Jeff Gamsby wrote:
>> I'm not sure I understand what's going on either, but the message
>> "Peer does not recognize and trust the CA that issued your
>> certificate." means that ldapsearch did not verify your LDAP server
>> certificate (Server-Cert). This is usually due to one or both of the
>> following:
>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>> the client cannot resolve it.
>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>> the CA that issued the LDAP server certificate (Server-Cert)
>>
>> I'm not sure which one it is. You might try dumping out the server
>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>> e.g.
>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>
>> If you get an error, this means that the CA whose cert is
>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>> certificate.
>
> I get fdscert.pem: OK

I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:

../shared/bin/certutil -d . -P slapd-localhost- -L
CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u

>>>
>>>>>
>>>>>>>
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>>>> nentries=0 etime=0
>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> This is all that the error log says
>>>>>>>>>> How about the access log?
>>>>>>>>>>>
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create
>>>>>>>>>>> one...
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on
>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>
>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>
>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>
>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>
>>>>>>>>>>>>> and
>>>>>>>>>>>>>
>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>
>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>> additional info: Start TLS request accepted.Server
>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>
>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>>>> access log:
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>>>> am using an OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing
>>>>>>>>>>>>>>>>> that I did this time was generate a request from the
>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my
>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then
>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted
>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your
>>>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
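A small diagnostic for the trust-flag question raised above, written here as an added example (not code from the thread or from Fedora DS): it parses `certutil -L` output and classifies each entry by its SSL trust field, the field that decides whether NSS will accept server certificates issued by that CA. The samples are constructed from the two entries shown in the thread plus certutil's usual header, and the flag meanings are NSS certutil's documented trust letters.

```python
import re

# Meaning of each NSS trust-flag letter; certutil prints three comma-separated
# fields per certificate: SSL, S/MIME (email) and object signing.
FLAG_MEANING = {"p": "valid peer", "P": "trusted peer", "c": "valid CA",
                "T": "trusted CA for client certs", "C": "trusted CA for server certs",
                "u": "user cert (private key present)", "w": "send warning"}

# One `certutil -L` entry: nickname, whitespace, then the three trust fields.
ENTRY_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")

# Constructed sample: the two entries from the thread plus certutil's usual header.
SAMPLE_OK = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u
"""
# Constructed sample: CA imported as merely 'valid' (c), not trusted to issue server certs.
SAMPLE_BAD = "CA certificate    c,,\nServer-Cert    u,u,u\n"


def parse_certutil_list(text):
    """Map each nickname in `certutil -L` output to its (ssl, email, objsign) trust fields."""
    certs = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header lines and blanks do not carry an x,y,z trust triple
            certs[m.group("nick").rstrip()] = tuple(m.group("trust").split(","))
    return certs


def describe_field(field):
    """Expand one trust field such as 'CTu' into its flag meanings."""
    return [FLAG_MEANING[ch] for ch in field]


def diagnose(text):
    """Classify each entry by its SSL field, the one that matters for LDAPS/startTLS."""
    report = {}
    for nick, (ssl, _email, _objsign) in parse_certutil_list(text).items():
        if "C" in ssl:
            report[nick] = "ca-trusted-for-server-certs"
        elif "c" in ssl or "T" in ssl:
            report[nick] = "ca-present-but-not-trusted-for-server-certs"
        elif "u" in ssl:
            report[nick] = "leaf-cert-with-private-key"
        else:
            report[nick] = "no-ssl-trust"
    return report
```

Run `diagnose()` over the real output of `certutil -d . -P slapd-<instance>- -L` to see at a glance whether the imported CA carries the C flag that `-t "C,C,C"` sets.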