What version of openldap is on your system? There is a known issue
fixed in openldap-2.4.23-31 and up.
Can you do an ldapsearch from one system to the other?
ldapsearch -ZZ -xLLL -h HOST -p PORT -b "" -s base
Then check the DS access and errors logs. There should be more
info there about the failure.
I just set up self-signed certs on an F28 and everything works for me
(with host name checking set to "on").
-------------------------------------------------------------------------
[root@ibm-ls22-04 slapd-localhost]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  u,u,Pu
--------------------------------------------------------------------------
Can you run "certutil -L" on your cert db? Do your trust attrs
match mine?
Maybe your cert is missing the basic constraints extension (See my
CA cert for an example)?
Here is my info:
Server Cert:
========================================
# certutil -d /etc/dirsrv/slapd-HOST -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1001 (0x3e9)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CAcert"
        Validity:
            Not Before: Tue Jun 05 11:19:13 2018
            Not After : Mon Jun 05 11:19:13 2028
        Subject: "CN=ibm-ls22-04.rhts.eng.brq.redhat.com,OU=389 Directory Server"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
        D9:DB:31:8F:A7:57:03:8F:28:9D:53:C1:32:AE:28:B3:02:F5:CE:E7:72:62:A8:BF:DD:92:39:A9:FD:98:05:C0
    Fingerprint (SHA1):
        85:C4:0B:3F:FC:A3:57:FB:90:D5:BE:B7:E5:8A:9A:B6:48:CB:63:4C

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            Terminal Record
            Trusted
            User
CA Cert:
=========================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CAcert"
        Validity:
            Not Before: Tue Jun 05 11:19:12 2018
            Not After : Mon Jun 05 11:19:12 2028
        Subject: "CN=CAcert"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
        96:63:89:07:30:CF:27:6F:E9:42:F7:AC:B8:71:47:12:74:52:D8:37:4D:9C:66:22:D1:2A:E3:FF:C6:89:2A:75
    Fingerprint (SHA1):
        7D:43:C9:FA:E4:53:18:D7:5B:F6:11:76:D9:04:A1:E2:AA:62:FA:4F

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User
I see your hostname is set as an alternative subject DN, but I don't
see a "main" subject in the cert you provided. Run the certutil
commands like I did above and let's see what is different or missing.
HTH,
Mark
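Added example, not part of Mark's reply or of the 389 DS project: a small Python parser for the `certutil -L` listing he asks the poster to compare against, which checks that the CA entry carries C or T in its SSL trust group and that the server entry carries u (private key present). The sample listing is constructed to match the trust attributes in his output; the nicknames "CA certificate" and "Server-Cert" are taken from it and are parameters you can change.

```python
import re

# Meaning of the NSS trust-flag letters that certutil -L prints (see certutil(1)).
FLAG_MEANING = {
    "p": "valid peer", "P": "trusted peer", "c": "valid CA",
    "C": "trusted CA", "T": "trusted client CA", "u": "user cert (private key present)",
}

# Constructed sample shaped like 'certutil -d /etc/dirsrv/slapd-HOST -L' output and
# matching the trust attributes in the post above; not a capture from a real server.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,Cu,Cu
Server-Cert                                                  u,u,Pu
"""

# One table row: nickname, two or more spaces, then three comma-separated flag groups.
_ROW = re.compile(r"^(\S.*?)\s{2,}([pPcCTu]*),([pPcCTu]*),([pPcCTu]*)\s*$")

def parse_certutil_list(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:  # header lines carry no 'x,y,z' flag triple, so they are skipped
            certs[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return certs

def describe(flags):
    """Expand one flag group such as 'CTu' into its certutil(1) meanings."""
    return [FLAG_MEANING.get(ch, "unknown flag " + ch) for ch in flags]

def check_trust(certs, ca_nick="CA certificate", server_nick="Server-Cert"):
    """Report what a 389 DS cert db lacks for TLS: a trusted CA (C or T in the SSL
    group) and a server cert that carries its private key (u in the SSL group)."""
    problems = []
    ca = certs.get(ca_nick)
    if ca is None:
        problems.append("no certificate nicknamed %r in the db" % ca_nick)
    elif not set("CT") & set(ca[0]):
        problems.append("%r: SSL flags %r lack C/T, not a trusted CA" % (ca_nick, ca[0]))
    srv = certs.get(server_nick)
    if srv is None:
        problems.append("no certificate nicknamed %r in the db" % server_nick)
    elif "u" not in srv[0]:
        problems.append("%r: SSL flags %r lack u, no private key" % (server_nick, srv[0]))
    return problems
```

Feed it the real listing with `parse_certutil_list(subprocess.check_output(["certutil", "-d", "/etc/dirsrv/slapd-HOST", "-L"], text=True))` and an empty problem list means the trust attributes match the ones in the post.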