Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson wrote:
Jeff Gamsby wrote:
> I blew away the server and installed a new one, then I used the
> setupssl.sh script to setup SSL. The script completed successfully,
> and the server is listening on port 636, but I'm back to a familiar
> error:
>
> ldapsearch -x -ZZ -d -1
>
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert,
> issuer: /CN=CAcert
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30
> ......0 TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Shouldn't CN=CAcert be cn=fqdn?
No, no hostname validation is done on the CA cert, only on the LDAP
server cert.
Did you configure openldap to use the new CA cert?
http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
Yes.
This is what the access log says
[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101
nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not
recognize and trust the CA that issued your certificate.
>
> This is all that the errors log says
How about the access log?
>
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES
> in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES
> in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES
> in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES
> in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636
> for LDAPS requests
>
> Thanks for your help
>
>
>
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> OK, now I have a different error.
>>>
>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>
>>> and
>>>
>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>
>>> Now, I get this error:
>>>
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>> additional info: Start TLS request accepted.Server willing
>>> to negotiate SSL.
>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf
>> does not like the TLS_CACERTDIR directive - you must use the
>> TLS_CACERT directive with the full path and filename of the
>> cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does
>> it say in the fedora ds access and error log for this request?
>>
>> For a successful startTLS request with ldapsearch, you should see
>> something like the following in your fedora ds access log:
>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from
>> 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120
>> nentries=0 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128
>> version=3
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97
>> nentries=0 etime=0 dn=""
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
attrs=ALL
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>
>>>
>>>
>>> Jeff Gamsby
>>> Center for X-Ray Optics
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7783
>>>
>>>
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>> Jeff Gamsby
>>>>> Center for X-Ray Optics
>>>>> Lawrence Berkeley National Laboratory
>>>>> (510) 486-7783
>>>>>
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> Jeff Gamsby
>>>>>>> Center for X-Ray Optics
>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>> (510) 486-7783
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
am using
>>>>>>>>> a OpenSSL CA, I have installed the Server Cert and
the CA
>>>>>>>>> Cert, can start FDS in SSL mode, but when I run
>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>> write:fatal:unknown CA.
>>>>>>>> Did you follow this -
>>>>>>>>
http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>> I did, but that didn't work for me. The only thing that I
did
>>>>>>> this time was generate a request from the "Manage
>>>>>>> Certificates", sign the request using my OpenSSL CA, and
>>>>>>> install the Server and CA Certs. Then I turned on SSL in the
>>>>>>> Admin console, and restarted the server.
>>>>>>>
>>>>>>> When I followed the instructions from the link, I
couldn't even
>>>>>>> get FDS to start in SSL mode.
>>>>>> One problem may be that ldapsearch is trying to verify the
>>>>>> hostname in your server cert, which is the value of the cn
>>>>>> attribute in the leftmost RDN in your server cert's subject
DN.
>>>>>> What is the subject DN of your server cert? You can use
>>>>>> certutil -L -n Server-Cert as specified in the Howto:SSL to
>>>>>> print your cert.
>>>>>
>>>>> Sorry. I missed the -P option.
>>>>>
>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and
OpenSSL
>>>>> CA host (ran on same machine)
>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>>> debugging info.
>>>>>
>>>>>>>>>
>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>> Yes
>>>>>>>>> TLSREQCERT allow
>>>>>>>>> ssl on
>>>>>>>>> ssl start_tls
>>>>>>>>>
>>>>>>>>> If I run
>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
-state
>>>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>>>
>>>>>>>>> It looks OK
>>>>>>>>>
>>>>>>>>> Please help
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>
------------------------------------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users(a)redhat.com
>>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users(a)redhat.com
>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users(a)redhat.com
>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users