Hello everyone, I seem to have a problem with setting up secure connections with my LDAP server. I believe the problem has mainly to do with my certificates rather than anything else. I used the tutorial provided by the OpenLDAP admin guide to generate my certificates http://damncoolpics.blogspot.com/2008/09/oktoberfest-2008-in-munich.html
My slapd.conf file has the following entries:

    #SSL/TLS Options
    TLSCipherSuite HIGH:MEDIUM
    TLSCACertificateFile /usr/local/etc/slapd-cacert.pem
    TLSCertificateFile /usr/local/etc/slapd-cert.pem
    TLSCertificateKeyFile /usr/local/etc/slapd-key.pem
and my ldap.conf:

    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_CACERT /etc/openldap/cacerts/slapd-cert.pem

slapd-cacert.pem is the certificate of the CA.
slapd-cert.pem is the server certificate (same copy on client and server).
slapd-key.pem is the server key (I manually removed the certificate request that was generated by the process on the link above).
I start the server using /usr/local/libexec/slapd -h ldap:/// (also tried the -d 9 flag for debugging), and when I use ldapsearch I get the following errors.
(from the client) ldapsearch -x -ZZ (I have most of the settings in my ldap.conf)
    ldap_start_tls: Connect error (-11)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
(from the server with the -d 9 flag) I get a load of stuff, but the important part seems to be the following:

    TLS trace: SSL3 alert read:fatal:unknown CA
    TLS trace: SSL_accept:failed in SSLv3 read client certificate A
    TLS: can't accept.
    TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
    connection_read(12): TLS accept failure error=-1 id=0, closing
When I try a search without the -ZZ flag everything works fine. When I created the certificates I tried different common names. I tried the IP address, the fully qualified name (as shown below), the short name, even my name, but no luck. I have read the proper RFC but could not get any useful information. By the way, I have a local DNS server and the domain name should match the correct IP address (and the reverse).
Truth is I do not know much about SSL and certificates, so I might be missing something. Just for your information, the certificate authority is the same as the LDAP server. I will provide the certificates below, with email and addresses altered. Also the hashes have been altered so key and cert will not match. I merely provide them just in case you see something wrong in the syntax.
The server certificate
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=GB, ST=Oxfordshire, O=Company, OU=IT, CN=ldapserver.eng.mydomain.com/emailAddress=admin@mydomain.com
            Validity
                Not Before: Sep 29 09:49:07 2008 GMT
                Not After : Sep 29 09:49:07 2009 GMT
            Subject: C=GB, ST=Oxfordshire, L=Abingdon, O=Company, OU=IT, CN=ldapserver.eng.mydomain.com/emailAddress=admin@mydomain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit): [hex omitted]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    1F:9F:4E:5A:C8:61:53:4B:5F:50:28:84:F8:D7:45:54:C0:C9:7E:67
                X509v3 Authority Key Identifier:
                    keyid:7C:5A:92:7E:5C:6B:3E:9B:0E:87:46:7C:FB:27:8F:34:AD:42:3B:27
The CA certificate
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=GB, ST=Oxfordshire, O=Company, OU=IT, CN=ldapserver.eng.mydomain.com/emailAddress=admin@mydomain.com
            Validity
                Not Before: Sep 29 09:48:17 2008 GMT
                Not After : Sep 29 09:48:17 2011 GMT
            Subject: C=GB, ST=Oxfordshire, O=Company, OU=IT, CN=ldapserver.eng.mydomain.com/emailAddress=admin@mydomain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit): [hex omitted]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    7C:5A:92:7E:5C:5B:3E:9B:0E:87:46:7C:FB:27:8F:34:AE:42:3B:27
                X509v3 Authority Key Identifier:
                    keyid:7C:5A:92:7E:5C:5B:3E:9B:0E:87:46:7C:FB:27:8F:34:AE:42:3B:27
and finally the server key, which I modified slightly by removing a certificate request entry.
Any ideas would be welcome
Best Regards Nick
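For anyone working through the same "certificate verify failed" / "unknown CA" pair, here is an added example (not from the post above, and not OpenLDAP's code) that assumes only the openssl CLI on PATH. It builds a throw-away CA and server certificate with made-up names and runs the three checks that separate the usual causes: the file the client names in TLS_CACERT is not actually a CA certificate (self-signed with CA:TRUE), the server certificate does not verify against that file, or the server key does not belong to the server certificate; in the post, note that the client's TLS_CACERT names slapd-cert.pem while the server's TLSCACertificateFile names slapd-cacert.pem, so the first check is the one to run against each of those files.

```shell
#!/bin/sh
# Added example, not from the original post; assumes the openssl CLI is on PATH.
# Builds a throw-away CA plus a server cert it signed, then runs the checks that
# tell apart the usual causes of "certificate verify failed" / "unknown CA":
# TLS_CACERT naming a file that is not a CA, a server cert that does not chain
# to that CA, or a server key that does not belong to the server cert.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Usable as a trust anchor only if self-signed (subject == issuer) AND CA:TRUE.
is_trust_anchor() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-zA-Z]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-zA-Z]*= *//')
    [ "$subj" = "$iss" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
# Does the server cert verify against this CA file (the file TLS_CACERT must name)?
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Does the private key belong to the cert? The RSA modulus must be identical.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Constructed test material: a CA carrying CA:TRUE and a server cert it signed.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -new -x509 -sha256 -days 2 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=ldapserver.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ldapserver.example.test\n' > "$WORK/srv.ext"
openssl x509 -req -sha256 -days 2 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" 2>/dev/null

for f in ca.pem srv.pem; do
    is_trust_anchor "$WORK/$f" && echo "$f: usable as TLS_CACERT" || echo "$f: not a CA cert"
done
chains_to "$WORK/ca.pem" "$WORK/srv.pem" && echo "srv.pem chains to ca.pem"
key_matches "$WORK/srv.pem" "$WORK/srv.key" && echo "srv.key matches srv.pem"
```

Point the three functions at your own slapd-cacert.pem, slapd-cert.pem and slapd-key.pem to get a yes/no answer for each cause before re-reading any RFC.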