[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Jeff Gamsby JFGamsby at lbl.gov
Fri Jun 2 22:49:13 UTC 2006 

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783



Richard Megginson wrote:
> Jeff Gamsby wrote:
>>
>> Jeff Gamsby
>> Center for X-Ray Optics
>> Lawrence Berkeley National Laboratory
>> (510) 486-7783
>>
>>
>>
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>
>>>> Jeff Gamsby
>>>> Center for X-Ray Optics
>>>> Lawrence Berkeley National Laboratory
>>>> (510) 486-7783
>>>>
>>>>
>>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>>
>>>>>> Jeff Gamsby
>>>>>> Center for X-Ray Optics
>>>>>> Lawrence Berkeley National Laboratory
>>>>>> (510) 486-7783
>>>>>>
>>>>>>
>>>>>>
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> I blew away the server and installed a new one, then I used the 
>>>>>>>> setupssl.sh script to setup SSL. The script completed 
>>>>>>>> successfully, and the server is listening on port 636, but I'm 
>>>>>>>> back to a familiar error:
>>>>>>>>
>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>
>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: 
>>>>>>>> /CN=CAcert, issuer: /CN=CAcert
>>>>>>>> TLS certificate verification: Error, self signed certificate in 
>>>>>>>> certificate chain
>>>>>>>> tls_write: want=7, written=7
>>>>>>>>  0000:  15 03 01 00 02 02 30                               
>>>>>>>> ......0          TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>> TLS: can't connect.
>>>>>>>> ldap_perror
>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>        additional info: error:14090086:SSL 
>>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>
>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>> No, no hostname validation is done on the CA cert, only on the 
>>>>>>> LDAP server cert.
>>>>>>>
>>>>>>> Did you configure openldap to use the new CA cert?  
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients 
>>>>>>>
>>>>>>
>>>>>> Yes.
>>>>>>
>>>>>> This is what the access log says
>>>>>>
>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 
>>>>>> nentries=0 etime=0
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection 
>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT 
>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 
>>>>>> nentries=0 etime=0
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer 
>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>
>>>>> This means that the CA cert that /etc/openldap/ldap.conf is using 
>>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>>> OK.  I had the old cert in there.
>>>>
>>>> I followed the instructions and did a
>>>>
>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in 
>>>> cacert.asc`.0
>>>>
>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get 
>>>> the same error
>>> But does the file /etc/openldap/cacerts/cacert.asc exist?  If not, 
>>> you need to copy that file in there.  I guess the docs are not 
>>> explicit enough - if you use TLS_CACERTDIR, you must have the file 
>>> <hash>.0 in the cacerts directory.  If you use TLS_CACERT, you must 
>>> have the file /etc/openldap/cacerts/cacert.asc.
>>
>> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>
>> Same error.
>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 
>> 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT 
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 
>> nentries=0 etime=0
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does 
>> not recognize and trust the CA that issued your certificate.
>>
>> I also put the same info in /etc/ldap.conf
> That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>>
>> Also, here are the certs
>>
>> ../shared/bin/certutil -L -P slapd-server- -d .
>> CA certificate                                               CTu,u,u
>> server-cert                                                  u,u,u
>> Server-Cert                                                  u,u,u
>>
>> Does that look right?
> Try this:
> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a 
> > mycacert.asc
>
> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>
> If they are the same, then CA certificate is not the cert of the CA 
> that issued Server-Cert.

 They are the same.

I'm not sure that I understand.

>>
>>>>
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 
>>>> 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT 
>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 
>>>> nentries=0 etime=0
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does 
>>>> not recognize and trust the CA that issued your certificate.
>>>>
>>>>
>>>>
>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> This is all that the errors log says
>>>>>>> How about the access log?
>>>>>>>>
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully 
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully 
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully 
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully 
>>>>>>>> generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on All 
>>>>>>>> Interfaces port 389 for LDAP requests
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 
>>>>>>>> 636 for LDAPS requests
>>>>>>>>
>>>>>>>> Thanks for your help
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Jeff Gamsby
>>>>>>>> Center for X-Ray Optics
>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>> (510) 486-7783
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>
>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i 
>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>
>>>>>>>>>> and
>>>>>>>>>>
>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>
>>>>>>>>>> Now, I get this error:
>>>>>>>>>>
>>>>>>>>>> TLS: can't connect.
>>>>>>>>>> ldap_perror
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>        additional info: Start TLS request accepted.Server 
>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>> What OS and version are you running?  RHEL3 
>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR 
>>>>>>>>> directive - you must use the TLS_CACERT directive with the 
>>>>>>>>> full path and filename of the cacert.pem file (e.g. 
>>>>>>>>> /etc/openldap/cacerts/cacert.pem).  What does it say in the 
>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>
>>>>>>>>> For a successful startTLS request with ldapsearch, you should 
>>>>>>>>> see something like the following in your fedora ds access log:
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection 
>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT 
>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" 
>>>>>>>>> method=128 version=3
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 
>>>>>>>>> nentries=0 etime=0 dn=""
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH 
>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" 
>>>>>>>>> attrs=ALL
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jeff Gamsby
>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>> (510) 486-7783
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am 
>>>>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert 
>>>>>>>>>>>>>>>> and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert 
>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>> Did you follow this - 
>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I 
>>>>>>>>>>>>>> did this time was generate a request from the "Manage 
>>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and 
>>>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in 
>>>>>>>>>>>>>> the Admin console, and restarted the server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I followed the instructions from the link, I 
>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the 
>>>>>>>>>>>>> hostname in your server cert, which is the value of the cn 
>>>>>>>>>>>>> attribute in the leftmost RDN in your server cert's 
>>>>>>>>>>>>> subject DN.  What is the subject DN of your server cert?  
>>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the 
>>>>>>>>>>>>> Howto:SSL to print your cert.
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>
>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n 
>>>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and 
>>>>>>>>>>>> OpenSSL CA host (ran on same machine)
>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some 
>>>>>>>>>>> debugging info.
>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts 
>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users 
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>   
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users 
>>>>>>>>>>>>>>
>>>>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users 
>>>>>>>>>>>>>
>>>>>>>>>>>>>   
>>>>>>>>>>>>
>>>>>>>>>>>> -- 
>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>>>   
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>   
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>   
>>>>>>
>>>>>> -- 
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>> ------------------------------------------------------------------------ 
>>>>>
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>   
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> ------------------------------------------------------------------------ 
>>>
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>   
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

More information about the 389-users mailing list