[Samba] Problem with intermediate certificate (tls cafile)

Christopher Cox chriscox at endlessnow.com
Thu Aug 6 16:15:03 UTC 2020

On 8/6/20 10:43 AM, Nick Howitt via samba wrote:
> If I were guessing, based on some experience with certificate usage in other 
> apps, concatenate your certificate and intermediate certificates into a single 
> file which is then your "tls certfile" then point "tls cafile" to your issuer's 
> proper CA or just to your distro's CA bundle, e.g. /etc/pki/tls/certs/ca-bundle.crt.
> Nick
> On 06/08/2020 16:36, MAS Jean-Louis via samba wrote:
>> Nobody has any clues about the tls cafile?
>> Regards
>> On 04/08/2020 at 15:18, MAS Jean-Louis via samba wrote:
>>> I have several samba servers on Debian 10 all using:
>>> samba          2:4.9.5+dfsg-5+deb10u1 amd64
>>> I use tls cafile, tls certfile and tls keyfile with certificates from
>>> Sectigo (https://cert-manager.com)
>>> And when checking my connexion from the samba server, or from outside,
>>> I've got "unable to verify the first certificate" even if tls_cafile is
>>> provided in smb.conf.
>>> What is wrong?
>>> # checking my connexion
>>> openssl s_client -showcerts -connect localhost:636

Just a side note.  When "checking" a certificate you need to ideally use a valid 
name known for the certificate.  And "localhost" isn't going to be it.
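
Added example, not from the thread or the Samba project: a throwaway three-level PKI built with openssl reproduces the missing-intermediate condition that s_client reports as "unable to verify the first certificate", shows that a certificate file with the intermediate appended verifies against the root alone, and shows that checking against `localhost` fails on the name. All names and file paths are constructed; whether Samba serves intermediates placed in "tls certfile" is the suggestion quoted above, which this script does not test.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: root -> intermediate -> server leaf.
# All names (demo-root, dc1.example.test, file names) are hypothetical.
set -eu

build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:dc1.example.test\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
        openssl req -new -key "$d/$n.key" -subj "/CN=demo-$n" -out "$d/$n.csr"
    done
    # Self-signed root; root signs the intermediate; intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # Leaf first, then the intermediate: the concatenated file suggested above.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Only the leaf is presented: the verifier trusts the root but cannot reach it.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Leaf plus intermediate presented; $2 is the host name the client expects.
verify_fullchain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/fullchain.pem" \
        -verify_hostname "$2" "$1/fullchain.pem" 2>&1
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
build_demo_pki "$demo"
verify_leaf_only "$demo" || echo "leaf only: chain cannot be built"
verify_fullchain "$demo" dc1.example.test && echo "full chain, matching name: OK"
verify_fullchain "$demo" localhost || echo "full chain, localhost: name mismatch"
```

Against a live server the equivalent check is `openssl s_client` with `-CAfile` set to the root and `-verify_hostname` set to a name that appears in the certificate.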
