Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> >>>> Jeff Gamsby >>>> Center for X-Ray Optics >>>> Lawrence Berkeley National Laboratory >>>> (510) 486-7783 >>>> >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> I blew away the server and installed a new one, then I used the >>>>>>>> setupssl.sh script to setup SSL. The script completed >>>>>>>> successfully, and the server is listening on port 636, but I'm >>>>>>>> back to a familiar error: >>>>>>>> >>>>>>>> ldapsearch -x -ZZ -d -1 >>>>>>>> >>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: >>>>>>>> /CN=CAcert, issuer: /CN=CAcert >>>>>>>> TLS certificate verification: Error, self signed certificate in >>>>>>>> certificate chain >>>>>>>> tls_write: want=7, written=7 >>>>>>>> 0000: 15 03 01 00 02 02 30 >>>>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>>> TLS: can't connect. >>>>>>>> ldap_perror >>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>> additional info: error:14090086:SSL >>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>>>> >>>>>>>> Shouldn't CN=CAcert be cn=fqdn? >>>>>>> No, no hostname validation is done on the CA cert, only on the >>>>>>> LDAP server cert. >>>>>>> >>>>>>> Did you configure openldap to use the new CA cert? >>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>>>>>> >>>>>> >>>>>> Yes. >>>>>> >>>>>> This is what the access log says >>>>>> >>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >>>>>> nentries=0 etime=0 >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection >>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >>>>>> nentries=0 etime=0 >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer >>>>>> does not recognize and trust the CA that issued your certificate. >>>>> >>>>> This means that the CA cert that /etc/openldap/ldap.conf is using >>>>> is not the cert of the CA that issued the Fedora DS server cert. >>>> OK. I had the old cert in there. >>>> >>>> I followed the instructions and did a >>>> >>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in >>>> cacert.asc`.0 >>>> >>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get >>>> the same error >>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not, >>> you need to copy that file in there. I guess the docs are not >>> explicit enough - if you use TLS_CACERTDIR, you must have the file >>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you must >>> have the file /etc/openldap/cacerts/cacert.asc. >> >> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc >> >> Same error. >> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from >> 127.0.0.1 to 127.0.0.1 >> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does >> not recognize and trust the CA that issued your certificate. >> >> I also put the same info in /etc/ldap.conf > That file is only used by pam_ldap and nss_ldap, so it shouldn't matter. >> >> Also, here are the certs >> >> ../shared/bin/certutil -L -P slapd-server- -d . >> CA certificate CTu,u,u >> server-cert u,u,u >> Server-Cert u,u,u >> >> Does that look right? > Try this: > ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > > mycacert.asc > > diff mycacert.asc /etc/openldap/cacerts/cacert.asc > > If they are the same, then CA certificate is not the cert of the CA > that issued Server-Cert. They are the same. I'm not sure that I understand. >> >>>> >>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from >>>> 127.0.0.1 to 127.0.0.1 >>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does >>>> not recognize and trust the CA that issued your certificate. >>>> >>>> >>>> >>>> >>>>>>> >>>>>>>> >>>>>>>> This is all that the errors log says >>>>>>> How about the access log? >>>>>>>> >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher AES in backend userRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher 3DES in backend userRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >>>>>>>> Interfaces port 389 for LDAP requests >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port >>>>>>>> 636 for LDAPS requests >>>>>>>> >>>>>>>> Thanks for your help >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> OK, now I have a different error. >>>>>>>>>> >>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>>>> >>>>>>>>>> and >>>>>>>>>> >>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>>>>>>>> >>>>>>>>>> Now, I get this error: >>>>>>>>>> >>>>>>>>>> TLS: can't connect. >>>>>>>>>> ldap_perror >>>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>>>> willing to negotiate SSL. >>>>>>>>> What OS and version are you running? RHEL3 >>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>>>> directive - you must use the TLS_CACERT directive with the >>>>>>>>> full path and filename of the cacert.pem file (e.g. >>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>>>> fedora ds access and error log for this request? >>>>>>>>> >>>>>>>>> For a successful startTLS request with ldapsearch, you should >>>>>>>>> see something like the following in your fedora ds access log: >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection >>>>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 >>>>>>>>> nentries=0 etime=0 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" >>>>>>>>> method=128 version=3 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 >>>>>>>>> nentries=0 etime=0 dn="" >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" >>>>>>>>> attrs=ALL >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Jeff Gamsby >>>>>>>>>> Center for X-Ray Optics >>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>> (510) 486-7783 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>> >>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am >>>>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert >>>>>>>>>>>>>>>> and the CA Cert, can start FDS in SSL mode, but when I run >>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I >>>>>>>>>>>>>> did this time was generate a request from the "Manage >>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and >>>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in >>>>>>>>>>>>>> the Admin console, and restarted the server. >>>>>>>>>>>>>> >>>>>>>>>>>>>> When I followed the instructions from the link, I >>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode. >>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the >>>>>>>>>>>>> hostname in your server cert, which is the value of the cn >>>>>>>>>>>>> attribute in the leftmost RDN in your server cert's >>>>>>>>>>>>> subject DN. What is the subject DN of your server cert? >>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the >>>>>>>>>>>>> Howto:SSL to print your cert. >>>>>>>>>>>> >>>>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>>>> >>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n >>>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and >>>>>>>>>>>> OpenSSL CA host (ran on same machine) >>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some >>>>>>>>>>> debugging info. >>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? >>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> If I run >>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts >>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Please help >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>> >>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
