Hello everyone, I hope I'm at the right place for this kind of question; please tell me if I'm wrong.
I just installed openldap as a proxy for AD. The proxy in itself works fine; I have made a few ldapsearch queries and got the results I was expecting.
Now I want to add TLS to it for security reasons.
I'm using openldap 2.4.42 on Ubuntu 16.04.1 LTS. Unfortunately it's built with gnutls, which I don't know much about; I would have preferred it to be built with openssl.
So I'm trying to make TLS work, so I added these to slapd.conf:
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/SSL/LDAP/certificate_chain.cer.pem.gnutls
TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem
TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem
TLSVerifyClient never
security ssf=128
I also used certtool (the gnutls tool) to validate my certificate.
I can verify my certificate_chain.cer.pem.gnutls with certtool, so the file in itself is okay:
certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
I can also verify the whole chain if I make a file containing the 3 certs: CA, Intermediate and Server.
certtool -e --infile full_chain.pem --verify-hostname p01ldp5001.services.local --verify-purpose 1.3.6.1.5.5.7.3.1
Loaded 3 certificates, 1 CAs and 0 CRLs
Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
Output: Verified. The certificate is trusted.
Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Checked against: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Yet when I try to start the server I get this error:
main: TLS init def ctx failed: -1
Can someone help me with this?
Patrick Ouellet, Linux Administrator, Operation VPSI, Groupe Promutuel, 2000, boulevard Lebourgneuf, 4e étage, Québec (Québec) G2K 0B6. Tel. 418 840-1188, ext. 2393 / 1 800 510-4630; fax 418 840-9900; https://www.promutuelassurance.ca/
On Fri, 2 Dec 2016 12:17:07 +0000, Patrick.Ouellet@promutuel.ca wrote:
man slapd.conf(5), search for TLS Options for GnuTLS, in particular TLSCipherSuite options.
-Dieter
On Fri, Dec 02, 2016 at 12:17:07PM +0000, Patrick.Ouellet@promutuel.ca wrote:
Chain verification output: Verified. The certificate is trusted.
Yet when I try to start the server I get this error
main: TLS init def ctx failed: -1
Can someone help me with this?
Does the openldap user have permissions to read the certificate and private key?
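Added example, not from the thread or from OpenLDAP: a small Python linter that covers the two checks the replies raise. A slapd built against GnuTLS hands TLSCipherSuite to GnuTLS as a priority string, so OpenSSL cipher-list keywords such as HIGH are not understood there, and the certificate and key files must be readable by the account slapd runs as. The keyword sets, the uid/gid values and the EXAMPLE_CONF string are assumptions and constructed sample input.

```python
# Hypothetical slapd.conf TLS linter, not OpenLDAP code: is TLSCipherSuite GnuTLS
# priority-string syntax, and can the slapd user read the certificate and key files?
import os, stat

GNUTLS_LEVELS = {"NONE", "NORMAL", "PERFORMANCE", "SECURE128", "SECURE192",
                 "SECURE256", "SUITEB128", "SUITEB192", "LEGACY", "PFS"}
OPENSSL_ONLY = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "EXPORT", "EXP",
                "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT"}
FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")
# The poster's directives, one per line (constructed sample; paths as posted).
EXAMPLE_CONF = ("TLSCipherSuite HIGH:!NULL\n"
                "TLSCertificateFile /etc/SSL/LDAP/p01ldp5001.cer.pem\n"
                "TLSCertificateKeyFile /etc/SSL/LDAP/p01ldp5001.key.pem\n")

def parse_tls_directives(conf_text):
    """Return {directive: value} for the TLS* lines of a slapd.conf."""
    pairs = [line.split(None, 1) for line in conf_text.splitlines()]
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2 and p[0].upper().startswith("TLS")}

def check_cipher_suite(value):
    """Flag a string a GnuTLS-built slapd cannot parse as a priority string."""
    if value.split(":")[0].upper() in OPENSSL_ONLY:
        return ("TLSCipherSuite %r is OpenSSL cipher-list syntax; GnuTLS expects "
                "a priority string such as SECURE128:!NULL" % value)
    return None

def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """POSIX read check: can uid (member of gids) read a file with this mode/owner?"""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    return bool(mode & (stat.S_IRGRP if owner_gid in gids else stat.S_IROTH))

def audit(conf_text, uid, gids, file_stats):
    """file_stats maps path -> (mode, owner_uid, owner_gid); see stat_files()."""
    tls = parse_tls_directives(conf_text)
    bad = check_cipher_suite(tls.get("TLSCipherSuite", "NORMAL"))
    findings = [bad] if bad else []
    for d in (d for d in FILE_DIRECTIVES if d in tls):
        path = tls[d]
        if path not in file_stats or not readable_by(*file_stats[path], uid, gids):
            findings.append("%s: %s is missing or not readable by uid %d" % (d, path, uid))
        elif d == "TLSCertificateKeyFile" and file_stats[path][0] & stat.S_IROTH:
            findings.append("%s: private key %s is world-readable" % (d, path))
    return findings

def stat_files(paths):  # build file_stats from disk for the paths that exist
    sts = {p: os.stat(p) for p in paths if os.path.exists(p)}
    return {p: (stat.S_IMODE(s.st_mode), s.st_uid, s.st_gid) for p, s in sts.items()}
```

On a real host, look up the slapd account with pwd/grp and pass `stat_files(parse_tls_directives(conf).values())` as file_stats; the constructed run below uses uid 112 / gid 118 as the assumed openldap account.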
openldap-technical@openldap.org