard CA file unless we change the default configuration.

Current Metacat property default value:
ldap.server.ca.certificate=WEB-INF/gd_intermediate_bundle_nceas_ldap.crt

History

#1 Updated by Jing Tao over 4 years ago

The reason we used an external CA certificate is that the old GoDaddy certificate is not in the system's default CA store.

#2 Updated by Jing Tao over 4 years ago

  • Status changed from New to Resolved

We made changes to the LDAP code. If users don't specify ldap.server.ca.certificate in metacat.properties, the code will use the default CA file /etc/ssl/certificate; if users specify that value, LDAP will use that value. The default value of ldap.server.ca.certificate in metacat.properties is blank (not specified).
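The selection rule described in comment #2 (use the configured CA file when the property is set, otherwise fall back to the system trust store) and the verification the description relies on, written out as an added Python example. This is not Metacat's or ldapweb.cgi's own code; the property key `ldap.server.ca.certificate` and the GoDaddy bundle path come from this page, while the Ubuntu bundle path `/etc/ssl/certs/ca-certificates.crt`, the sample properties text and the helper names are assumptions made for the example.

```python
"""Choose the CA bundle for verifying the LDAP server's TLS certificate and
build a client context that actually requires a valid chain.

Illustrative code added alongside bug #6954; it is not Metacat's or
ldapweb.cgi's implementation.
"""
import socket
import ssl
from typing import Dict, Optional

# Property key from metacat.properties (taken from the bug report).
PROPERTY_KEY = "ldap.server.ca.certificate"

# Assumed path of Ubuntu's system-wide bundle; the fallback the bug
# description switched ldapweb.cgi to.  Used only when the property is blank.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed sample of the relevant metacat.properties lines: the old default
# (commented out) and the new blank default.
SAMPLE_PROPERTIES = """
# old default pinned to a single issuer bundle:
# ldap.server.ca.certificate=WEB-INF/gd_intermediate_bundle_nceas_ldap.crt
ldap.server.ca.certificate=
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for key=value lines of a Java .properties file.
    Blank lines and '#'/'!' comments are skipped; keys and values are stripped.
    Sufficient for the flat entries in metacat.properties."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_ca_file(props: Dict[str, str]) -> Optional[str]:
    """Apply the rule from comment #2: a non-blank property wins; a missing or
    blank property means 'use the system default' (returned as None)."""
    configured = props.get(PROPERTY_KEY, "").strip()
    return configured or None


def make_tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Build a context for LDAPS / StartTLS that requires a trusted chain and
    a hostname match.  ca_file=None loads the OS trust store, which is what
    made the Let's Encrypt issued certificate verifiable; a path restricts
    trust to the issuers in that one bundle (the GoDaddy situation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def ldaps_handshake(host: str, port: int, ctx: ssl.SSLContext) -> str:
    """Open an LDAPS connection and return the peer's subject CN.  Raises
    ssl.SSLCertVerificationError when the chosen bundle cannot validate the
    server certificate, i.e. the failure the bug report describes."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(x[0] for x in tls.getpeercert()["subject"])
            return subject.get("commonName", "")


if __name__ == "__main__":
    chosen = resolve_ca_file(parse_properties(SAMPLE_PROPERTIES))
    print("CA source:", chosen or f"system store (e.g. {SYSTEM_CA_BUNDLE})")
    ctx = make_tls_context(chosen)
    # Hostname from the bug report; network access is required for this call.
    print("peer CN:", ldaps_handshake("ldap.ecoinformatics.org", 636, ctx))
```

With the property blank the context trusts whatever the operating system ships, so an issuer change on the server (GoDaddy to Let's Encrypt) needs no Metacat reconfiguration; with the property set to the old intermediate bundle, the same handshake fails verification, which is the symptom the description reports.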
