Re: Peer's certificate issuer has been marked as not trusted by the user

Believe that you may need the "T" trust setting on the CA certificate too:

certutil
-t trustargs
           Specify the trust attributes to modify in an existing certificate
           or to apply to a certificate when creating it or adding it to a
           database. There are three available trust categories for each
           certificate, expressed in the order SSL, email, object signing for
           each trust setting. In each category position, use none, any, or
           all of the attribute codes:

           ·   p - Valid peer

           ·   P - Trusted peer (implies p)

           ·   c - Valid CA

           ·   C - Trusted CA (implies c)

           ·   T - trusted CA for client authentication (ssl server only)

Steve Vandenburgh
LDAP Directory Services/Identity Management
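As an added illustration of Steve's point (not code from the thread or from 389-DS), the snippet below parses a `certutil -L` listing, flags a CA that carries `C` but not `T` in the SSL column, and prints the `certutil -M` invocation that adds the flag. The listing is a constructed sample modelled on Eli's output; `-d .` assumes it is run from the instance's NSS directory.

```shell
#!/bin/sh
# Added example: detect an NSS CA entry trusted for SSL server (C) but not for
# client authentication (T), then print the trust-modification command.

# Constructed sample, modelled on the `certutil -L -d .` output in the thread.
LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,'

# ssl_flags LISTING NICKNAME -> prints the SSL-column trust flags of NICKNAME
# (empty if the nickname is not in the listing)
ssl_flags() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { split($2, f, ","); print f[1] }'
}

# needs_t_flag LISTING NICKNAME -> exit 0 when the entry is a trusted CA (C)
# without the T flag, i.e. exactly the state of ca_cert in Eli's listing;
# exit 1 when T is already present, or the entry is not a CA / not found
needs_t_flag() {
    flags=$(ssl_flags "$1" "$2")
    case "$flags" in
        *T*) return 1 ;;   # already trusted for client auth
        *C*) return 0 ;;   # trusted CA, T missing
        *)   return 1 ;;   # leaf cert (u), untrusted, or absent
    esac
}

# fix_command NICKNAME -> the certutil call that sets "CT,," on the CA entry
fix_command() {
    printf 'certutil -M -d . -n %s -t "CT,,"\n' "$1"
}

if needs_t_flag "$LISTING" ca_cert; then
    echo "ca_cert is trusted for SSL server (C) but not client auth (T); run:"
    fix_command ca_cert
fi
```

After modifying the trust flags, rerun `certutil -L -d .` and confirm the CA row reads `CT,,` before retrying the client connection.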

-----Original Message-----
From: Eli <elish266@xxxxxxxxx>
Sent: Tuesday, April 2, 2019 11:41 AM
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [389-users] Peer's certificate issuer has been marked as not trusted by the user

Hello,

I am trying to set up a mutual-TLS-authenticated 389-DS LDAP server, where the client and the server will perform certificate-based authentication.
This should be a test system and not a production system.

I have a Windows CA that signed the LDAP server certificate and the client certificate (.p12). The server has the CA root and its own cert loaded:
[root@ldap2sit slapd-ldap2sit]# certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      90f72656c6c26fad75fbc5787105197301d76bab   Server-Cert
[root@ldap2sit slapd-ldap2sit]#
[root@ldap2sit slapd-ldap2sit]#
[root@ldap2sit slapd-ldap2sit]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,


I have a client defined in the LDAP:
uid=a47886b9fffc , cn=a47886b9fffc , o=Avaya , l=Holon, mail=eshmulen@xxxxxxxxx

The certificate I have on the client is:
Issued to: a47886b9fffc
Issued by: sititcdc  (which is the same CA that signed the server certificate, and whose root is loaded on the server)
Issuer: cn=sititcdc,dc=sititc,dc=dom
Subject: e=eshmulen@xxxxxxxxx, cn=a47886b9fffc, ou=SIT, o=Avaya, L=Holon, S=Israel, C=IL

My /etc/dirsrv/ldap2sit/certmap.conf:
certmap ldap2sit        o=Avaya,l=Holon
ldap2sit:DNComps
ldap2sit:FilterComps    cn
ldap2sit:verifycert     on

When trying to connect I get a connection failure with the following entries in /var/log/dirsrv/.../error:
[02/Apr/2019:20:33:11.096582067 +0300] conn=5 fd=64 slot=64 SSL connection from 149.49.161.10 to 149.49.78.110
[02/Apr/2019:20:33:11.139068683 +0300] conn=5 Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.); unauthenticated client E=eshmulen@xxxxxxxxx,CN=a47886b9fffc,OU=SIT,O=Avaya,L=Holon,ST=Israel,C=IL; issuer CN=sititcdc,DC=sititc,DC=dom
[02/Apr/2019:20:33:11.139131964 +0300] conn=5 op=-1 fd=64 closed - Peer's certificate issuer has been marked as not trusted by the user.

In the Wireshark trace I see the server closing the TCP/TLS connection with an alert (Level: Fatal, Description: Unknown CA).

Can you tell me what I am doing wrong here?

Thanks,
Eli
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx