Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote: > Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> >>>> Jeff Gamsby >>>> Center for X-Ray Optics >>>> Lawrence Berkeley National Laboratory >>>> (510) 486-7783 >>>> >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> I blew away the server and installed a new one, then I used >>>>>>>>>> the setupssl.sh script to setup SSL. The script completed >>>>>>>>>> successfully, and the server is listening on port 636, but >>>>>>>>>> I'm back to a familiar error: >>>>>>>>>> >>>>>>>>>> ldapsearch -x -ZZ -d -1 >>>>>>>>>> >>>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: >>>>>>>>>> /CN=CAcert, issuer: /CN=CAcert >>>>>>>>>> TLS certificate verification: Error, self signed certificate >>>>>>>>>> in certificate chain >>>>>>>>>> tls_write: want=7, written=7 >>>>>>>>>> 0000: 15 03 01 00 02 02 30 >>>>>>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>>>>> TLS: can't connect. >>>>>>>>>> ldap_perror >>>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>>> additional info: error:14090086:SSL >>>>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>>>>>> >>>>>>>>>> Shouldn't CN=CAcert be cn=fqdn? >>>>>>>>> No, no hostname validation is done on the CA cert, only on the >>>>>>>>> LDAP server cert. >>>>>>>>> >>>>>>>>> Did you configure openldap to use the new CA cert? >>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>>>>>>>> >>>>>>>> >>>>>>>> Yes. >>>>>>>> >>>>>>>> This is what the access log says >>>>>>>> >>>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >>>>>>>> nentries=0 etime=0 >>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection >>>>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >>>>>>>> nentries=0 etime=0 >>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer >>>>>>>> does not recognize and trust the CA that issued your certificate. >>>>>>> >>>>>>> This means that the CA cert that /etc/openldap/ldap.conf is >>>>>>> using is not the cert of the CA that issued the Fedora DS server >>>>>>> cert. >>>>>> OK. I had the old cert in there. >>>>>> >>>>>> I followed the instructions and did a >>>>>> >>>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash >>>>>> -in cacert.asc`.0 >>>>>> >>>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still >>>>>> get the same error >>>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not, >>>>> you need to copy that file in there. I guess the docs are not >>>>> explicit enough - if you use TLS_CACERTDIR, you must have the file >>>>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you >>>>> must have the file /etc/openldap/cacerts/cacert.asc. >>>> >>>> It does exist, and I'm using TLS_CACERT >>>> /etc/openldap/cacerts/cacert.asc >>>> >>>> Same error. >>>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from >>>> 127.0.0.1 to 127.0.0.1 >>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does >>>> not recognize and trust the CA that issued your certificate. >>>> >>>> I also put the same info in /etc/ldap.conf >>> That file is only used by pam_ldap and nss_ldap, so it shouldn't >>> matter. >>>> >>>> Also, here are the certs >>>> >>>> ../shared/bin/certutil -L -P slapd-server- -d . >>>> CA certificate CTu,u,u >>>> server-cert u,u,u >>>> Server-Cert u,u,u >>>> >>>> Does that look right? >>> Try this: >>> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" >>> -a > mycacert.asc >>> >>> diff mycacert.asc /etc/openldap/cacerts/cacert.asc >>> >>> If they are the same, then CA certificate is not the cert of the CA >>> that issued Server-Cert. >> >> They are the same. >> >> I'm not sure that I understand. > I'm not sure I understand what's going on either, but the message > "Peer does not recognize and trust the CA that issued your > certificate." means that ldapsearch did not verify your LDAP server > certificate (Server-Cert). This is usually due to one or both of the > following: > 1) The value of the cn attribute in the leftmost RDN of the subjectDN > in the LDAP server cert is not the fqdn of the LDAP server host, or > the client cannot resolve it. > 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the > CA that issued the LDAP server certificate (Server-Cert) > > I'm not sure which one it is. You might try dumping out the server > certificate (../shared/bin/certutil -L -P slapd-server- -d . -n > "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g. > openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem > > If you get an error, this means that the CA whose cert is > /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server > certificate. I get fdscert.pem: OK >> >>>> >>>>>> >>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection >>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >>>>>> nentries=0 etime=0 >>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer >>>>>> does not recognize and trust the CA that issued your certificate. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> This is all that the errors log says >>>>>>>>> How about the access log? >>>>>>>>>> >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>> cipher AES in backend userRoot, attempting to create one... >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES >>>>>>>>>> successfully generated and stored >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one... >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES >>>>>>>>>> successfully generated and stored >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one... >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES >>>>>>>>>> successfully generated and stored >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create one... >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES >>>>>>>>>> successfully generated and stored >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on >>>>>>>>>> All Interfaces port 389 for LDAP requests >>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces >>>>>>>>>> port 636 for LDAPS requests >>>>>>>>>> >>>>>>>>>> Thanks for your help >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Jeff Gamsby >>>>>>>>>> Center for X-Ray Optics >>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>> (510) 486-7783 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>> OK, now I have a different error. >>>>>>>>>>>> >>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>>>>>> >>>>>>>>>>>> and >>>>>>>>>>>> >>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in >>>>>>>>>>>> ca-cert.pem`.0 >>>>>>>>>>>> >>>>>>>>>>>> Now, I get this error: >>>>>>>>>>>> >>>>>>>>>>>> TLS: can't connect. >>>>>>>>>>>> ldap_perror >>>>>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>>>>>> willing to negotiate SSL. >>>>>>>>>>> What OS and version are you running? RHEL3 >>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>>>>>> directive - you must use the TLS_CACERT directive with the >>>>>>>>>>> full path and filename of the cacert.pem file (e.g. >>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>>>>>> fedora ds access and error log for this request? >>>>>>>>>>> >>>>>>>>>>> For a successful startTLS request with ldapsearch, you >>>>>>>>>>> should see something like the following in your fedora ds >>>>>>>>>>> access log: >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 >>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1 >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT >>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 >>>>>>>>>>> tag=120 nentries=0 etime=0 >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" >>>>>>>>>>> method=128 version=3 >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 >>>>>>>>>>> tag=97 nentries=0 etime=0 dn="" >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH >>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" >>>>>>>>>>> attrs=ALL >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 >>>>>>>>>>> tag=101 nentries=1 etime=0 >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND >>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1 >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Jeff Gamsby >>>>>>>>>>>>>>>> Center for X-Ray Optics >>>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>>>>>>>>>> (510) 486-7783 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Richard Megginson wrote: >>>>>>>>>>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I >>>>>>>>>>>>>>>>>> am using a OpenSSL CA, I have installed the Server >>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but >>>>>>>>>>>>>>>>>> when I run >>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert >>>>>>>>>>>>>>>>>> write:fatal:unknown CA. >>>>>>>>>>>>>>>>> Did you follow this - >>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL >>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that >>>>>>>>>>>>>>>> I did this time was generate a request from the "Manage >>>>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, >>>>>>>>>>>>>>>> and install the Server and CA Certs. Then I turned on >>>>>>>>>>>>>>>> SSL in the Admin console, and restarted the server. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> When I followed the instructions from the link, I >>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode. >>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify >>>>>>>>>>>>>>> the hostname in your server cert, which is the value of >>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server >>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your >>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as >>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Sorry. I missed the -P option. >>>>>>>>>>>>>> >>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- >>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS >>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine) >>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get >>>>>>>>>>>>> some debugging info. >>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in >>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert >>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below? >>>>>>>>>>>>>>>> Yes >>>>>>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> If I run >>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts >>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Please help >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>>> >>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
