LDAPS and chain of certificates

I am trying to set up authentication through Active Directory. My problem is with connecting over LDAPS. We have our own CA service and all certificates are issued by one of them. So we have a root CA, then a Sub CA which issues all certs. Certs for domain controllers are also enrolled from the Sub CA automatically.
With this realm config, authentication works:

  active_directory:
    ad1:
      order: 2 
      domain_name: domain.local
      url: ldaps://dc01.domain.local:636, ldaps://dc02.domain.local:636
      load_balance:
        type: "failover" 
      ssl:
        certificate_authorities: [ "cert/root_ca.crt", "cert/sub_ca.crt" ]
        verification_mode: none

I had to insert verification_mode: none because if I delete this line, authentication breaks and I get this error:

[2020-10-01T19:07:32,749][WARN ][o.e.c.s.DiagnosticTrustManager] [node] failed to establish trust with server at [dc01.domain.local];
the server provided a certificate with subject name [CN=dc01.domain.local] and fingerprint [81b774a1e91159cc43f036a5b90571afd6038061];
the certificate has subject alternative names [DNS:dc01.domain.local];
the certificate is issued by [CN=SubCA,DC=domain,DC=local];
the certificate is signed by (subject [CN=SubCA,DC=domain,DC=local] fingerprint [ab278873cc4c7da08dcb0c0e87c0d7bcc7e6357c] {trusted issuer}) which is issued by [CN=Root CA,O=domain,C=local] (but that issuer certificate was not provided in the chain);
the issuing certificate with fingerprint [21be9ae0cca9af097ee70a1754e1c1c5b23ef035] is trusted in this ssl context ([xpack.security.authc.realms.active_directory.ad1.ssl])
sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures
[2020-10-01T19:07:32,753][WARN ][o.e.x.s.a.AuthenticationService] [node] Authentication to realm ad1failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server dc01.domain.local:636:  
IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'dc01.domain.local:636' because an unexpected error was encountered during validation processing:  SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))

But at the same time I use these two certificates [ "cert/root_ca.crt", "cert/sub_ca.crt" ] in other sections of elasticsearch.yml without any problems:

xpack.security.transport.ssl.certificate_authorities: [ "cert/root_ca.crt", "cert/sub_ca.crt" ]
xpack.security.http.ssl.certificate_authorities: [ "cert/root_ca.crt", "cert/sub_ca.crt" ]

Why does Elasticsearch say that the issuer certificate was not provided in the chain when it was in fact provided?

This is what causes the issue, not the certificate trust per se. The certificate that has been generated from your CA is lacking the appropriate keyUsage extension values (digitalSignature) and as such several TLS ciphers that depend on digital signature verification can't be used. Your options are:

  • Get a proper certificate from your CA for the AD controller

  • Configure a TLS cipher that could work even now, something without one of the following: ("DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA") from this list, i.e.:

      ssl:
          cipher_suites: ["TLS_AES_128_GCM_SHA256"]
    

Also I want to add that we have two certificates in the personal store with Server Authentication (OID: 1.3.6.1.5.5.7.3.1) and the wrong one was chosen.
This problem is described in this article, see Active Directory Domain Services Certificate Storage.
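
The answer above traces the failure to the keyUsage extension of the certificate the domain controller serves. The following is an added example, not part of the original posts or of Elasticsearch: a standard-library Python reader that walks a DER certificate and reports its keyUsage bits. The function names and the certificate-shaped sample bytes are constructed for illustration.

```python
KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 (id-ce-keyUsage)
BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
        "dataEncipherment", "keyAgreement", "keyCertSign",
        "cRLSign", "encipherOnly", "decipherOnly"]  # RFC 5280 bit order

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def key_usage(der):
    """Return the set of keyUsage names, or None if the extension is absent."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:
                continue  # primitive element, nothing nested to walk
            kids = children(val)
            if tag == 0x30 and kids and kids[0] == (0x06, KEY_USAGE_OID):
                # Extension value: OCTET STRING wrapping a BIT STRING
                _, bitstr = children(kids[-1][1])[0]
                total = (len(bitstr) - 1) * 8 - bitstr[0]  # minus unused bits
                return {BITS[i] for i in range(min(total, len(BITS)))
                        if bitstr[1 + i // 8] & (0x80 >> (i % 8))}
            stack.append(val)
    return None

def tlv(tag, body):  # helper for building the constructed sample only
    return bytes([tag, len(body)]) + body

def sample_cert(usage_byte):
    """Constructed, unsigned certificate skeleton carrying only keyUsage."""
    ext = tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x01, b"\xff")
              + tlv(0x04, tlv(0x03, bytes([5, usage_byte]))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + tlv(0x03, b"\x00"))

print(sorted(key_usage(sample_cert(0x20))))  # keyEncipherment only
```

For a live check, pass in `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate(("dc01.domain.local", 636)))`; a result without `digitalSignature` matches the `KeyUsage does not allow digital signatures` error in the log, and it also shows which of several installed certificates the controller actually presents.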