Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> I blew away the server and installed a new one, then I used the >>>> setupssl.sh script to setup SSL. The script completed successfully, >>>> and the server is listening on port 636, but I'm back to a familiar >>>> error: >>>> >>>> ldapsearch -x -ZZ -d -1 >>>> >>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>> TLS certificate verification: depth: 1, err: 19, subject: >>>> /CN=CAcert, issuer: /CN=CAcert >>>> TLS certificate verification: Error, self signed certificate in >>>> certificate chain >>>> tls_write: want=7, written=7 >>>> 0000: 15 03 01 00 02 02 30 >>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>> TLS: can't connect. >>>> ldap_perror >>>> ldap_start_tls: Connect error (-11) >>>> additional info: error:14090086:SSL >>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>> >>>> Shouldn't CN=CAcert be cn=fqdn? >>> No, no hostname validation is done on the CA cert, only on the LDAP >>> server cert. >>> >>> Did you configure openldap to use the new CA cert? >>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>> >> >> Yes. >> >> This is what the access log says >> >> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >> nentries=0 etime=0 >> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from >> 127.0.0.1 to 127.0.0.1 >> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does >> not recognize and trust the CA that issued your certificate. > > This means that the CA cert that /etc/openldap/ldap.conf is using is > not the cert of the CA that issued the Fedora DS server cert. OK. I had the old cert in there. I followed the instructions and did a cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0 and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get the same error [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1 [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate. >>> >>>> >>>> This is all that the errors log says >>> How about the access log? >>>> >>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>> AES in backend userRoot, attempting to create one... >>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>> generated and stored >>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>> 3DES in backend userRoot, attempting to create one... >>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>> generated and stored >>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>> AES in backend NetscapeRoot, attempting to create one... >>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>> generated and stored >>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>> 3DES in backend NetscapeRoot, attempting to create one... >>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>> generated and stored >>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >>>> Interfaces port 389 for LDAP requests >>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 >>>> for LDAPS requests >>>> >>>> Thanks for your help >>>> >>>> >>>> >>>> >>>> Jeff Gamsby >>>> Center for X-Ray Optics >>>> Lawrence Berkeley National Laboratory >>>> (510) 486-7783 >>>> >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> OK, now I have a different error. >>>>>> >>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>> >>>>>> and >>>>>> >>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>>>> >>>>>> Now, I get this error: >>>>>> >>>>>> TLS: can't connect. >>>>>> ldap_perror >>>>>> ldap_start_tls: Connect error (-11) >>>>>> additional info: Start TLS request accepted.Server willing >>>>>> to negotiate SSL. >>>>> What OS and version are you running? RHEL3 >>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive >>>>> - you must use the TLS_CACERT directive with the full path and >>>>> filename of the cacert.pem file (e.g. >>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the fedora >>>>> ds access and error log for this request? >>>>> >>>>> For a successful startTLS request with ldapsearch, you should see >>>>> something like the following in your fedora ds access log: >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from >>>>> 127.0.0.1 to 127.0.0.1 >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>>>> nentries=0 etime=0 >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 >>>>> version=3 >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>>>> nentries=0 etime=0 dn="" >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>>>> nentries=1 etime=0 >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>> >>>>>> >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> >>>>>>>>>> Jeff Gamsby >>>>>>>>>> Center for X-Ray Optics >>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>> (510) 486-7783 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am >>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert and >>>>>>>>>>>> the CA Cert, can start FDS in SSL mode, but when I run >>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>> Did you follow this - >>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>> I did, but that didn't work for me. The only thing that I did >>>>>>>>>> this time was generate a request from the "Manage >>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in the >>>>>>>>>> Admin console, and restarted the server. >>>>>>>>>> >>>>>>>>>> When I followed the instructions from the link, I couldn't >>>>>>>>>> even get FDS to start in SSL mode. >>>>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>>>> hostname in your server cert, which is the value of the cn >>>>>>>>> attribute in the leftmost RDN in your server cert's subject >>>>>>>>> DN. What is the subject DN of your server cert? You can use >>>>>>>>> certutil -L -n Server-Cert as specified in the Howto:SSL to >>>>>>>>> print your cert. >>>>>>>> >>>>>>>> Sorry. I missed the -P option. >>>>>>>> >>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and >>>>>>>> OpenSSL CA host (ran on same machine) >>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>>>> debugging info. >>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>> Is this the same /path/to/cacert.pem as below? >>>>>>>>>> Yes >>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>> ssl on >>>>>>>>>>>> ssl start_tls >>>>>>>>>>>> >>>>>>>>>>>> If I run >>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>>>>>>> -CAfile /path/to/cacert.pem >>>>>>>>>>>> >>>>>>>>>>>> It looks OK >>>>>>>>>>>> >>>>>>>>>>>> Please help >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> >>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
