Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> I blew away the server and installed a new one, then I used the >> setupssl.sh script to setup SSL. The script completed successfully, >> and the server is listening on port 636, but I'm back to a familiar >> error: >> >> ldapsearch -x -ZZ -d -1 >> >> TLS trace: SSL_connect:SSLv3 read server hello A >> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, >> issuer: /CN=CAcert >> TLS certificate verification: Error, self signed certificate in >> certificate chain >> tls_write: want=7, written=7 >> 0000: 15 03 01 00 02 02 30 >> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >> TLS trace: SSL_connect:error in SSLv3 read server certificate B >> TLS trace: SSL_connect:error in SSLv3 read server certificate B >> TLS: can't connect. >> ldap_perror >> ldap_start_tls: Connect error (-11) >> additional info: error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >> >> Shouldn't CN=CAcert be cn=fqdn? > No, no hostname validation is done on the CA cert, only on the LDAP > server cert. > > Did you configure openldap to use the new CA cert? > http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients Yes. This is what the access log says [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0 [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate. > >> >> This is all that the errors log says > How about the access log? >> >> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES >> in backend userRoot, attempting to create one... >> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >> generated and stored >> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES >> in backend userRoot, attempting to create one... >> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >> generated and stored >> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES >> in backend NetscapeRoot, attempting to create one... >> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >> generated and stored >> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES >> in backend NetscapeRoot, attempting to create one... >> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >> generated and stored >> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >> Interfaces port 389 for LDAP requests >> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 >> for LDAPS requests >> >> Thanks for your help >> >> >> >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> OK, now I have a different error. >>>> >>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>> >>>> and >>>> >>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>> >>>> Now, I get this error: >>>> >>>> TLS: can't connect. >>>> ldap_perror >>>> ldap_start_tls: Connect error (-11) >>>> additional info: Start TLS request accepted.Server willing >>>> to negotiate SSL. >>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf >>> does not like the TLS_CACERTDIR directive - you must use the >>> TLS_CACERT directive with the full path and filename of the >>> cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does >>> it say in the fedora ds access and error log for this request? >>> >>> For a successful startTLS request with ldapsearch, you should see >>> something like the following in your fedora ds access log: >>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from >>> 127.0.0.1 to 127.0.0.1 >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 >>> version=3 >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>> nentries=0 etime=0 dn="" >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>> >>>> >>>> >>>> Jeff Gamsby >>>> Center for X-Ray Optics >>>> Lawrence Berkeley National Laboratory >>>> (510) 486-7783 >>>> >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using >>>>>>>>>> a OpenSSL CA, I have installed the Server Cert and the CA >>>>>>>>>> Cert, can start FDS in SSL mode, but when I run >>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>> write:fatal:unknown CA. >>>>>>>>> Did you follow this - >>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>> I did, but that didn't work for me. The only thing that I did >>>>>>>> this time was generate a request from the "Manage >>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>> install the Server and CA Certs. Then I turned on SSL in the >>>>>>>> Admin console, and restarted the server. >>>>>>>> >>>>>>>> When I followed the instructions from the link, I couldn't even >>>>>>>> get FDS to start in SSL mode. >>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>> hostname in your server cert, which is the value of the cn >>>>>>> attribute in the leftmost RDN in your server cert's subject DN. >>>>>>> What is the subject DN of your server cert? You can use >>>>>>> certutil -L -n Server-Cert as specified in the Howto:SSL to >>>>>>> print your cert. >>>>>> >>>>>> Sorry. I missed the -P option. >>>>>> >>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL >>>>>> CA host (ran on same machine) >>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>> debugging info. >>>>>> >>>>>>>>>> >>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>> Is this the same /path/to/cacert.pem as below? >>>>>>>> Yes >>>>>>>>>> TLSREQCERT allow >>>>>>>>>> ssl on >>>>>>>>>> ssl start_tls >>>>>>>>>> >>>>>>>>>> If I run >>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>>>>> -CAfile /path/to/cacert.pem >>>>>>>>>> >>>>>>>>>> It looks OK >>>>>>>>>> >>>>>>>>>> Please help >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
