Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson wrote:
Jeff Gamsby wrote:
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I blew away the server and installed a new one, then I used
>>>>>>>>> the setupssl.sh script to set up SSL. The script completed
>>>>>>>>> successfully, and the server is listening on port 636, but
>>>>>>>>> I'm back to a familiar error:
>>>>>>>>>
>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>
>>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>>>>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>>>>>>> tls_write: want=7, written=7
>>>>>>>>> 0000: 15 03 01 00 02 02 30  ......0
>>>>>>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS: can't connect.
>>>>>>>>> ldap_perror
>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>
>>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>>>> LDAP server cert.
>>>>>>>>
>>>>>>>> Did you configure openldap to use the new CA cert?
>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>>>>>
>>>>>>>
>>>>>>> Yes.
>>>>>>>
>>>>>>> This is what the access log says
>>>>>>>
>>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>
>>>>>> This means that the CA cert that /etc/openldap/ldap.conf is
>>>>>> using is not the cert of the CA that issued the Fedora DS server
>>>>>> cert.
>>>>> OK. I had the old cert in there.
>>>>>
>>>>> I followed the instructions and did a
>>>>>
>>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash
>>>>> -in cacert.asc`.0
>>>>>
>>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still
>>>>> get the same error
>>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>>>> you need to copy that file in there. I guess the docs are not
>>>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>>>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you
>>>> must have the file /etc/openldap/cacerts/cacert.asc.
>>>
>>> It does exist, and I'm using TLS_CACERT
>>> /etc/openldap/cacerts/cacert.asc
>>>
>>> Same error.
>>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from
>>> 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT
>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120
>>> nentries=0 etime=0
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does
>>> not recognize and trust the CA that issued your certificate.
>>>
>>> I also put the same info in /etc/ldap.conf
>> That file is only used by pam_ldap and nss_ldap, so it shouldn't
>> matter.
>>>
>>> Also, here are the certs
>>>
>>> ../shared/bin/certutil -L -P slapd-server- -d .
>>> CA certificate CTu,u,u
>>> server-cert u,u,u
>>> Server-Cert u,u,u
>>>
>>> Does that look right?
>> Try this:
>> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate"
>> -a > mycacert.asc
>>
>> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>>
>> If they are the same, then CA certificate is not the cert of the CA
>> that issued Server-Cert.
>
> They are the same.
>
> I'm not sure that I understand.
I'm not sure I understand what's going on either, but the message
"Peer does not recognize and trust the CA that issued your
certificate." means that ldapsearch did not verify your LDAP server
certificate (Server-Cert). This is usually due to one or both of the
following:
1) The value of the cn attribute in the leftmost RDN of the subjectDN
in the LDAP server cert is not the fqdn of the LDAP server host, or
the client cannot resolve it.
2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the
CA that issued the LDAP server certificate (Server-Cert)
I'm not sure which one it is. You might try dumping out the server
certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
"Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
If you get an error, this means that the CA whose cert is
/etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
certificate.
>
>>>
>>>>>
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>> from 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>> nentries=0 etime=0
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> This is all that the errors log says
>>>>>>>> How about the access log?
>>>>>>>>>
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>
>>>>>>>>> Thanks for your help
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>
>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>
>>>>>>>>>>> and
>>>>>>>>>>>
>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>
>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>
>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>> ldap_perror
>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>> additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>
>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>> access log:
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>> am using an OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>> when I run ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that
>>>>>>>>>>>>>>> I did this time was generate a request from the "Manage
>>>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA,
>>>>>>>>>>>>>>> and install the Server and CA Certs. Then I turned on
>>>>>>>>>>>>>>> SSL in the Admin console, and restarted the server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your
>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>
>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
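The thread boils down to two checks on the client side: whether the CA file named by TLS_CACERT really issued the server certificate (the `openssl verify -CAfile` test Richard suggests at the top of the thread), and whether the server certificate's subject CN is the host the client connects to; a third point, from the middle of the thread, is that a CA cert placed under TLS_CACERTDIR must be named `<subject hash>.0` or the OpenSSL-based client never finds it. The script below is an added example, not code from the thread or from Fedora Directory Server: it builds a throwaway CA, an unrelated second CA and a server certificate with the openssl command line, then runs all three checks against them, so the "unknown CA" failure can be reproduced and recognised offline. The names CAcert, OtherCA and ldap.example.com are constructed, and the only dependency is the `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the CA-chain,
# hostname and hash-naming checks discussed above against a throwaway PKI.
# All subject names and paths below are constructed for the demonstration.
set -e

WORK=${WORK:-$(mktemp -d)}

# Self-signed CA named $1 with subject CN=$2, written to $WORK/$1.pem and .key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server certificate for host $2, signed by the CA created as $1
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Check 2 from the thread: did the CA whose cert is in $1 issue the cert in $2?
# Exit status 0 means yes; anything else is the "unknown CA" situation.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 1 from the thread: the value of the leftmost RDN of the subject DN.
# RFC 2253 output puts the most specific RDN first, so strip "subject=" and
# everything after the first comma, then the "CN=" attribute name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -e 's/^subject= *//' -e 's/,.*$//' -e 's/^CN=//'
}

# True when the certificate's subject CN equals the host name the client uses
check_hostname() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# TLS_CACERTDIR layout: copy CA cert $1 into directory $2 under the name
# <subject hash>.0, which is what OpenSSL's directory lookup expects.
install_hashed() {
    mkdir -p "$2"
    dest="$2/$(openssl x509 -noout -hash -in "$1").0"
    cp "$1" "$dest"
    printf '%s\n' "$dest"
}

# Constructed test PKI: the issuing CA, an unrelated CA, one server cert
make_test_pki() {
    make_ca cacert CAcert
    make_ca othercacert OtherCA
    make_server_cert cacert ldap.example.com
}

make_test_pki
for ca in cacert othercacert; do
    if check_chain "$WORK/$ca.pem" "$WORK/server.pem"; then
        echo "$ca.pem issued server.pem: chain verifies"
    else
        echo "$ca.pem did NOT issue server.pem: this is the 'unknown CA' case"
    fi
done
echo "server cert subject CN: $(cert_cn "$WORK/server.pem")"
echo "CA installed for TLS_CACERTDIR as: $(install_hashed "$WORK/cacert.pem" "$WORK/cacerts")"
```

To apply this to a real Fedora DS instance, replace the constructed server certificate with the one exported from the NSS database (`certutil -L -P slapd-server- -d . -n "Server-Cert" -a`) and the CA file with the one named in `/etc/openldap/ldap.conf`; a failing `check_chain` is exactly the "Peer does not recognize and trust the CA" close seen in the access log. Note that current TLS clients, OpenLDAP included, match the host name against subjectAltName dNSName entries before falling back to the subject CN, so a production server certificate should carry the FQDN in a SAN as well as in the CN.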