Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson wrote:
Jeff Gamsby wrote:
I blew away the server and installed a new one, then I used
the setupssl.sh script to set up SSL. The script completed
successfully, and the server is listening on port 636, but
I'm back to a familiar error:
ldapsearch -x -ZZ -d -1
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject:
/CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate
in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Shouldn't CN=CAcert be cn=fqdn?
No, no hostname validation is done on the CA cert, only on the
LDAP server cert.
Did you configure openldap to use the new CA cert?
http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
Yes.
This is what the access log says
[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101
nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection
from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer
does not recognize and trust the CA that issued your certificate.
This means that the CA cert that /etc/openldap/ldap.conf is
using is not the cert of the CA that issued the Fedora DS server
cert.
OK. I had the old cert in there.
I followed the instructions and did a
cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash
-in cacert.asc`.0
and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still
get the same error.
But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
you need to copy that file in there. I guess the docs are not
explicit enough - if you use TLS_CACERTDIR, you must have the file
<hash>.0 in the cacerts directory. If you use TLS_CACERT, you
must have the file /etc/openldap/cacerts/cacert.asc.
It does exist, and I'm using TLS_CACERT
/etc/openldap/cacerts/cacert.asc
Same error.
[02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does
not recognize and trust the CA that issued your certificate.
I also put the same info in /etc/ldap.conf
That file is only used by pam_ldap and nss_ldap, so it shouldn't
matter.
Also, here are the certs
../shared/bin/certutil -L -P slapd-server- -d .
CA certificate CTu,u,u
server-cert u,u,u
Server-Cert u,u,u
Does that look right?
Try this:
../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate"
-a > mycacert.asc
diff mycacert.asc /etc/openldap/cacerts/cacert.asc
If they are the same, then CA certificate is not the cert of the CA
that issued Server-Cert.
They are the same.
I'm not sure that I understand.
I'm not sure I understand what's going on either, but the message
"Peer does not recognize and trust the CA that issued your
certificate." means that ldapsearch did not verify your LDAP server
certificate (Server-Cert). This is usually due to one or both of the
following:
1) The value of the cn attribute in the leftmost RDN of the subjectDN
in the LDAP server cert is not the fqdn of the LDAP server host, or
the client cannot resolve it.
2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the
CA that issued the LDAP server certificate (Server-Cert)
I'm not sure which one it is. You might try dumping out the server
certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
"Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
If you get an error, this means that the CA whose cert is
/etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
certificate.
I get fdscert.pem: OK
[02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
does not recognize and trust the CA that issued your certificate.
This is all that the errors log says
How about the access log?
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for
cipher AES in backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES
successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for
cipher 3DES in backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for
cipher AES in backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES
successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for
cipher 3DES in backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - slapd started. Listening on
All Interfaces port 389 for LDAP requests
[02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
port 636 for LDAPS requests
Thanks for your help
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
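A check script for the causes Richard walks through above (a CA that did not issue Server-Cert, a server cert whose subject CN is not the FQDN, and a missing <hash>.0 link when TLS_CACERTDIR is used). This is an added example, not code from the thread or from Fedora DS; it assumes only the openssl CLI, and the function names and the ldap_tls_check usage are my own.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora DS): offline checks for the
# causes of "Peer does not recognize and trust the CA" discussed above.
# Assumes only the openssl CLI; all function names here are my own.
# 1) Does the CA in $1 actually issue the server cert in $2?  This is the
#    "openssl verify -CAfile" step: a CA with the right CN is not enough,
#    the signature on the server cert must chain to the CA's key.
ca_issued_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2) Is the leftmost RDN of the server cert's subject CN=<fqdn> for $2?
#    ldapsearch matches the hostname against the server cert, never the CA
#    cert, so CN=CAcert on the CA is fine, CN=CAcert on Server-Cert is not.
#    (Newer clients also accept a matching subjectAltName; not checked.)
server_cert_cn_matches() {
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
         | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# 3) With TLS_CACERTDIR the CA cert must be reachable as <hash>.0 in $2,
#    <hash> being "openssl x509 -hash" of $1.  Use the hash of the OpenSSL
#    generation the client links against (the algorithm changed in 1.0;
#    -subject_hash_old prints the older form).
cacertdir_has_hash_link() {
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    [ -r "$2/$h.0" ]
}

# Save the cert a live server presents on host $1 port $2 into $3 (the
# s_client step from the thread) so the checks run on what clients see.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Usage: ldap_tls_check CA_FILE SERVER_CERT FQDN [CACERT_DIR]
# Prints one line per check; returns non-zero if any check fails.
ldap_tls_check() {
    rc=0
    ca_issued_server_cert "$1" "$2" && echo "chain: OK" \
        || { echo "chain: FAIL ($1 did not issue $2)"; rc=1; }
    server_cert_cn_matches "$2" "$3" && echo "cn: OK" \
        || { echo "cn: FAIL (subject CN of $2 is not $3)"; rc=1; }
    if [ -n "$4" ]; then
        cacertdir_has_hash_link "$1" "$4" && echo "hash link: OK" \
            || { echo "hash link: FAIL (no <hash>.0 for $1 in $4)"; rc=1; }
    fi
    return $rc
}
```

Run it against the CA file named in TLS_CACERT and a server cert dumped with certutil or fetched with fetch_server_cert; "chain: FAIL" is the case the thread ends on, where the CA file and the issuer of Server-Cert do not match.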
Richard Megginson wrote:
Jeff Gamsby wrote:
OK, now I have a different error.
I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
/etc/certs/ca-cert.pem -P slapd-server- -d .
and
ln -s ca-cert.pem `openssl x509 -noout -hash -in
ca-cert.pem`.0
Now, I get this error:
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server
willing to negotiate SSL.
What OS and version are you running? RHEL3
/etc/openldap/ldap.conf does not like the TLS_CACERTDIR
directive - you must use the TLS_CACERT directive with the
full path and filename of the cacert.pem file (e.g.
/etc/openldap/cacerts/cacert.pem). What does it say in the
fedora ds access and error log for this request?
For a successful startTLS request with ldapsearch, you
should see something like the following in your fedora ds
access log:
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
tag=101 nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson wrote:
Jeff Gamsby wrote:
I am trying to get FDS 1.0.2 working in SSL mode. I
am using an OpenSSL CA. I have installed the Server
Cert and the CA Cert and can start FDS in SSL mode, but
when I run
ldapsearch -x -ZZ I get TLS trace: SSL3 alert
write:fatal:unknown CA.
Did you follow this -
http://directory.fedora.redhat.com/wiki/Howto:SSL
I did, but that didn't work for me. The only thing that
I did this time was generate a request from the "Manage
Certificates", sign the request using my OpenSSL CA,
and install the Server and CA Certs. Then I turned on
SSL in the Admin console, and restarted the server.
When I followed the instructions from the link, I
couldn't even get FDS to start in SSL mode.
One problem may be that ldapsearch is trying to verify
the hostname in your server cert, which is the value of
the cn attribute in the leftmost RDN in your server
cert's subject DN. What is the subject DN of your
server cert? You can use certutil -L -n Server-Cert as
specified in the Howto:SSL to print your cert.
Sorry. I missed the -P option.
Running ../shared/bin/certutil -L -d . -P slapd-server-
-n "server-cert" returns the Subject *CN* as the FQDN of the FDS
and OpenSSL CA host (run on the same machine).
Hmm - try ldapsearch with the -v (or -d?) option to get
some debugging info.
In /etc/ldap.conf, I have put in
TLS_CACERT /path/to/cert
Is this the same /path/to/cacert.pem as below?
Yes
TLSREQCERT allow
ssl on
ssl start_tls
If I run
openssl s_client -connect localhost:636 -showcerts
-state -CAfile /path/to/cacert.pem
It looks OK
Please help
Thanks
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users