Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson wrote:
> Jeff Gamsby wrote:
>>
>> Jeff Gamsby
>> Center for X-Ray Optics
>> Lawrence Berkeley National Laboratory
>> (510) 486-7783
>>
>>
>>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> I blew away the server and installed a new one, then I used the
>>>> setupssl.sh script to setup SSL. The script completed
>>>> successfully, and the server is listening on port 636, but I'm
>>>> back to a familiar error:
>>>>
>>>> ldapsearch -x -ZZ -d -1
>>>>
>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>> TLS certificate verification: depth: 1, err: 19, subject:
>>>> /CN=CAcert, issuer: /CN=CAcert
>>>> TLS certificate verification: Error, self signed certificate in
>>>> certificate chain
>>>> tls_write: want=7, written=7
>>>> 0000: 15 03 01 00 02 02 30
>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA
>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>> TLS: can't connect.
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>> additional info: error:14090086:SSL
>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>
>>>> Shouldn't CN=CAcert be cn=fqdn?
>>> No, no hostname validation is done on the CA cert, only on the LDAP
>>> server cert.
>>>
>>> Did you configure openldap to use the new CA cert?
>>>
http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>
>>
>> Yes.
>>
>> This is what the access log says
>>
>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101
>> nentries=0 etime=0
>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from
>> 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120
>> nentries=0 etime=0
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does
>> not recognize and trust the CA that issued your certificate.
>
> This means that the CA cert that /etc/openldap/ldap.conf is using is
> not the cert of the CA that issued the Fedora DS server cert.
OK. I had the old cert in there.
I followed the instructions and did a
cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
cacert.asc`.0
and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
the same error
But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
you
need to copy that file in there. I guess the docs are not explicit
enough - if you use TLS_CACERTDIR, you must have the file <hash>.0 in
the cacerts directory. If you use TLS_CACERT, you must have the file
/etc/openldap/cacerts/cacert.asc.
[02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from
127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does
not recognize and trust the CA that issued your certificate.
>>>
>>>>
>>>> This is all that the errors log says
>>> How about the access log?
>>>>
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher
>>>> AES in backend userRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully
>>>> generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher
>>>> 3DES in backend userRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
>>>> generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher
>>>> AES in backend NetscapeRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully
>>>> generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher
>>>> 3DES in backend NetscapeRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
>>>> generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All
>>>> Interfaces port 389 for LDAP requests
>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port
>>>> 636 for LDAPS requests
>>>>
>>>> Thanks for your help
>>>>
>>>>
>>>>
>>>>
>>>> Jeff Gamsby
>>>> Center for X-Ray Optics
>>>> Lawrence Berkeley National Laboratory
>>>> (510) 486-7783
>>>>
>>>>
>>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> OK, now I have a different error.
>>>>>>
>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C"
-i
>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>
>>>>>> and
>>>>>>
>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>
>>>>>> Now, I get this error:
>>>>>>
>>>>>> TLS: can't connect.
>>>>>> ldap_perror
>>>>>> ldap_start_tls: Connect error (-11)
>>>>>> additional info: Start TLS request accepted.Server
>>>>>> willing to negotiate SSL.
>>>>> What OS and version are you running? RHEL3
>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive
>>>>> - you must use the TLS_CACERT directive with the full path and
>>>>> filename of the cacert.pem file (e.g.
>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>> fedora ds access and error log for this request?
>>>>>
>>>>> For a successful startTLS request with ldapsearch, you should see
>>>>> something like the following in your fedora ds access log:
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection
>>>>> from 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120
>>>>> nentries=0 etime=0
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
method=128
>>>>> version=3
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97
>>>>> nentries=0 etime=0 dn=""
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>> base="dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs=ALL
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>
>>>>>>
>>>>>>
>>>>>> Jeff Gamsby
>>>>>> Center for X-Ray Optics
>>>>>> Lawrence Berkeley National Laboratory
>>>>>> (510) 486-7783
>>>>>>
>>>>>>
>>>>>>
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>>
>>>>>>>> Jeff Gamsby
>>>>>>>> Center for X-Ray Optics
>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>> (510) 486-7783
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>
>>>>>>>>>> Jeff Gamsby
>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>> (510) 486-7783
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in
SSL mode. I am
>>>>>>>>>>>> using a OpenSSL CA, I have installed the
Server Cert and
>>>>>>>>>>>> the CA Cert, can start FDS in SSL mode,
but when I run
>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3
alert
>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>
http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>> I did, but that didn't work for me. The only
thing that I
>>>>>>>>>> did this time was generate a request from the
"Manage
>>>>>>>>>> Certificates", sign the request using my
OpenSSL CA, and
>>>>>>>>>> install the Server and CA Certs. Then I turned on
SSL in the
>>>>>>>>>> Admin console, and restarted the server.
>>>>>>>>>>
>>>>>>>>>> When I followed the instructions from the link, I
couldn't
>>>>>>>>>> even get FDS to start in SSL mode.
>>>>>>>>> One problem may be that ldapsearch is trying to
verify the
>>>>>>>>> hostname in your server cert, which is the value of
the cn
>>>>>>>>> attribute in the leftmost RDN in your server
cert's subject
>>>>>>>>> DN. What is the subject DN of your server cert? You
can use
>>>>>>>>> certutil -L -n Server-Cert as specified in the
Howto:SSL to
>>>>>>>>> print your cert.
>>>>>>>>
>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>
>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
-n
>>>>>>>> "server-cert" returns the Subject *CN* as FQDN
of FDS and
>>>>>>>> OpenSSL CA host (ran on same machine)
>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>>>>>> debugging info.
>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>> Is this the same /path/to/cacert.pem as
below?
>>>>>>>>>> Yes
>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>> ssl on
>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>
>>>>>>>>>>>> If I run
>>>>>>>>>>>> openssl s_client -connect localhost:636
-showcerts -state
>>>>>>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>>>>>>
>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>
>>>>>>>>>>>> Please help
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>>
>>>>>>>>>>>
------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>
------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>
------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users(a)redhat.com
>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users(a)redhat.com
>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> ------------------------------------------------------------------------
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users