Hi Hauke,
I've followed the mini tutorial and got stuck at the path for the server certificates in your tutorial. The path is not correct for slapd. Can you verify?
TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem
thanks
----- Original Message ---- From: Hauke Coltzau hauke.coltzau@FernUni-Hagen.de To: Dat Duong datduong2000@yahoo.com Cc: openldap-technical openldap-technical@openldap.org Sent: Thursday, October 9, 2008 12:46:00 AM Subject: AW: Re: AW: Re: AW: StartTLS is not working
Hi Dat,
I've added the below to /etc/openldap/ldap.conf on RHEL 5: TLS_CACERT /etc/openldap/cacerts/ServerCA.chain.pem TLS_REQCERT demand
and still getting errors messages... below:
TLS certificate verification: Error, self signed certificate
The LDAP server does not send a server certificate but a self signed certificate. Are you sending the RootCA's certificate? Create a server certificate as described in the tutorial and let your LDAP server use this.
I assume that you will have to read a bit more about certificates and openssl to understand all the steps of the mini tutorial.
Rergards,
Hauke
----- Original Message ---- From: Hauke Coltzau hauke.coltzau@FernUni-Hagen.de To: openldap-software openldap-software@openldap.org Cc: Dat Duong datduong2000@yahoo.com Sent: Wednesday, October 8, 2008 2:09:11 AM Subject: AW: Re: AW: StartTLS is not working
Hi Dat,
glad to see that the first problem has been solved now.
As Dieter already pointed out, we need to know how the certificates have been created. As a rough overview, you will need to run through following steps:
0. Understand the basic idea:
At the end of this MiniHowto, you will have three certification authorities:
UserCA: For user certificates (usually password protected) ServerCA: For server certificates (usually NOT password protected)
RootCA: The CA that everyone has to trust in the end. This CA only exists to create and verify the UserCA and ServerCA.
For your LDAP server, you create a server certificate with your ServerCA. The LDAP clients will accept the LDAP certificate as long as they trust the ServerCA. They will trust the ServerCA because they trust the RootCA. To make them do so, you will need the certificates of the ServerCA AND the RootCA on each client. Just to make sure: We are not talking about copying the LDAP certificate to the client. Instead, you will copy the CA certificates to the client.
1. Create directory structure and files containing random numbers (need to be root for this):
# Make sure uuencode is installed. On Debian based # systems, type # # apt-get install sharutils #
cd /usr/lib/ssl/
for i in RootCA ServerCA UserCA; do mkdir -p $i/newcerts; mkdir $i/certs; mkdir $i/crl; mkdir $i/private; touch $i/index.txt; echo 01 > $i/serial; chmod -R g-rwx,o-rwx $i; done
for i in `find /usr/lib/ssl/ -name private` do cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g" | tail -18 | xargs | sed "s/ //g" > $i/.rand chmod 770 $i/.rand ls -l $i/.rand done
At the end of this step, you will have three subdirectories in /usr/lib/ssl:
RootCA: Contains the root CA's self-signed certificate and private key as well as the certificates created by the root CA.
ServerCA: Contains the CA which is used to create server certificates. Again, the directory contains of the server CA's certificate and key as well as the certificates created by the server CA.
UserCA: Contains the CA which is used to create user certificates.
2. openssl.cnf
Adapt your openssl.cnf (should be in /usr/lib/ssl, too) to have proper entries for each of the CAs:
HOME = /usr/lib/ssl
[ RootCA ]
dir = /usr/lib/ssl/RootCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/RootCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/RootCA.key.pem RANDFILE = $dir/private/.rand policy = policy_match x509_extensions = ca_cert
[ ServerCA ]
dir = /usr/lib/ssl/ServerCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/ServerCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/ServerCA.key.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert
(Same with [ UserCA ])
There are more options to be set, but they depend on your environment. Have a look at the default_days, default_md, ... parameters.
