> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>> I'm not sure I understand what's going on either, but the message
>>>> "Peer does not recognize and trust the CA that issued your
>>>> certificate." means that ldapsearch did not verify your LDAP server
>>>> certificate (Server-Cert). This is usually due to one or both of the
>>>> following:
>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>>> the client cannot resolve it.
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is. You might try dumping out the server
>>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>>> e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is
>>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>>> certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags? This
>> is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate                                   CTu,u,u
>> Server-Cert                                      u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
> certutil: certificate is valid
>
> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
> eliminate the OpenSSL certificate so we can help see where the problem
> is. You can have it use the same cert database as the server and that
> should help confirm that the CA and Server certificates are ok. If that
> works then it's likely something with your OpenSSL config that is the
> problem.
>
> rob
>

Rob,

This is what I did.
FC4
installed fds 1.0.2
system has real hostname and name resolves

ran this script

$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=server.xxx.xxx" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
ln -s slapd-server-cert8.db cert8.db
chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
cp cacert.pem /etc/openldap/cacerts/

restarted FDS
turned on ssl mode in admin console in "Configuration -> Encryption"
Used Server-Cert certificate
restarted FDS

ran

# ../shared/bin/ldapsearch -Z -p 636 -b "" -s base "(objectclass=*)" -v
ldapsearch: started Sun Jun  4 12:48:46 2006
ldap_init( localhost, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
filter pattern: (objectclass=*)
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
objectClass: top
namingContexts: dc=server,dc=xxx,dc=xxx
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Fedora Project
vendorVersion: Fedora-Directory/1.0.2 B2006.060.1951
dataversion: 020060604194005020060604194005
netscapemdsuffix: cn=ldap://dc=server,dc=xxx,dc=xxx,dc=xxx:389

1 matches

Access log says:

[04/Jun/2006:12:50:35 -0700] conn=42 fd=69 slot=69 SSL connection from 127.0.0.1 to 127.0.0.1
[04/Jun/2006:12:50:35 -0700] conn=42 SSL 128-bit RC4
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 UNBIND
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 fd=69 closed - U1

OK right?

Now run ldapsearch -x -Hldaps://localhost

# ldapsearch -x -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>>>>>>>>>
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>>>>
>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on
>>>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
>>>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in
>>>>>>>>>>>>>>> ca-cert.pem`.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>>         additional info: Start TLS request accepted.Server
>>>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>>>>>> access log:
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
>>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
>>>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
>>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
>>>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>>>>>> am using an OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing
>>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the
>>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my
>>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then
>>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted
>>>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your
>>>>>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks
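As an added example (not code from the thread or from Fedora DS), the shell script below reproduces the two checks Rich lists above for the "Peer does not recognize and trust the CA" / "unknown CA" failure: whether the file named by TLS_CACERT really issued the server certificate, and whether the leftmost CN of the server certificate is the host the client connects to. The certificates are constructed on the fly with openssl; CAcert, OtherCA, server.example.test and the file names are placeholders rather than values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the two checks Rich lists for
# "Peer does not recognize and trust the CA": (1) does the CA file named by
# TLS_CACERT chain to the server cert, (2) is the server cert's leftmost CN the
# host the client connects to. All certificates below are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-ins for "CA certificate" and "Server-Cert" (CN is a
# placeholder FQDN), plus an unrelated CA to show a wrong TLS_CACERT file.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=CAcert \
    -keyout ca.key -out cacert.pem >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj /CN=server.example.test \
    -keyout server.key -out server.csr >/dev/null 2>&1
  openssl x509 -req -days 1 -in server.csr -CA cacert.pem -CAkey ca.key \
    -set_serial 1001 -out fdscert.pem >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=OtherCA \
    -keyout other.key -out othercacert.pem >/dev/null 2>&1
}

# check_server_cert CAFILE CERTFILE FQDN
# 0 = both checks pass; 1 = CAFILE did not issue CERTFILE (the client reports
# "unknown CA" / "self signed certificate in certificate chain");
# 2 = chain is fine but the leftmost CN is not FQDN (hostname check fails).
check_server_cert() {
  cafile=$1; certfile=$2; fqdn=$3
  # Test for the "<file>: OK" line rather than the exit code: old OpenSSL
  # releases exit 0 from "verify" even when verification fails.
  if ! openssl verify -CAfile "$cafile" "$certfile" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: $cafile did not issue $certfile"
    return 1
  fi
  # RFC 2253 order prints the leftmost RDN first; only a leading CN= counts,
  # mirroring how the client takes the CN of the leftmost RDN as the hostname.
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$certfile" \
       | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$fqdn" ]; then
    echo "FAIL: subject CN '$cn' does not match host '$fqdn'"
    return 2
  fi
  echo "OK: $certfile chains to $cafile and CN matches $fqdn"
}

make_certs
check_server_cert cacert.pem fdscert.pem server.example.test
check_server_cert othercacert.pem fdscert.pem server.example.test || true
check_server_cert cacert.pem fdscert.pem localhost || true  # cf. ldaps://localhost
```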