[389-users] Problems with replication over SSL
Dan Weintraub
dweintraub+fds at vecna.com
Wed Jun 17 21:48:47 UTC 2009
Hi all,
I've been looking into this and I first found out that your suspicions
are correct. The trust attributes on my CA certificate are incorrect.
certutil -L shows them as "CT,,"
To fix this I tried the modify command,
certutil -M -n cacert -t CTu,u,u -d .
It gives no error, but unfortunately, does nothing and certutil -L still
shows me "CT,,"
I thought this might have been because I used openssh tools instead of
certutil, so I removed all my certificates and created a new CA with
certutil, specifying "CTu,u,u" on the command line when I created the CA
cert. I then added the CA with the Certificate Manager and did a
certutil -L only to find that it was marked "CT,," I tried to modify
this certificate with certutil -M, but it still doesn't work.
Do I have some permissions wrong somewhere? Am I using the tools
incorrectly? Any suggestions?
Thanks in advance,
Dan
jean-Noël Chardron wrote:
> hi,
>
> Dan Weintraub a écrit :
>> Thanks, that's exactly what I was following. Now that I've got the
>> port corrected I'm getting a certificate error despite having the
>> correct certificates setup (or so I thought...) I'll read through that
>> documentation you posted and see if I can sort it out.
>>
>> Thanks,
>> Dan
>>
>> PS
>> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed,
>> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
>> Runtime error -8172
>
>> (Peer's certificate issuer has been marked as not trusted by the user.)
>>
> Can you post the output of the command :
> #certutil -L -d /path/of/directory/where/is/the/certificate/
>
> The path of the directory where is the certificate has 2 files : key3.db
> and cert8.db
>
> For example, on my server the output is :
> # certutil -L -d /etc/dirsrv/slapd-aragon/
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> CNRS2-Standard CT,C,C
> aragon.dr15.cnrs.fr Cert u,u,u
> CNRS-Standard CT,C,C
> CNRS CT,C,C
> CNRS2 CT,C,C
>
> I suppose (it's a hypothesis) that your certificate doesn't have the
> tag u,u,u or something like this or the CA can't trust the certificate
>
>> John A. Sullivan III wrote:
>
>>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
>>>> Hi all,
>>>>
>>>> I'm trying to setup replication over ssl and am running into
>>>> problems. I
>>>> first tried it unencrypted and all worked fine. I then copied over the
>>>> consumer's CA certificate and set up replication with SSL and Simple
>>>> Authentication. It doesn't work and I now get the following errors:
>>>>
>>>> When I set it up:
>>>> supplier error log:
>>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
>>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
>>>> server), Netscape Portable Runtime error -5938 (Encountered end of
>>>> file.)
>>>>
>>>> these appear thereafter:
>>>> consumer access log:
>>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from
>>>> 10.1.1.100 to 10.1.1.101
>>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71
>>>> (Protocol error) - B1
>>>>
>>>> consumer error log:
>>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message
>>>> (tag
>>>> 0x80, expected 0x30)
>>>>
>>>> Versions:
>>>> Supplier:
>>>> fedora-ds-1.1.2-1.fc6
>>>> fedora-ds-dsgw-1.1.1-1.fc6
>>>> fedora-ds-base-1.1.3-2.fc6
>>>> fedora-ds-admin-1.1.6-1.fc6
>>>> fedora-ds-admin-console-1.1.2-1.fc6
>>>> fedora-ds-console-1.1.2-1.fc6
>>>>
>>>> Consumer:
>>>> fedora-ds-admin-1.1.7-3.fc6
>>>> fedora-ds-admin-console-1.1.3-1.fc6
>>>> fedora-ds-base-1.2.0-2.fc6
>>>> fedora-ds-dsgw-1.1.2-1.fc6
>>>> fedora-ds-console-1.2.0-1.fc6
>>>> fedora-ds-1.1.3-1.fc6
>>>>
>>>> I'm at a loss as to how to proceed with troubleshooting and would
>>>> appreciate any suggestions.
>>>>
>>>> Thanks,
>>>> Dan Weintraub
>>> <snip>
>>> Hi, Dan. Here is a snippet from our internal documentation. I apologize
>>> that I don't have time to customize it or analyze your issue more deeply
>>> but perhaps our findings will help you in your environment. Given
>>> Rich's comment, I wonder if you were stung by the same error in
>>> documentation we noted below:
>>>
>>> Go back to the centos-idm-console on ldap1
>>> Go to the Configuration tab, select the userRoot under the
>>> Replication
>>> object in the left panel. Left/right client and choose New
>>> Replication
>>> Agreement
>>> The name is "mycompany.com ldap1->ldap2" and the Description is
>>> "Replicates mycompany.com from ldap1 to ldap2". Click Next.
>>> Set the Consumer to ldap2.mycompany.com:389 from the drop down
>>> box (389 is correct even though we are really using 636) - Oops!
>>> That is not true despite what the documentation says. Click
>>> other and create a new entry for ldap2.mycompany.com on port
>>> 636.
>>> Enable the SSL connection.
>>> Enter cn=repuser,cn=config for the Bind As and enter the
>>> password.
>>> Click Next and then Next again.
>>> We will always keep directories in sync so click Next again.
>>> Choose Initialize Consumer Now and click Next
>>> Click Done
>>>
>>> If you need more details, e.g., about how we set up SSL, I posted most
>>> of our internal procedure a day or two ago on this mailing list in
>>> response to a post entitled "Developting a CentOS-DS setup". You can
>>> find much more detail there.
>>>
>>> Good luck - John
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
More information about the 389-users
mailing list