I don't see the CA cert installed in the "Managing Certificates" --> CA certs. Shouldn't it be there?

ldapsearch -x -D "cn=Directory Manager" -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>> I'm not sure I understand what's going on either, but the message "Peer does not recognize and trust the CA that issued your certificate." means that ldapsearch did not verify your LDAP server certificate (Server-Cert). This is usually due to one or both of the following:
>>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN in the LDAP server cert is not the fqdn of the LDAP server host, or the client cannot resolve it.
>>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA that issued the LDAP server certificate (Server-Cert)
>>>>>
>>>>> I'm not sure which one it is. You might try dumping out the server certificate (../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert, e.g.
>>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>>
>>>>> If you get an error, this means that the CA whose cert is /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server certificate.
>>>>
>>>> I get fdscert.pem: OK
>>> I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:
>>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>>> CA certificate                                               CTu,u,u
>>> Server-Cert                                                  u,u,u
>>>
>>
>> Another thing you can try is verifying the server certificate:
>>
>> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
>> certutil: certificate is valid
>
> ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-server-
> certutil-bin: certificate is valid
>
>>
>> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will eliminate the OpenSSL certificate so we can help see where the problem is. You can have it use the same cert database as the server and that should help confirm that the CA and Server certificates are ok. If that works then it's likely something with your OpenSSL config that is the problem.
>>
>> rob
>>
>
> I'm not sure if I did this right:
>
> ../shared/bin/ldapsearch -Z -P slapd-server- -b "" -s base "(objectclass=*)" -v
> ldapsearch: started Fri Jun  2 22:23:18 2006
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- slapd-server-
> ldaptool_getkeypath -- slapd-server-
> ldaptool_getmodpath -- (null)
> SSL initialization failed: error -8174 (security library: bad database.)
>
> also...
>
> ../shared/bin/ldapsearch -P slapd-server- -b "" -s base "(objectclass=*)" -v
> ldapsearch: started Fri Jun  2 22:23:41 2006
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- slapd-server-
> ldaptool_getkeypath -- slapd-server-
> ldaptool_getmodpath -- (null)
> SSL initialization failed: error -8174 (security library: bad database.)
>
>>>>>>
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>>>>>>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA. I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ
>>>>>>>>>>>>>>>>>>>>>> I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Thanks

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
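The two client-side checks Richard walks Jeff through in the thread, as an added runnable example; this is not code from the thread, from OpenLDAP or from Fedora DS. Check one is his "openssl verify -CAfile cacert.pem fdscert.pem": does the CA file the client trusts actually issue the server cert? Check two is his hostname point: does the cn in the leftmost RDN of the server cert's subject DN equal the name the client connects to? The script builds a throwaway CA, an unrelated second CA and a server cert in a temp directory so it runs offline; the CA names (CAcert, OtherCA) and the host name ldap.example.com are assumptions for the demo, and the only requirements are a POSIX shell and the openssl binary. The second diagnose call reproduces the thread's situation of a cert issued to the FQDN being checked by a client pointed at localhost with the wrong CA file.

```shell
#!/bin/sh
# Added example (not from the thread, OpenLDAP or Fedora DS): reproduce the
# two checks behind "unknown CA" / "Peer does not recognize and trust the CA":
#   1. is the CA in TLS_CACERT the issuer of the server cert?
#   2. does the server cert's subject CN match the host name the client uses?
# Names used here (CAcert, OtherCA, ldap.example.com) are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca CN PREFIX: self-signed CA with CA extensions, written to PREFIX.key/.pem.
mk_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$2.ext"
    openssl x509 -req -days 1 -sha256 -in "$2.csr" -signkey "$2.key" \
        -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# mk_server_cert HOST CAPREFIX PREFIX: cert with CN=HOST (what the 2006-era
# ldapsearch matched) plus a DNS SAN (what current clients match), signed by CAPREFIX.
mk_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$3.ext"
    openssl x509 -req -days 1 -sha256 -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile "$3.ext" -out "$3.pem" 2>/dev/null
}

# chain_ok CAFILE CERT: the thread's "openssl verify -CAfile cacert.pem fdscert.pem".
# Exit 0 only if CAFILE issued CERT; a wrong CA file exits non-zero, which is the
# "self signed certificate in certificate chain" case from the ldapsearch trace.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: the CN of the subject DN. Assumes CN is the most specific RDN,
# as in the thread, where the subject was just /CN=<fqdn>.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -e 's/^subject= *//' -e 's/^.*CN=\([^,]*\).*$/\1/'
}

# hostname_ok CERT HOST: the CN must equal the name the client resolves, exactly.
hostname_ok() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# diagnose CAFILE CERT HOST: both checks, in the order a TLS client applies them.
diagnose() {
    if chain_ok "$1" "$2"; then
        echo "chain:    OK ($1 issued the server cert)"
    else
        echo "chain:    FAIL - unknown CA: $1 did not issue the server cert"
    fi
    if hostname_ok "$2" "$3"; then
        echo "hostname: OK (CN=$3)"
    else
        echo "hostname: FAIL - CN=$(cert_cn "$2") but the client connects to $3"
    fi
}

mk_ca CAcert  "$WORK/ca"       # the CA that really signed the server cert
mk_ca OtherCA "$WORK/other"    # a CA that did not (wrong file in TLS_CACERT)
mk_server_cert ldap.example.com "$WORK/ca" "$WORK/server"

echo "== correct TLS_CACERT, client uses the FQDN =="
diagnose "$WORK/ca.pem"    "$WORK/server.pem" ldap.example.com
echo "== wrong TLS_CACERT, client uses localhost =="
diagnose "$WORK/other.pem" "$WORK/server.pem" localhost
```

This covers only the OpenSSL side that Richard's openssl verify command exercises. The NSS trust flags that certutil -L prints (CTu,u,u for the CA, u,u,u for Server-Cert) are a separate question about what the server's own certificate database trusts, which is why Rob suggests running the FDS ldapsearch with the same -P prefix as the server: a pass there with a failure here points at the OpenSSL client configuration rather than the server.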