8:18 a.m.
All,
My set up consists of three servers each syncing with each other. The host
names are:
1) mm-server1.example.ldap
2) mm-server2.example.ldap
3) mm-server3.example.ldap
Utilizing TLSv1, on all three I have:
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
olcTLSCertificateKeyFile:
/usr/local/openldap/etc/openldap/CA/private/cakey.pem
olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
Configured with self-signed wild-card certs, originally configured (using
openssl 0.9.8) on mm-server2 and exported to the other servers.
When running ldapmodify, ldapsearch, etc with a "-Z", and openssl s_client
on mm-server1 or mm-server3 or any client pointing back to mm-server1 or 3,
I receive the following error:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed
certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed
certificate)
Running any of those to mm-server2, it works with no such error.
I am guessing, that since the certs were created on mm-server2, originally,
that is why it works this way. Also, guessing I missed a step somewhere.
I read online a post from 2005 with a good explanation of self-signed from
Howard Chu about a similar problem.
What is the best procedure for creating wild-card certs and sharing those
out to other servers? The procedure that was used was from openssl.org so
it was not a fly-by-night weblog.
What did I miss (besides: a lot)?
Thanks in advance,
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Surveillance Systems Group
244 Wood St
Lexington, MA 02420
Ph: (781) 981-1609
Email: john.borresen(a)ll.mit.edu
9:57 a.m.
Am Mon, 10 Mar 2014 11:18:14 -0400
schrieb "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu>:
All,
My set up consists of three servers each syncing with each other.
The host names are:
1) mm-server1.example.ldap
2) mm-server2.example.ldap
3) mm-server3.example.ldap
Utilizing TLSv1, on all three I have:
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
this should be opcTLSCAcertificateFile
olcTLSCertificateKeyFile:
/usr/local/openldap/etc/openldap/CA/private/cakey.pem
you are misssing the host certificate, something like
olcTLSCertificateFile /usr/local/openldap/etc/openldap/CA/host.pem
olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
Configured with self-signed wild-card certs, originally configured
(using openssl 0.9.8) on mm-server2 and exported to the other servers.
When running ldapmodify, ldapsearch, etc with a "-Z", and openssl
s_client on mm-server1 or mm-server3 or any client pointing back to
mm-server1 or 3, I receive the following error:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate)
Running any of those to mm-server2, it works with no such error.
I am guessing, that since the certs were created on mm-server2,
originally, that is why it works this way. Also, guessing I missed a
step somewhere.
I read online a post from 2005 with a good explanation of self-signed
from Howard Chu about a similar problem.
What is the best procedure for creating wild-card certs and sharing
those out to other servers? The procedure that was used was from
openssl.org so it was not a fly-by-night weblog.
What did I miss (besides: a lot)?
Thanks in advance,
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Surveillance Systems Group
244 Wood St
Lexington, MA 02420
Ph: (781) 981-1609
Email: john.borresen(a)ll.mit.edu
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
10:33 a.m.
Thanks Dieter...
As I stated I saw Howard Chu's response to an individual in 2005 with a similar issue
and he stated then, " For the slapd server you use the corresponding
TLSCACertificateFile directive. You must use these configuration directives if you want to
accept a self-signed cert."
I did add the olcTLSCACertificateFile attribute (just forgot to list it in my original
post). Was not certain at the time if the "olcTLSCertificateFile" should be
removed so I did not remove it. So, before I do remove it, the attribute should be
"olcTLSCACertificateFile" instead of "olcTLSCertificateFile" (and this
should be removed), correct?
The CA directories on all three servers look like this:
# ll
total 28
lrwxrwxrwx 1 root root 10 Jan 24 11:44 600f07a1.0 -> cacert.pem --> client hash
-rw-r--r-- 1 ldap ldap 5136 Jan 17 12:15 cacert.pem --> Self-signed certificate
-rw-r--r-- 1 ldap ldap 1090 Jan 17 12:07 cert.csr --> Certificate Signing Request
-rw-r--r-- 1 ldap ldap 1757 Jan 17 12:23 client.pem --> Client Certificate PEM
-rw-r--r-- 1 ldap ldap 0 Jan 14 16:20 index.txt
drwxr-xr-x 2 ldap ldap 4096 Jan 14 16:18 newcerts (empty)
drwxr-xr-x 2 ldap ldap 4096 Jan 17 12:06 private --> server private key directory
(cakey.pem)
-rw-r--r-- 1 ldap ldap 3 Jan 17 11:59 serial
This may sound like a dumb question...
I created the client.pem from the cacert.pem (as indicated on openssl.org) then copied
that to each client. Is there a step I missed in there?
If so, where?
Thanks in advance
John
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter Klünter
Sent: Monday, March 10, 2014 12:58 PM
To: openldap-technical(a)openldap.org
Subject: Re: TLS QUESTION
Am Mon, 10 Mar 2014 11:18:14 -0400
schrieb "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu>:
All,
My set up consists of three servers each syncing with each other.
The host names are:
1) mm-server1.example.ldap
2) mm-server2.example.ldap
3) mm-server3.example.ldap
Utilizing TLSv1, on all three I have:
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
this should be opcTLSCAcertificateFile
olcTLSCertificateKeyFile:
/usr/local/openldap/etc/openldap/CA/private/cakey.pem
you are misssing the host certificate, something like olcTLSCertificateFile
/usr/local/openldap/etc/openldap/CA/host.pem
olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
Configured with self-signed wild-card certs, originally configured
(using openssl 0.9.8) on mm-server2 and exported to the other servers.
When running ldapmodify, ldapsearch, etc with a "-Z", and openssl
s_client on mm-server1 or mm-server3 or any client pointing back to
mm-server1 or 3, I receive the following error:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate)
Running any of those to mm-server2, it works with no such error.
I am guessing, that since the certs were created on mm-server2,
originally, that is why it works this way. Also, guessing I missed a
step somewhere.
I read online a post from 2005 with a good explanation of self-signed
from Howard Chu about a similar problem.
What is the best procedure for creating wild-card certs and sharing
those out to other servers? The procedure that was used was from
openssl.org so it was not a fly-by-night weblog.
What did I miss (besides: a lot)?
Thanks in advance,
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Surveillance Systems Group
244 Wood St
Lexington, MA 02420
Ph: (781) 981-1609
Email: john.borresen(a)ll.mit.edu
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
3556
days inactive
3556
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Borresen, John - 0442 - MITLL -
Dieter Klünter