TLS trace: SSL3 alert write:fatal:unknown CA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> I blew away the server and installed a new one, then I used the 
>>> setupssl.sh script to setup SSL. The script completed successfully, 
>>> and the server is listening on port 636, but I'm back to a familiar 
>>> error:
>>>
>>> ldapsearch -x -ZZ -d -1
>>>
>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>> TLS certificate verification: depth: 1, err: 19, subject: 
>>> /CN=CAcert, issuer: /CN=CAcert
>>> TLS certificate verification: Error, self signed certificate in 
>>> certificate chain
>>> tls_write: want=7, written=7
>>>  0000:  15 03 01 00 02 02 30                               
>>> ......0          TLS trace: SSL3 alert write:fatal:unknown CA
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>>        additional info: error:14090086:SSL 
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>
>>> Shouldn't CN=CAcert be cn=fqdn?
>> No, no hostname validation is done on the CA cert, only on the LDAP 
>> server cert.
>>
>> Did you configure openldap to use the new CA cert?  
>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> Yes.
>
> This is what the access log says
>
> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 
> nentries=0 etime=0
> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 
> 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT 
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 
> nentries=0 etime=0
> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does 
> not recognize and trust the CA that issued your certificate.

This means that the CA cert that /etc/openldap/ldap.conf is using is not 
the cert of the CA that issued the Fedora DS server cert.
>>
>>>
>>> This is all that the errors log says
>> How about the access log?
>>>
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES 
>>> in backend userRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully 
>>> generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 
>>> 3DES in backend userRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully 
>>> generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES 
>>> in backend NetscapeRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully 
>>> generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 
>>> 3DES in backend NetscapeRoot, attempting to create one...
>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully 
>>> generated and stored
>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on All 
>>> Interfaces port 389 for LDAP requests
>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 
>>> for LDAPS requests
>>>
>>> Thanks for your help
>>>
>>>
>>>
>>>
>>> Jeff Gamsby
>>> Center for X-Ray Optics
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7783
>>>
>>>
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> OK, now I have a different error.
>>>>>
>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i 
>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>
>>>>> and
>>>>>
>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>
>>>>> Now, I get this error:
>>>>>
>>>>> TLS: can't connect.
>>>>> ldap_perror
>>>>> ldap_start_tls: Connect error (-11)
>>>>>        additional info: Start TLS request accepted.Server willing 
>>>>> to negotiate SSL.
>>>> What OS and version are you running?  RHEL3 /etc/openldap/ldap.conf 
>>>> does not like the TLS_CACERTDIR directive - you must use the 
>>>> TLS_CACERT directive with the full path and filename of the 
>>>> cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem).  What does 
>>>> it say in the fedora ds access and error log for this request?
>>>>
>>>> For a successful startTLS request with ldapsearch, you should see 
>>>> something like the following in your fedora ds access log:
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 
>>>> 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT 
>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 
>>>> nentries=0 etime=0
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 
>>>> version=3
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 
>>>> nentries=0 etime=0 dn=""
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH 
>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 
>>>> nentries=1 etime=0
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>
>>>>>
>>>>>
>>>>> Jeff Gamsby
>>>>> Center for X-Ray Optics
>>>>> Lawrence Berkeley National Laboratory
>>>>> (510) 486-7783
>>>>>
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>>
>>>>>>> Jeff Gamsby
>>>>>>> Center for X-Ray Optics
>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>> (510) 486-7783
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>
>>>>>>>>> Jeff Gamsby
>>>>>>>>> Center for X-Ray Optics
>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>> (510) 486-7783
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using 
>>>>>>>>>>> a OpenSSL CA, I have installed the Server Cert and the CA 
>>>>>>>>>>> Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert 
>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>> Did you follow this - 
>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>> I did, but that didn't work for me. The only thing that I did 
>>>>>>>>> this time was generate a request from the "Manage 
>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and 
>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in the 
>>>>>>>>> Admin console, and restarted the server.
>>>>>>>>>
>>>>>>>>> When I followed the instructions from the link, I couldn't 
>>>>>>>>> even get FDS to start in SSL mode.
>>>>>>>> One problem may be that ldapsearch is trying to verify the 
>>>>>>>> hostname in your server cert, which is the value of the cn 
>>>>>>>> attribute in the leftmost RDN in your server cert's subject 
>>>>>>>> DN.  What is the subject DN of your server cert?  You can use 
>>>>>>>> certutil -L -n Server-Cert as specified in the Howto:SSL to 
>>>>>>>> print your cert.
>>>>>>>
>>>>>>> Sorry. I missed the -P option.
>>>>>>>
>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n 
>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and 
>>>>>>> OpenSSL CA host (ran on same machine)
>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some 
>>>>>> debugging info.
>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>> Yes
>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>> ssl on
>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>
>>>>>>>>>>> If I run
>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state 
>>>>>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>>>>>
>>>>>>>>>>> It looks OK
>>>>>>>>>>>
>>>>>>>>>>> Please help
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>>   
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>   
>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>> ------------------------------------------------------------------------ 
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>   
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>   
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060602/9f8e5251/attachment.bin 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux