I blew away the server and installed a new one, then I used the
setupssl.sh script to setup SSL. The script completed successfully, and
the server is listening on port 636, but I'm back to a familiar error:
ldapsearch -x -ZZ -d -1
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert,
issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30
......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Shouldn't CN=CAcert be cn=fqdn?
This is all that the errors log says
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated
and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated
and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
generated and stored
[02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
Thanks for your help
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson wrote:
> Jeff Gamsby wrote:
>> OK, now I have a different error.
>>
>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>
>> and
>>
>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>
>> Now, I get this error:
>>
>> TLS: can't connect.
>> ldap_perror
>> ldap_start_tls: Connect error (-11)
>> additional info: Start TLS request accepted.Server willing to
>> negotiate SSL.
> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf
> does not like the TLS_CACERTDIR directive - you must use the
> TLS_CACERT directive with the full path and filename of the cacert.pem
> file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the
> fedora ds access and error log for this request?
>
> For a successful startTLS request with ldapsearch, you should see
> something like the following in your fedora ds access log:
> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from
> 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>
>>
>>
>> Jeff Gamsby
>> Center for X-Ray Optics
>> Lawrence Berkeley National Laboratory
>> (510) 486-7783
>>
>>
>>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>
>>>> Jeff Gamsby
>>>> Center for X-Ray Optics
>>>> Lawrence Berkeley National Laboratory
>>>> (510) 486-7783
>>>>
>>>>
>>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>>
>>>>>> Jeff Gamsby
>>>>>> Center for X-Ray Optics
>>>>>> Lawrence Berkeley National Laboratory
>>>>>> (510) 486-7783
>>>>>>
>>>>>>
>>>>>>
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a
>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert,
>>>>>>>> can start FDS in SSL mode, but when I run
>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>> write:fatal:unknown CA.
>>>>>>> Did you follow this -
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>> I did, but that didn't work for me. The only thing that I did
>>>>>> this time was generate a request from the "Manage Certificates",
>>>>>> sign the request using my OpenSSL CA, and install the Server and
>>>>>> CA Certs. Then I turned on SSL in the Admin console, and
>>>>>> restarted the server.
>>>>>>
>>>>>> When I followed the instructions from the link, I couldn't even
>>>>>> get FDS to start in SSL mode.
>>>>> One problem may be that ldapsearch is trying to verify the
>>>>> hostname in your server cert, which is the value of the cn
>>>>> attribute in the leftmost RDN in your server cert's subject DN.
>>>>> What is the subject DN of your server cert? You can use certutil
>>>>> -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>
>>>> Sorry. I missed the -P option.
>>>>
>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL
>>>> CA host (ran on same machine)
>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>> debugging info.
>>>>
>>>>>>>>
>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>> Yes
>>>>>>>> TLSREQCERT allow
>>>>>>>> ssl on
>>>>>>>> ssl start_tls
>>>>>>>>
>>>>>>>> If I run
>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state
>>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>>
>>>>>>>> It looks OK
>>>>>>>>
>>>>>>>> Please help
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> ------------------------------------------------------------------------
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
