Hello, currently I am a bit stuck with getting 389 Server working and would appreciate any help... I have followed https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
and a guide to import certificates and keys from Let's Encrypt, which seems to work accordingly.
But whenever I make a secure connection, I get the error above, i.e. using dsidm:
obel1x:/ # dsidm -v ldaps://obel1x.de:636 -b 'dc=obel1x,dc=de' -D 'cn=Directory Manager' client_config sssd.conf server_admins
DEBUG: The 389 Directory Server Identity Manager
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: ['obel1x']
DEBUG: dsrc no such section: slapd-ldaps://obel1x.de:636
DEBUG: Called with: Namespace(allowed_group='server_admins', basedn='dc=obel1x,dc=de', binddn='cn=Directory Manager', bindpw=None, func=<function sssd_conf at 0x7fbd8cd3a6a8>, instance='ldaps://obel1x.de:636', json=False, prompt=False, pwdfile=None, starttls=False, verbose=True)
DEBUG: Instance details: {'uri': 'ldaps://obel1x.de:636', 'basedn': 'dc=obel1x,dc=de', 'binddn': 'cn=Directory Manager', 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'ldaps://obel1x.de:636', 'root-dn': 'cn=Directory Manager'}}
DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
Enter password for cn=Directory Manager on ldaps://obel1x.de:636:
DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: open(): Connecting to uri ldaps://obel1x.de:636
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: Cannot connect to 'ldaps://obel1x.de:636'
DEBUG: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
Traceback (most recent call last):
  File "/usr/sbin/dsidm", line 129, in <module>
    inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose, args=args)
  File "/usr/lib/python3.6/site-packages/lib389/cli_base/__init__.py", line 152, in connect_instance
    starttls=dsrc_inst['starttls'], connOnly=True)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1074, in open
    raise e
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 1070, in open
    self.simple_bind_s(ensure_str(self.binddn), self.bindpw, escapehatch='i am sure')
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175, in inner
    return f(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 443, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175, in inner
    return f(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 437, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175, in inner
    return f(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)'}
ERROR: Error: Can't contact LDAP server - error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
This also affects sssd and ldapsearch of course.
Testing SSL looks OK to me:
obel1x:~ # openssl s_client -connect obel1x.de:636 -showcerts </dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = obel1x.de
verify return:1
---
Certificate chain
 0 s:CN = obel1x.de
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
---
Server certificate
subject=CN = obel1x.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3107 bytes and written 375 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
and the keystore is:
obel1x:/etc/dirsrv/slapd-obel1x # certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      88a40a16c8cee80cda1804e08f3f87eea6f6a2ab   Server-Cert
obel1x:/etc/dirsrv/slapd-obel1x # certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,
where Server-Cert corresponds to cert.pem and ca_cert is chain.pem in letsencrypt.
I have only found a small difference in the docs, which do say the key should read like:
< 0> rsa      79187d744c73cd2f098edc80ce261e5ad94c4db2   NSS Certificate DB:Server-Cert
to show that the key matches the certificate. I have not found a way to "bind" the key to the certificate or to link them, but the certificate should be the one of the key, as it has been derived from it and was imported into the database with pk12util.
What can be wrong with dsidm connecting - is it the key? Why is openssl not complaining then? And if so, how do I import it the right way?
-- Kind regards, Daniel
On 9/25/21 12:52 PM, Daniel wrote:
and the keystore is:
obel1x:/etc/dirsrv/slapd-obel1x # certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      88a40a16c8cee80cda1804e08f3f87eea6f6a2ab   Server-Cert
obel1x:/etc/dirsrv/slapd-obel1x # certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,
The ca_cert should have the trust flags: CT,,
Try fixing this first.
Then make sure /etc/openldap/ldap.conf has the TLS_CACERTDIR set to /etc/dirsrv/slapd-YOUR_INSTANCE_NAME
Second, we just fixed a bug in the CLI tools when trying to use LDAPS. To verify whether you are running into this bug, set up the ~/.dsrc file:
Here is an example of .dsrc file. Adjust this for your setup.
/root/.dsrc
-----------------------------------------------------------
[localhost]
uri = ldaps://localhost
basedn = dc=example,dc=com
binddn = cn=Directory Manager
# You need to copy /etc/dirsrv/slapd-localhost/ca.crt to your host for this to work.
tls_cacertdir = /etc/dirsrv/slapd-localhost/
----------------------------------------------------------
More info on this:
https://www.port389.org/docs/389ds/howto/howto-install-389.html#setting-up-d...
https://www.port389.org/docs/389ds/design/dsadm-dsconf.html#what-will-it-loo...
Then when you use the CLI tools you specify the instance identifier. In this example it is "localhost", and it will use the configuration from /root/.dsrc
# dsidm localhost user get
HTH,
Mark
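The two client-side checks Mark lists (CA trust flags in the NSS database and TLS_CACERTDIR in /etc/openldap/ldap.conf), as an added example that is not part of the thread. The certutil listing and ldap.conf fragments below are constructed to mirror Daniel's output; the functions work on that captured text, so the certutil -M fix is only printed, never executed against a live database.

```shell
#!/bin/sh
# Added example, not from the thread: inspect captured certutil / ldap.conf text
# for the two settings Mark points at, and emit the repair command.

# Constructed sample mirroring the `certutil -L -d .` listing in the thread.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,'

# Constructed /etc/openldap/ldap.conf fragments: without and with TLS_CACERTDIR.
SAMPLE_LDAPCONF_BAD='BASE dc=obel1x,dc=de
URI ldaps://obel1x.de:636'
SAMPLE_LDAPCONF_GOOD="$SAMPLE_LDAPCONF_BAD
TLS_CACERTDIR /etc/dirsrv/slapd-obel1x"

# ssl_flags LISTING NICKNAME: print the SSL column of NICKNAME's trust
# attributes, i.e. the first comma-separated field ("C" out of "C,,").
ssl_flags() {
  printf '%s\n' "$1" | awk -v nick="$2" '$1 == nick { print $2; exit }' | cut -d, -f1
}

# ca_trust_status LISTING NICKNAME: "ok" when the SSL column carries both
# C (trusted CA for server certs) and T (trusted CA for client certs),
# which is the CT,, Mark asks for; otherwise "needs-CT".
ca_trust_status() {
  case "$(ssl_flags "$1" "$2")" in
    *C*T*|*T*C*) echo ok ;;
    *)           echo needs-CT ;;
  esac
}

# fix_trust_command DBDIR NICKNAME: the certutil call that rewrites the trust
# attributes of an existing certificate (-M) to CT,,. Printed, not run.
fix_trust_command() {
  printf 'certutil -M -d %s -n %s -t "CT,,"\n' "$1" "$2"
}

# cacertdir_status LDAPCONF INSTANCE: "ok" when TLS_CACERTDIR names the
# instance's NSS directory, "missing" when unset, else the directory found.
cacertdir_status() {
  dir=$(printf '%s\n' "$1" | awk '$1 == "TLS_CACERTDIR" { print $2; exit }')
  case "$dir" in
    "")                                             echo missing ;;
    "/etc/dirsrv/slapd-$2"|"/etc/dirsrv/slapd-$2/") echo ok ;;
    *)                                              echo "$dir" ;;
  esac
}

# Stand-alone run over the constructed samples.
echo "ca_cert trust: $(ca_trust_status "$SAMPLE_LISTING" ca_cert)"
[ "$(ca_trust_status "$SAMPLE_LISTING" ca_cert)" = ok ] || fix_trust_command /etc/dirsrv/slapd-obel1x ca_cert
echo "ldap.conf TLS_CACERTDIR: $(cacertdir_status "$SAMPLE_LDAPCONF_BAD" obel1x)"
```

On a real host, feed the functions `certutil -L -d /etc/dirsrv/slapd-<instance>` output and the actual ldap.conf instead of the samples.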