Re: TLS Error -8179

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Title: RE: [389-users] Re: TLS Error -8179

Thanks for the response. I think I've gotten this resolved. My primary problem was lack of understanding of issuer root and intermediate files. I was strictly using the files sent to me by the certificate authority when what appears to be needed is the publicly available intermediate CA file (which neither of my issuers have sent me). Up until now, almost all of my experience with certificates has been over HTTPS, and I've never had to deal with intermediate files to achieve secure connections. The weird thing is that prior to my implementation of the correct file, ldapsearch was showing a good LDAPS connection while restarting dirsrv continuously failed.

 

In response to your question, what was consistently showing the -8179 error was restarting dirsrv. I was getting good LDAPS connections with ldapsearch and openssl s_client -connect <FQDN>:636. Once I imported the intermediate file into the database as ca_cert, then dirsrv showed good TLS connections.

 

-----Original message-----
From: William Brown
Sent: Sunday, February 11 2018, 6:37 pm
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Re: TLS Error -8179
 
Sorry for the very late response, I have been unwell on away from the
computer.

On Tue, 2018-02-06 at 05:34 +0000, Eric Wheeler wrote:
> Greetings,
>  
> I'm a new 389 Directory Server user on an Amazon Linux 1 EC2
> platform. I got the server launched without much issue, but then hit
> a wall when I imported certificates and turned on SSL. Essentially
> I'm getting the error message.
>  
> TLS error -8179: Peer's Certificate issuer is not recognized.

What showed this error? ldapsearch?

Restarting dirsrv showed the error, i.e.

>  
> I'm fairly convinced it's an issue with certificate importation
> and/or configuration because the certificate I'm using is a valid and
> current one. The following commands both resolve successfully.
>  
> ldapsearch -H ldap://<FQDN>:389 -D 'cn=Directory Manager' -W -Z -b
> 'cn=encryption,cn=config' -x -d1
> openssl s_client -connect <FQDN>:636
>  
> The ldapsearch command shows a valid certificate and openssl resolves
> to "Verify return code: 0 (ok)."
>  
> These are authenticating against the pem file at
> /etc/pki/tls/certs/ca-bundle.crt 

You need to configure openldap libs with a CA: check
/etc/openldap/ldap.conf and the TLS_CACERT parameter for a single pem
file to trust as the root, or TLS_CACERTDIR for a hashed directory of
certificates (IE put the .pem files in the CACERTDIR then run "openssl
rehash /path/to/cacertdir")

ldapsearch/ldapwhoami generally takes a -d flag too which can help
debug these issues too.

>  
>  
>  
> In order to get 389 DS over LDAPS working, I followed a combination
> of instructions I found on pages http://directory.fedoraproject.org/d
> ocs/389ds/howto/howto-ssl.html  and http://directory.fedoraproject.or
> g/docs/389ds/FAQ/faq.html.
>  
> Here are my steps.
>  
> 1. Stop dirsrv
>  
> service dirsrv stop
>  
> 2. Reset the database:
>  
> certutil -N -d /etc/dirsrv/slapd-<myinstance>
>  
> 3. Import my CA file
>  
> certutil -A -d /etc/dirsrv/slapd-<myinstance> -n "ca_cert" -t "CT,,"
> -i /etc/pki/tls/certs/ca-bundle.crt -a
>  
> 4. Transfer my pem cert and key files to pkcs12 format for
> importation
>  
> openssl pkcs12 -export -inkey /etc/pki/tls/private/mykey.key -in
> /etc/pki/tls/certs/mycert.crt -out /home/diradmin/mykeycert.p12 -name
> "Server-Cert"
>  
> 5. Use pk12util to import
>  
> pk12util -d /etc/dirsrv/slapd-<myinstance> -n "Server-Cert" -i
> /home/diradmin/mykeycert.p12
>  
> 6. Edit dse.ldif
>  
> Add the following line to the object dn: cn=config.
>      nsslapd-security: on
>  
> The object dn: cn=encryption,cn=config should contain the following
> lines. Remove any of the parameters sslVersionMin, sslVersionMax, and
> nsSSL3Ciphers.
>      dn: cn=encryption,cn=config
>      objectClass: top
>      objectClass: nsEncryptionConfig
>      cn: encryption
>      nsSSLSessionTimeout: 0
>      nsSSLClientAuth: off
>      nsSSL3: off
>     nsSSL2: off
>  
> If it doesn’t exist, add the object dn:
> cn=RSA,cn=encryption,cn=config and give it the following lines. The
> value of nsSSLPersonalitySSL must equal the nickname of the
> certificate file you imported above.
>      dn: cn=RSA,cn=encryption,cn=config
>      objectClass: top
>      objectClass: nsEncryptionModule
>      nsSSLPersonalitySSL: Server-Cert 
>      nsSSLActivation: on
>      nsSSLToken: Internal (Software)
>      cn: RSA
>  
> 7. Create a new file in the main Directory Server directory.
>  
> cd /etc/dirsrv/slapd-<instance name>
> touch pin.txt
> vi pin.txt
>  
> Add the following line to it. The phrase "Internal (Software)" in the
> line below must match the value of the attribute nsSSLToken above.
>  
> Internal (Software) Token:<password of Directory Server database>
>  
> 8. Change the owner and group of pin.txt to the main Directory Server
> user (in my case diradmin) and set permissions to 400
>  
> chown diradmin:diradmin pin.txt
> chmod 400 pin.txt
>  
> 9. Restart the Directory Server
>  
> service dirsrv start
>  
>  
> Based on my admittedly limited understanding of 389 DS, this should
> result in successful LDAPS connections, but it doesn't. Restarting
> dirsrv results in "TLS error -8179: Peer's Certificate issuer is not
> recognized."
>  
> So, either I'm importing the wrong certificates or something about
> my importation process is flawed.
>  
> Oh and by the way, I tried a different approach and started with a
> certificate signing request using certutil with the intention of
> requesting a new certificate. However certutil will not show me the
> public key for the csr, only the request. So, it seems I'm stuck.
> Anyone have any ideas?
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o
> rg
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux