Hello, currently I am a bit stuck with getting 389 Server working and would appreciate any help... I have followed https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html and a guide to import certificates and keys from letsencrypt, which seems to work accordingly. But whenever I make a secure connection, I get the error above, i.e. using dsidm:

obel1x:/ # dsidm -v ldaps://obel1x.de:636 -b 'dc=obel1x,dc=de' -D 'cn=Directory Manager' client_config sssd.conf server_admins
DEBUG: The 389 Directory Server Identity Manager
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: ['obel1x']
DEBUG: dsrc no such section: slapd-ldaps://obel1x.de:636
DEBUG: Called with: Namespace(allowed_group='server_admins', basedn='dc=obel1x,dc=de', binddn='cn=Directory Manager', bindpw=None, func=<function sssd_conf at 0x7fbd8cd3a6a8>, instance='ldaps://obel1x.de:636', json=False, prompt=False, pwdfile=None, starttls=False, verbose=True)
DEBUG: Instance details: {'uri': 'ldaps://obel1x.de:636', 'basedn': 'dc=obel1x,dc=de', 'binddn': 'cn=Directory Manager', 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'ldaps://obel1x.de:636', 'root-dn': 'cn=Directory Manager'}}
DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
Enter password for cn=Directory Manager on ldaps://obel1x.de:636:
DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: open(): Connecting to uri ldaps://obel1x.de:636
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: Cannot connect to 'ldaps://obel1x.de:636'
DEBUG: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
Traceback (most recent call last):
  File "/usr/sbin/dsidm", line 129, in <module>
    inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose, args=args)
  File "/usr/lib/python3.6/site-packages/lib389/cli_base/__init__.py", line 152, in connect_instance
    starttls=dsrc_inst['starttls'], connOnly=True)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1074, in open
    raise e
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1070, in open
    self.simple_bind_s(ensure_str(self.binddn), self.bindpw, escapehatch='i am sure')
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175, in inner
    return f(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 443, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175, in inner
    return f(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 437, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175, in inner
    return f(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
ERROR: Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)

This also affects sssd and ldapsearch of course. Testing SSL looks ok for me:

obel1x:~ # openssl s_client -connect obel1x.de:636 -showcerts </dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = obel1x.de
verify return:1
---
Certificate chain
 0 s:CN = obel1x.de
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
---
Server certificate
subject=CN = obel1x.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3107 bytes and written 375 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

and the keystore is:

obel1x:/etc/dirsrv/slapd-obel1x # certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      88a40a16c8cee80cda1804e08f3f87eea6f6a2ab   Server-Cert

obel1x:/etc/dirsrv/slapd-obel1x # certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Server-Cert                                                  u,u,u
ca_cert                                                      C,,

where Server-Cert corresponds to cert.pem and ca_cert is chain.pem in letsencrypt.

I have only found a small difference in the docs, which do say the key should read like:

< 0> rsa      79187d744c73cd2f098edc80ce261e5ad94c4db2   NSS Certificate DB:Server-Cert

to define that the key matches the certificate. I have not found a way to "bind" the key to the certificate or to link them, but the certificate should be the one of the key, as it has been derived from it and was imported with pk12util in the database.

What can be wrong with dsidm connecting - is it the key? Why is openssl not complaining then? And if so, how to import it the right way?

--
Kind regards,
Daniel

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
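The error string in the post, "unable to get local issuer certificate", is OpenSSL's X509 verify error 20: the verifying side could not find the leaf's issuer among its own trust anchors, which is a property of the client's configured CA store, not of the server's key/certificate pairing (the s_client run verified the chain against the system store, while the dsidm log shows tls_cacertdir unset and an unresolved /etc/dirsrv/slapd-{instance_name} path). The following shell script is an added example, not part of the original post, that reproduces that distinction offline with a constructed throwaway CA and leaf certificate; all names and paths are assumptions and it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): show that X509 error 20
# depends on the verifier's trust anchors. A constructed demo CA signs a
# constructed leaf; verifying the leaf with the issuer's certificate
# succeeds, verifying without it fails with the same error the LDAP
# client reported. Names/paths are assumptions; requires the openssl CLI.
set -e
WORK=$(mktemp -d)

make_demo_pki() {
    # Constructed self-signed CA, standing in for the issuer in chain.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Issuer CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Constructed server key and CSR, standing in for the server's cert.pem.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    # Sign the leaf with the demo CA.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_leaf <cafile-or-empty>: prints "ok", "missing-issuer", or the raw
# openssl output for any other result. With an empty argument openssl uses
# only the default system trust store, which does not contain the demo CA:
# the same situation as an LDAP client whose TLS_CACERT / tls_cacertdir
# does not point at the issuer of the server certificate.
verify_leaf() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1 || true)
    else
        out=$(openssl verify "$WORK/server.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK") echo ok ;;
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *) echo "other: $out" ;;
    esac
}

make_demo_pki
echo "with issuer in trust store:    $(verify_leaf "$WORK/ca.pem")"
echo "without issuer in trust store: $(verify_leaf "")"
```

The same check applied to the real deployment is `openssl verify -CAfile chain.pem cert.pem` on the server side and, on the client side, confirming that the CA path the LDAP client actually loads contains the Let's Encrypt issuer rather than an unresolved template path.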