Re: TLS trace: SSL3 alert write:fatal:unknown CA

[Richard Megginson <rmeggins@xxxxxxxxxx>]

Jeff Gamsby wrote:
> OK, now I have a different error.
>
> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i 
> /etc/certs/ca-cert.pem -P slapd-server- -d .
>
> and
>
> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>
> Now, I get this error:
>
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>        additional info: Start TLS request accepted.Server willing to 
> negotiate SSL.
What OS and version are you running?  RHEL3 /etc/openldap/ldap.conf does 
not like the TLS_CACERTDIR directive - you must use the TLS_CACERT 
directive with the full path and filename of the cacert.pem file (e.g. 
/etc/openldap/cacerts/cacert.pem).  What does it say in the fedora ds 
access and error log for this request?

For a successful startTLS request with ldapsearch, you should see 
something like the following in your fedora ds access log:
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 
127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT 
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 
nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 
etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" 
scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 
nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1

> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
> > Jeff Gamsby wrote:
> > > Jeff Gamsby
> > > Center for X-Ray Optics
> > > Lawrence Berkeley National Laboratory
> > > (510) 486-7783
> > >
> > >
> > >
> > > Richard Megginson wrote:
> > > > Jeff Gamsby wrote:
> > > > > Jeff Gamsby
> > > > > Center for X-Ray Optics
> > > > > Lawrence Berkeley National Laboratory
> > > > > (510) 486-7783
> > > > >
> > > > >
> > > > >
> > > > > Richard Megginson wrote:
> > > > > > Jeff Gamsby wrote:
> > > > > > > I am trying to get FDS 1.0.2 working in SSL mode. I am using a 
> > > > > > > OpenSSL CA, I have installed the Server Cert and the CA Cert, 
> > > > > > > can start FDS in SSL mode, but when I run
> > > > > > > ldapsearch -x -ZZ  I get TLS trace: SSL3 alert 
> > > > > > > write:fatal:unknown CA.
> > > > > > Did you follow this - 
> > > > > > http://directory.fedora.redhat.com/wiki/Howto:SSL
> > > > > I did, but that didn't work for me. The only thing that I did this 
> > > > > time was generate a request from the "Manage Certificates", sign 
> > > > > the request using my OpenSSL CA, and install the Server and CA 
> > > > > Certs. Then I turned on SSL in the Admin console, and restarted 
> > > > > the server.
> > > > >
> > > > > When I followed the instructions from the link, I couldn't even 
> > > > > get FDS to start in SSL mode.
> > > > One problem may be that ldapsearch is trying to verify the hostname 
> > > > in your server cert, which is the value of the cn attribute in the 
> > > > leftmost RDN in your server cert's subject DN.  What is the subject 
> > > > DN of your server cert?  You can use certutil -L -n Server-Cert as 
> > > > specified in the Howto:SSL to print your cert.
> > >
> > > Sorry. I missed the -P option.
> > >
> > > running ../shared/bin/certutil -L -d . -P slapd-server- -n 
> > > "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA 
> > > host (ran on same machine)
> > Hmm - try ldapsearch with the -v (or -d?) option to get some 
> > debugging info.
> > > > > > > In /etc/ldap.conf, I have put in
> > > > > > > TLS_CACERT /path/to/cert
> > > > > > Is this the same /path/to/cacert.pem as below?
> > > > > Yes
> > > > > > > TLSREQCERT allow
> > > > > > > ssl on
> > > > > > > ssl start_tls
> > > > > > >
> > > > > > > If I run
> > > > > > > openssl s_client -connect localhost:636 -showcerts -state 
> > > > > > > -CAfile /path/to/cacert.pem
> > > > > > >
> > > > > > > It looks OK
> > > > > > >
> > > > > > > Please help
> > > > > > >
> > > > > > > Thanks
> > > > > > ------------------------------------------------------------------------ 
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Fedora-directory-users mailing list
> > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > >   
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > ------------------------------------------------------------------------ 
> > > >
> > > >
> > > > --
> > > > Fedora-directory-users mailing list
> > > > Fedora-directory-users@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >   
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > ------------------------------------------------------------------------
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >   
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users