Jeff Gamsby wrote: > > Jeff Gamsby > Center for X-Ray Optics > Lawrence Berkeley National Laboratory > (510) 486-7783 > > > > Richard Megginson wrote: >> Jeff Gamsby wrote: >>> >>> Jeff Gamsby >>> Center for X-Ray Optics >>> Lawrence Berkeley National Laboratory >>> (510) 486-7783 >>> >>> >>> >>> Richard Megginson wrote: >>>> Jeff Gamsby wrote: >>>>> >>>>> Jeff Gamsby >>>>> Center for X-Ray Optics >>>>> Lawrence Berkeley National Laboratory >>>>> (510) 486-7783 >>>>> >>>>> >>>>> >>>>> Richard Megginson wrote: >>>>>> Jeff Gamsby wrote: >>>>>>> I blew away the server and installed a new one, then I used the >>>>>>> setupssl.sh script to setup SSL. The script completed >>>>>>> successfully, and the server is listening on port 636, but I'm >>>>>>> back to a familiar error: >>>>>>> >>>>>>> ldapsearch -x -ZZ -d -1 >>>>>>> >>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>>>>> TLS certificate verification: depth: 1, err: 19, subject: >>>>>>> /CN=CAcert, issuer: /CN=CAcert >>>>>>> TLS certificate verification: Error, self signed certificate in >>>>>>> certificate chain >>>>>>> tls_write: want=7, written=7 >>>>>>> 0000: 15 03 01 00 02 02 30 >>>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>> TLS: can't connect. >>>>>>> ldap_perror >>>>>>> ldap_start_tls: Connect error (-11) >>>>>>> additional info: error:14090086:SSL >>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>>> >>>>>>> Shouldn't CN=CAcert be cn=fqdn? >>>>>> No, no hostname validation is done on the CA cert, only on the >>>>>> LDAP server cert. >>>>>> >>>>>> Did you configure openldap to use the new CA cert? >>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>>>>> >>>>> >>>>> Yes. >>>>> >>>>> This is what the access log says >>>>> >>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection >>>>> from 127.0.0.1 to 127.0.0.1 >>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >>>>> nentries=0 etime=0 >>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer >>>>> does not recognize and trust the CA that issued your certificate. >>>> >>>> This means that the CA cert that /etc/openldap/ldap.conf is using >>>> is not the cert of the CA that issued the Fedora DS server cert. >>> OK. I had the old cert in there. >>> >>> I followed the instructions and did a >>> >>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in >>> cacert.asc`.0 >>> >>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get >>> the same error >> But does the file /etc/openldap/cacerts/cacert.asc exist? If not, >> you need to copy that file in there. I guess the docs are not >> explicit enough - if you use TLS_CACERTDIR, you must have the file >> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you must >> have the file /etc/openldap/cacerts/cacert.asc. > > It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc > > Same error. > [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from > 127.0.0.1 to 127.0.0.1 > [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT > oid="1.3.6.1.4.1.1466.20037" name="startTLS" > [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 > nentries=0 etime=0 > [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does > not recognize and trust the CA that issued your certificate. > > I also put the same info in /etc/ldap.conf That file is only used by pam_ldap and nss_ldap, so it shouldn't matter. > > Also, here are the certs > > ../shared/bin/certutil -L -P slapd-server- -d . > CA certificate CTu,u,u > server-cert u,u,u > Server-Cert u,u,u > > Does that look right? Try this: ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc diff mycacert.asc /etc/openldap/cacerts/cacert.asc If they are the same, then CA certificate is not the cert of the CA that issued Server-Cert. > >>> >>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from >>> 127.0.0.1 to 127.0.0.1 >>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does >>> not recognize and trust the CA that issued your certificate. >>> >>> >>> >>> >>>>>> >>>>>>> >>>>>>> This is all that the errors log says >>>>>> How about the access log? >>>>>>> >>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>>> AES in backend userRoot, attempting to create one... >>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>>> generated and stored >>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>>> 3DES in backend userRoot, attempting to create one... >>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>>> generated and stored >>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>>> AES in backend NetscapeRoot, attempting to create one... >>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>>> generated and stored >>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher >>>>>>> 3DES in backend NetscapeRoot, attempting to create one... >>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>>> generated and stored >>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >>>>>>> Interfaces port 389 for LDAP requests >>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port >>>>>>> 636 for LDAPS requests >>>>>>> >>>>>>> Thanks for your help >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Jeff Gamsby >>>>>>> Center for X-Ray Optics >>>>>>> Lawrence Berkeley National Laboratory >>>>>>> (510) 486-7783 >>>>>>> >>>>>>> >>>>>>> >>>>>>> Richard Megginson wrote: >>>>>>>> Jeff Gamsby wrote: >>>>>>>>> OK, now I have a different error. >>>>>>>>> >>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>>> >>>>>>>>> and >>>>>>>>> >>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>>>>>>> >>>>>>>>> Now, I get this error: >>>>>>>>> >>>>>>>>> TLS: can't connect. >>>>>>>>> ldap_perror >>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>>> willing to negotiate SSL. >>>>>>>> What OS and version are you running? RHEL3 >>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>>> directive - you must use the TLS_CACERT directive with the full >>>>>>>> path and filename of the cacert.pem file (e.g. >>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>>> fedora ds access and error log for this request? >>>>>>>> >>>>>>>> For a successful startTLS request with ldapsearch, you should >>>>>>>> see something like the following in your fedora ds access log: >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection >>>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>>>>>>> nentries=0 etime=0 >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 >>>>>>>> version=3 >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>>>>>>> nentries=0 etime=0 dn="" >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" >>>>>>>> attrs=ALL >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Jeff Gamsby >>>>>>>>> Center for X-Ray Optics >>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>> (510) 486-7783 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Richard Megginson wrote: >>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>> >>>>>>>>>>> Jeff Gamsby >>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>> (510) 486-7783 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am >>>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert and >>>>>>>>>>>>>>> the CA Cert, can start FDS in SSL mode, but when I run >>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I >>>>>>>>>>>>> did this time was generate a request from the "Manage >>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in >>>>>>>>>>>>> the Admin console, and restarted the server. >>>>>>>>>>>>> >>>>>>>>>>>>> When I followed the instructions from the link, I couldn't >>>>>>>>>>>>> even get FDS to start in SSL mode. >>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>>>>>>> hostname in your server cert, which is the value of the cn >>>>>>>>>>>> attribute in the leftmost RDN in your server cert's subject >>>>>>>>>>>> DN. What is the subject DN of your server cert? You can >>>>>>>>>>>> use certutil -L -n Server-Cert as specified in the >>>>>>>>>>>> Howto:SSL to print your cert. >>>>>>>>>>> >>>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>>> >>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and >>>>>>>>>>> OpenSSL CA host (ran on same machine) >>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>>>>>>> debugging info. >>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? >>>>>>>>>>>>> Yes >>>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> If I run >>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts >>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Please help >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>> >>>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>> >>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> ------------------------------------------------------------------------ >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060602/9ea3c66c/attachment.bin
