[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Jeff Gamsby JFGamsby at lbl.gov
Sat Jun 3 05:29:32 UTC 2006


> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>> I'm not sure I understand what's going on either, but the message
>>>> "Peer does not recognize and trust the CA that issued your
>>>> certificate." means that ldapsearch did not verify your LDAP server
>>>> certificate (Server-Cert).  This is usually due to one or both of the
>>>> following:
>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>>> the client cannot resolve it.
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is.  You might try dumping out the server
>>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>>> e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is
>>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>>> certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags?  This
>> is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate                                               CTu,u,u
>> Server-Cert                                                  u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
> certutil: certificate is valid

../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-server-
certutil-bin: certificate is valid

>
> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
> eliminate the OpenSSL certificate so we can help see where the problem
> is. You can have it use the same cert database as the server and that
> should help confirm that the CA and Server certificates are ok. If that
> works then it's likely something with your OpenSSL config that is the
> problem.
>
> rob
>

I'm not sure if I did this right:

../shared/bin/ldapsearch -Z -P slapd-server- -b "" -s base "(objectclass=*)" -v
ldapsearch: started Fri Jun  2 22:23:18 2006

ldap_init( localhost, 389 )
ldaptool_getcertpath -- slapd-server-
ldaptool_getkeypath -- slapd-server-
ldaptool_getmodpath -- (null)
SSL initialization failed: error -8174 (security library: bad database.)

also...

../shared/bin/ldapsearch -P slapd-server- -b "" -s base "(objectclass=*)" -v
ldapsearch: started Fri Jun  2 22:23:41 2006

ldap_init( localhost, 389 )
ldaptool_getcertpath -- slapd-server-
ldaptool_getkeypath -- slapd-server-
ldaptool_getmodpath -- (null)
SSL initialization failed: error -8174 (security library: bad database.)

>>>>>
>>>>>>>
>>>>>>>>>
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on
>>>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
>>>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in
>>>>>>>>>>>>>>> ca-cert.pem`.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>>        additional info: Start TLS request accepted.Server
>>>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>>>> What OS and version are you running?  RHEL3
>>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem).  What does it say in the
>>>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>>>>>> access log:
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
>>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
>>>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
>>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
>>>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>>>>>> am using an OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing
>>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the
>>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my
>>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then
>>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted
>>>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>>>>>> cert's subject DN.  What is the subject DN of your
>>>>>>>>>>>>>>>>>> server cert?  You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

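The two checks Richard lists near the top of the thread (the cn of the leftmost RDN of the server cert's subject DN must equal the fqdn the client connects to, and the CA in the client's CA file must actually have issued Server-Cert), scripted as an added example that is not code from the thread or from Fedora DS. It builds a throwaway CA, a server cert issued by it, and an unrelated CA with openssl; the CA names, the hostname ldap.example.test and the file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduces the two checks Richard
# describes for an "unknown CA" alert against a throwaway CA and server cert
# built here with openssl. Names (Test CA, ldap.example.test) are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one CA, a server cert it issued, and an unrelated CA.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=ldap.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/fdscert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/othercacert.pem" 2>/dev/null
}

# Check 2 from the thread: did the CA in $1 actually issue server cert $2?
# Match on ": OK" in the output rather than the exit code, because old
# openssl versions returned 0 even when verification failed.
issued_by_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Check 1 from the thread: the cn of the leftmost RDN of the subject DN must
# equal the fqdn the client uses. RFC2253 output prints that RDN first.
# (Modern clients match subjectAltName first; the 2006-era client matched cn.)
subject_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Runs both checks; prints which one fails and returns 0 only if both pass.
# $1 = CA cert file, $2 = server cert file, $3 = fqdn the client connects to
check_server_cert() {
  cn=$(subject_cn "$2")
  if [ "$cn" != "$3" ]; then
    echo "FAIL: subject cn '$cn' != fqdn '$3' (hostname check)"; return 1
  fi
  if ! issued_by_ca "$1" "$2"; then
    echo "FAIL: $2 was not issued by the CA in $1"; return 2
  fi
  echo "OK: $2 is issued by the CA in $1 and its cn matches $3"
}
make_test_pki
check_server_cert "$WORK/cacert.pem" "$WORK/fdscert.pem" ldap.example.test
```

Point the first argument at the file named by TLS_CACERT in ldap.conf and the second at the PEM dumped with certutil -L -a to run the same checks against a real Server-Cert.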