Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> >>>> Jeff Gamsby >>>> Center for X-Ray Optics >>>> Lawrence Berkeley National Laboratory >>>> (510) 486-7783 >>>> >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> I blew away the server and installed a new one, then I used the >>>>>> setupssl.sh script to setup SSL. The script completed >>>>>> successfully, and the server is listening on port 636, but I'm >>>>>> back to a familiar error: >>>>>> >>>>>> ldapsearch -x -ZZ -d -1 >>>>>> >>>>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>>>> TLS certificate verification: depth: 1, err: 19, subject: >>>>>> /CN=CAcert, issuer: /CN=CAcert >>>>>> TLS certificate verification: Error, self signed certificate in >>>>>> certificate chain >>>>>> tls_write: want=7, written=7 >>>>>> 0000: 15 03 01 00 02 02 30 >>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>> TLS: can't connect. >>>>>> ldap_perror >>>>>> ldap_start_tls: Connect error (-11) >>>>>> additional info: error:14090086:SSL >>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>> >>>>>> Shouldn't CN=CAcert be cn=fqdn? >>>>> No, no hostname validation is done on the CA cert, only on the >>>>> LDAP server cert. >>>>> >>>>> Did you configure openldap to use the new CA cert? >>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>>>> >>>> >>>> Yes. >>>> >>>> This is what the access log says >>>> >>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from >>>> 127.0.0.1 to 127.0.0.1 >>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer >>>> does not recognize and trust the CA that issued your certificate. >>> >>> This means that the CA cert that /etc/openldap/ldap.conf is using is >>> not the cert of the CA that issued the Fedora DS server cert. >> OK. I had the old cert in there. >> >> I followed the instructions and did a >> >> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in >> cacert.asc`.0 >> >> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get >> the same error > But does the file /etc/openldap/cacerts/cacert.asc exist? If not, you > need to copy that file in there. I guess the docs are not explicit > enough - if you use TLS_CACERTDIR, you must have the file <hash>.0 in > the cacerts directory. If you use TLS_CACERT, you must have the file > /etc/openldap/cacerts/cacert.asc. It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc Same error. [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate. I also put the same info in /etc/ldap.conf Also, here are the certs ../shared/bin/certutil -L -P slapd-server- -d . CA certificate CTu,u,u server-cert u,u,u Server-Cert u,u,u Does that look right? >> >> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from >> 127.0.0.1 to 127.0.0.1 >> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does >> not recognize and trust the CA that issued your certificate. >> >> >> >> >>>>> >>>>>> >>>>>> This is all that the errors log says >>>>> How about the access log? >>>>>> >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> AES in backend userRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> 3DES in backend userRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> AES in backend NetscapeRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>> 3DES in backend NetscapeRoot, attempting to create one... >>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>> generated and stored >>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >>>>>> Interfaces port 389 for LDAP requests >>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port >>>>>> 636 for LDAPS requests >>>>>> >>>>>> Thanks for your help >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> OK, now I have a different error. >>>>>>>> >>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>> >>>>>>>> and >>>>>>>> >>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>>>>>> >>>>>>>> Now, I get this error: >>>>>>>> >>>>>>>> TLS: can't connect. >>>>>>>> ldap_perror >>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>> willing to negotiate SSL. >>>>>>> What OS and version are you running? RHEL3 >>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>> directive - you must use the TLS_CACERT directive with the full >>>>>>> path and filename of the cacert.pem file (e.g. >>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>> fedora ds access and error log for this request? >>>>>>> >>>>>>> For a successful startTLS request with ldapsearch, you should >>>>>>> see something like the following in your fedora ds access log: >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection >>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>>>>>> nentries=0 etime=0 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 >>>>>>> version=3 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>>>>>> nentries=0 etime=0 dn="" >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>>>>>> nentries=1 etime=0 >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> >>>>>>>>>> Jeff Gamsby >>>>>>>>>> Center for X-Ray Optics >>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>> (510) 486-7783 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>> >>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am >>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert and >>>>>>>>>>>>>> the CA Cert, can start FDS in SSL mode, but when I run >>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>> I did, but that didn't work for me. The only thing that I >>>>>>>>>>>> did this time was generate a request from the "Manage >>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in >>>>>>>>>>>> the Admin console, and restarted the server. >>>>>>>>>>>> >>>>>>>>>>>> When I followed the instructions from the link, I couldn't >>>>>>>>>>>> even get FDS to start in SSL mode. >>>>>>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>>>>>> hostname in your server cert, which is the value of the cn >>>>>>>>>>> attribute in the leftmost RDN in your server cert's subject >>>>>>>>>>> DN. What is the subject DN of your server cert? You can >>>>>>>>>>> use certutil -L -n Server-Cert as specified in the Howto:SSL >>>>>>>>>>> to print your cert. >>>>>>>>>> >>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>> >>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and >>>>>>>>>> OpenSSL CA host (ran on same machine) >>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>>>>>> debugging info. >>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? >>>>>>>>>>>> Yes >>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>> >>>>>>>>>>>>>> If I run >>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>>>>>>>>> -CAfile /path/to/cacert.pem >>>>>>>>>>>>>> >>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>> >>>>>>>>>>>>>> Please help >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>> >>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