1. Create a self signed certificate (RootCA):
cd /usr/lib/ssl/RootCA
# Create the private key first # You will be asked for a new pasword here. Make it a good one and remember it ;-) openssl genrsa -aes256 -out /usr/lib/ssl/RootCA/private/RootCA.key.pem -rand /usr/lib/ssl/RootCA/private/.rand 2048
chmod g-rwx,o-rwx /usr/lib/ssl/RootCA/private/RootCA.key.pem
# Now create a certification request. Because the cert is self-signed, this # directly creates the RootCA's certificate. You will be asked for the # password you just created. # # All in one line: openssl req -new -x509 -days 1827 -key /usr/lib/ssl/RootCA/private/RootCA.key.pem -out /usr/lib/ssl/RootCA/RootCA.cert.pem
# Copy the certificate to the certs directory and create a link named like # the cert's hash value cp RootCA.cert.pem certs/00.pem
cd certs ln -s /usr/lib/ssl/RootCA/certs/00.pem `openssl x509 -hash -noout -in 00.pem`.0
Now you should have the cert (00.pem) and something like 1a2783e8.0 pointing to /usr/lib/ssl/RootCA/00.pem
2. Create the ServerCA
cd /usr/lib/ssl/ServerCA
# Create the private key for the ServerCA # You will be asked for a new password here. Do not make it the same as the RootCA's # password, but still - make it a good one. # openssl genrsa -aes256 -out /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -rand /usr/lib/ssl/ServerCA/private/.rand 2048
chmod g-rwx,o-rwx /usr/lib/ssl/ServerCA/private/ServerCA.key.pem
# Create the certification request. You will be asked for the # newly created password. # (All in one line)
openssl req -new -days 1827 -key /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -out /usr/lib/ssl/ServerCA/ServerCA.req.pem
# Let the RootCA sign the request and create the certificate. # You will need the RootCA's password for this. # openssl ca -name RootCA -in /usr/lib/ssl/ServerCA/ServerCA.req.pem -out /usr/lib/ssl/ServerCA/ServerCA.cert.pem
# Copy and link the certificate. # mv /usr/lib/ssl/RootCA/newcerts/01.pem /usr/lib/ssl/RootCA/certs/ cd /usr/lib/ssl/RootCA/certs/ ln -s 01.pem `openssl x509 -in 01.pem -hash -noout`.0
# And copy the part neccessary for browser integration into # another file (this is the part between BEGIN CERTIFICATE and END CERTIFICATE) # cd /usr/lib/ssl/ServerCA sed -n '/-----BEGIN CERTIFICATE-----/,$p' ServerCA.cert.pem > ServerCA.crt
# Create the CACerts file used on the client side to verify a server cert
mkdir /usr/lib/ssl/cacerts/ cat /usr/lib/ssl/RootCA/RootCA.cert.pem /usr/lib/ssl/ServerCA/ServerCA.cert.pem > /usr/lib/ssl/cacerts/ServerCA.chain.pem
# The newly created file (ServerCA.chain.pem) is the CACertsFile which has to be copied # to every client. Create a /usr/lib/ssl/cacerts/ directory on the client side and copy # the file to that location.
3. Do the same with the User CA
4. Create your LDAP server certificate. As for the name in your cert, use the fqdn of the machine you are running the server on.
cd /usr/lib/ssl/ServerCA
# You will NOT need a password here # openssl genrsa -out <fqdn-of-your-server>.key.pem -rand ./private/.rand 2048 openssl req -new -key <fqdn-of-your-server>.key.pem -out <fqdn-of-your-server>.req.pem
# But here, you will be asked for the ServerCA's password openssl ca -name ServerCA -in <fqdn-of-your-server>.req.pem -out <fqdn-of-your-server>.cert.pem
Move and link the new certificate (in newcerts) as above.
5. Configure LDAP server and clients
Make sure that your ldap server can read its own private key. If your ldap server is running as user openldap, make sure that this user owns the private key in /usr/lib/ssl/ServerCA/private/
Normal users should never be allowed to read the key! This would break the whole security mechanism.
In your slapd.conf, you will have
TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem
And on client side ldap.conf:
TLS_CACERT /usr/lib/ssl/cacerts/ServerCA.chain.pem TLS_REQCERT demand
Hope this helps,
Hauke
p.s.: The description is strongly influenced by Frank Steidl's tutorial as it can be found at http://fra.nksteidl.de/Erinnerungen/OpenSSL.php
----- Ursprüngliche Mail ----- Von: "Dieter Kluenter" < dieter@dkluenter.de > An: openldap-technical@openldap.org Gesendet: Dienstag, 7. Oktober 2008 22:34:14 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: StartTLS is not working
Dat Duong < datduong2000@yahoo.com > writes:
Hi Hauke,
I still can't get TLS to work. Here is the error message.
TLS certificate verification: Error, self signed certificate tls_write: want=7, written=7 0000: 15 03 01 00 02 02 30 ......0 TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please describe the parameters to create your certificate chain. I presume you have not signed your certificates with a known certificate authority.
-Dieter
Hi Dat,
please read the openssl man pages and make yourself familiar with the creation of certificates. There are a lot things which can be done just the wrong way, which only creates a lot of frustration. Take the time and do some reading, you will save that time later on.
