Re: SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Further information using ldapsearch that substantiates the log file.

 

[root@xxx ~]# ldapsearch -x -ZZ serverxxx.com

ldap_start_tls: Connect error (-11)

        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

 

From: Andy [mailto:racingyacht1@xxxxxxxxx]
Sent: 18 April 2014 01:40
To: 'General discussion list for the 389 Directory server project.'
Subject: RE: SSL

 

I have done a system check and the SSL certificate has a problem. Error log:

[18/Apr/2014:01:33:53 +0100] conn=40 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"

[18/Apr/2014:01:33:53 +0100] conn=40 op=0 RESULT err=0 tag=120 nentries=0 etime=0

[18/Apr/2014:01:33:53 +0100] conn=40 op=-1 fd=70 closed - Peer does not recognize and trust the CA that issued your certificate.

From: Andy [mailto:racingyacht1@xxxxxxxxx]
Sent: 18 April 2014 00:40
To: 'General discussion list for the 389 Directory server project.'
Subject: RE: SSL

 

Hi Justin,

Thanks for the prompt advice.

 

Replication is now working between Master and a single consumer. Thanks for your help.

I will continue to do a full test.

 

Best regards

 

 

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Justin Edmands
Sent: 17 April 2014 20:55
To: General discussion list for the 389 Directory server project.
Subject: Re: SSL

 

I am having an issue with securing Directory Server communication using SSL which I need guidance on how to solve. I am setting up a master and slave which will use SSL to secure communication between the two servers and to all other clients.

 

I used openssl to create a CA cert and sign the Manager server certificate as follows:

-          CA cert created by  openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650

-          Manager server csr signed - openssl ca -config openssl.cnf -policy policy_anything -out certs/xxx.crt -infiles xxx.csr

-          Checked both certs using before installing on Manager

-          Both certs were installed using root.

-          Enabled encryption via the console and restarted dirsrv. Note coms remain of port 389 after the reboot. E.g. xxx.com:389

-           

o   certutil -L -d . output show that both a CA cert and server cert are installed as follows:

server-cert                                                  u,u,u

xxxx-ca.crt                                                  CT,,

-          I checked that the server is listening on port 636. Logs also confirmed that the Manager is listening on port 636

-          I tested that the Manager can receive connection on port 636, by connecting using telnet from another server – telnet <server name> 636. The connect was also visible on netstat output.

-          I can’t see any errors in /var/log/dirsrv/slpad-<server>/errors 

Can you help so that I can setup secure communication correctly?

Kind regards

Andy

1 - Do you have a replication agreement setup?

1a - In your replication agreement did you specify the Replication Manager account with correct password? (mine is cn=Replication Manager,cn=config)?

2 - Did you make sure you specify the "Supplier" as coming from port 389 and the "Consumer" using port 636?

2a - Did you select the following for the Connection:

"Use TLS/SSL (TLS/SSL Encryption with LDAPS)"

"Simple (Bind DN/Password)"

Bind as: cn=Replication Manager(or whatever you have),cn=config

Password: (password)

 

Note: To check for Replication Manager account, browse to Directory Tab. Click config. Replication Manager will appear. Edit password here. This needs to exist on both directory servers.

3. Did you assign them different unique IDs when creating the client certificates? Note the "m" option.

certutil -S -n "Server-Cert-dirsrv2-hq" -s "cn=dirsrv2.example.com,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -z noise.txt -f pwdfile.txt
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux