[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Rob Crittenden rcritten at redhat.com
Sat Jun 3 04:23:11 UTC 2006


Richard Megginson wrote:
> Jeff Gamsby wrote:
>>> I'm not sure I understand what's going on either, but the message 
>>> "Peer does not recognize and trust the CA that issued your 
>>> certificate." means that ldapsearch did not verify your LDAP server 
>>> certificate (Server-Cert).  This is usually due to one or both of the 
>>> following:
>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN 
>>> in the LDAP server cert is not the fqdn of the LDAP server host, or 
>>> the client cannot resolve it.
>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of 
>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>
>>> I'm not sure which one it is.  You might try dumping out the server 
>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n 
>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert 
>>> e.g.
>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>
>>> If you get an error, this means that the CA whose cert is 
>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server 
>>> certificate.
>>
>> I get fdscert.pem: OK
> I dunno - perhaps the CA doesn't have the appropriate trust flags?  This 
> is what I get:
> ../shared/bin/certutil -d . -P slapd-localhost- -L
> CA certificate                                               CTu,u,u
> Server-Cert                                                  u,u,u
> 

Another thing you can try is verifying the server certificate:

% ../shared/bin/certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
certutil: certificate is valid

Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will 
eliminate the OpenSSL certificate so we can help see where the problem 
is. You can have it use the same cert database as the server and that 
should help confirm that the CA and Server certificates are ok. If that 
works then it's likely something with your OpenSSL config that is the 
problem.

rob

>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection 
>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT 
>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 
>>>>>>>> nentries=0 etime=0
>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer 
>>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES 
>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES 
>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES 
>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for 
>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create 
>>>>>>>>>>>> one...
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES 
>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on 
>>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces 
>>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i 
>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>        additional info: Start TLS request accepted.Server 
>>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>>> What OS and version are you running?  RHEL3 
>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR 
>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the 
>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g. 
>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem).  What does it say in the 
>>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>>
>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you 
>>>>>>>>>>>>> should see something like the following in your fedora ds 
>>>>>>>>>>>>> access log:
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 
>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT 
>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 
>>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" 
>>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 
>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH 
>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" 
>>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 
>>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I 
>>>>>>>>>>>>>>>>>>>> am using an OpenSSL CA, I have installed the Server 
>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but 
>>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert 
>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>> Did you follow this - 
>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing 
>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the 
>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my 
>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then 
>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted 
>>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I 
>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify 
>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of 
>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server 
>>>>>>>>>>>>>>>>> cert's subject DN.  What is the subject DN of your 
>>>>>>>>>>>>>>>>> server cert?  You can use certutil -L -n Server-Cert as 
>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- 
>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS 
>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get 
>>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts 
>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users 
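A self-contained way to reproduce the two checks Richard describes (is the CA file really the issuer of the server cert, and does the leftmost CN match the host name the client connects to), plus the hashed-symlink CA directory layout Jeff built with `openssl x509 -noout -hash`. This is an added example, not code from this thread or from Fedora Directory Server: it generates a throwaway CA and server certificate with OpenSSL in a temporary directory, so it needs only the openssl binary and never touches an NSS database. The host name ldap.example.com, the second "other" CA and all file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the "unknown CA" diagnosis
# with a throwaway OpenSSL CA. Nothing here touches a real FDS/NSS database.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed FQDN of the directory server (hypothetical).
HOST=ldap.example.com

# Two unrelated CAs: "good" signs the server cert, "other" never sees it.
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1 test CA" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" >/dev/null 2>&1
}
mk_ca good
mk_ca other

# Server cert with CN = FQDN (what the request generated from "Manage
# Certificates" should carry), signed by the good CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server-key.pem" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/good-cert.pem" -CAkey "$WORK/good-key.pem" -CAcreateserial \
    -out "$WORK/server-cert.pem" >/dev/null 2>&1

# Check 2 from the thread: does this CA file actually issue the server cert?
# Same command as: openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
# The result is taken from the ": OK" line rather than the exit code, because
# old 0.9.x/1.0.x builds of "openssl verify" exited 0 even on failure.
check_issuer() {   # $1 = CA cert file, $2 = server cert file
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK'; then
        echo OK
    else
        echo FAIL
    fi
}

# Check 1 from the thread: the CN in the subject must equal the host name the
# client connects to, or OpenLDAP's ldapsearch rejects the server cert.
check_cn() {       # $1 = cert file, $2 = expected host name
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$2" ]; then echo OK; else echo FAIL; fi
}

# TLS_CACERTDIR layout: OpenSSL looks up <subject-hash>.0 in the directory,
# which is exactly the symlink built with `openssl x509 -noout -hash`.
CADIR="$WORK/cacerts"
mkdir "$CADIR"
cp "$WORK/good-cert.pem" "$CADIR/ca-cert.pem"
( cd "$CADIR" && ln -s ca-cert.pem "$(openssl x509 -noout -hash -in ca-cert.pem).0" )

check_cadir() {    # $1 = server cert file; verifies against $CADIR
    if openssl verify -CApath "$CADIR" "$1" 2>&1 | grep -q ': OK'; then
        echo OK
    else
        echo FAIL
    fi
}

echo "right CA file:          $(check_issuer "$WORK/good-cert.pem" "$WORK/server-cert.pem")"
echo "wrong CA file:          $(check_issuer "$WORK/other-cert.pem" "$WORK/server-cert.pem")"
echo "CN matches $HOST:  $(check_cn "$WORK/server-cert.pem" "$HOST")"
echo "CN matches localhost:   $(check_cn "$WORK/server-cert.pem" localhost)"
echo "hashed CA directory:    $(check_cadir "$WORK/server-cert.pem")"
```

The "wrong CA file" and "CN matches localhost" lines are the two failure modes from the thread: the first is what produces the unknown CA alert, the second is why a cert whose CN is the FQDN still fails when ldapsearch is pointed at localhost. To run the same checks against a real server, replace server-cert.pem with the file dumped by `certutil -L -a` and the CA file with whatever TLS_CACERT points at.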