To your problem. The quistions are: Where did you store the certificate for your LDAP server? Where did you store the private key?
If you followed the tutorial then you should have the server's certificate and private key under /usr/lib/ssl/ServerCA/ and it's name should be something like host.yourdomain.com.cert.pem
Make a
find /usr/lib/ssl/ -name "*.pem"
This should show you every certificate you generated.
Best regards,
Hauke
----- Ursprüngliche Mail ----- Von: "Dat Duong" datduong2000@yahoo.com An: "Hauke Coltzau" hauke.coltzau@FernUni-Hagen.de CC: "openldap-technical" openldap-technical@openldap.org Gesendet: Donnerstag, 9. Oktober 2008 10:02:13 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: Re: AW: Re: AW: StartTLS is not working
Hi Hauke,
I've followed the mini tutorial and got stuck at the path for the server certificates in your tutorial. The path is not correct for slapd. Can you verify?
TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem
thanks
----- Original Message ---- From: Hauke Coltzau hauke.coltzau@FernUni-Hagen.de To: Dat Duong datduong2000@yahoo.com Cc: openldap-technical openldap-technical@openldap.org Sent: Thursday, October 9, 2008 12:46:00 AM Subject: AW: Re: AW: Re: AW: StartTLS is not working
Hi Dat,
I've added the below to /etc/openldap/ldap.conf on RHEL 5: TLS_CACERT /etc/openldap/cacerts/ServerCA.chain.pem TLS_REQCERT demand
and still getting errors messages... below:
TLS certificate verification: Error, self signed certificate
The LDAP server does not send a server certificate but a self signed certificate. Are you sending the RootCA's certificate? Create a server certificate as described in the tutorial and let your LDAP server use this.
I assume that you will have to read a bit more about certificates and openssl to understand all the steps of the mini tutorial.
Rergards,
Hauke
----- Original Message ---- From: Hauke Coltzau < hauke.coltzau@FernUni-Hagen.de > To: openldap-software < openldap-software@openldap.org > Cc: Dat Duong < datduong2000@yahoo.com > Sent: Wednesday, October 8, 2008 2:09:11 AM Subject: AW: Re: AW: StartTLS is not working
Hi Dat,
glad to see that the first problem has been solved now.
As Dieter already pointed out, we need to know how the certificates have been created. As a rough overview, you will need to run through following steps:
0. Understand the basic idea:
At the end of this MiniHowto, you will have three certification authorities:
UserCA: For user certificates (usually password protected) ServerCA: For server certificates (usually NOT password protected)
RootCA: The CA that everyone has to trust in the end. This CA only exists to create and verify the UserCA and ServerCA.
For your LDAP server, you create a server certificate with your ServerCA. The LDAP clients will accept the LDAP certificate as long as they trust the ServerCA. They will trust the ServerCA because they trust the RootCA. To make them do so, you will need the certificates of the ServerCA AND the RootCA on each client. Just to make sure: We are not talking about copying the LDAP certificate to the client. Instead, you will copy the CA certificates to the client.
1. Create directory structure and files containing random numbers (need to be root for this):
# Make sure uuencode is installed. On Debian based # systems, type # # apt-get install sharutils #
cd /usr/lib/ssl/
for i in RootCA ServerCA UserCA; do mkdir -p $i/newcerts; mkdir $i/certs; mkdir $i/crl; mkdir $i/private; touch $i/index.txt; echo 01 > $i/serial; chmod -R g-rwx,o-rwx $i; done
for i in `find /usr/lib/ssl/ -name private` do cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g" | tail -18 | xargs | sed "s/ //g" > $i/.rand chmod 770 $i/.rand ls -l $i/.rand done
At the end of this step, you will have three subdirectories in /usr/lib/ssl:
RootCA: Contains the root CA's self-signed certificate and private key as well as the certificates created by the root CA.
ServerCA: Contains the CA which is used to create server certificates. Again, the directory contains of the server CA's certificate and key as well as the certificates created by the server CA.
UserCA: Contains the CA which is used to create user certificates.
2. openssl.cnf
Adapt your openssl.cnf (should be in /usr/lib/ssl, too) to have proper entries for each of the CAs:
HOME = /usr/lib/ssl
[ RootCA ]
dir = /usr/lib/ssl/RootCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/RootCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/RootCA.key.pem RANDFILE = $dir/private/.rand policy = policy_match x509_extensions = ca_cert
[ ServerCA ]
dir = /usr/lib/ssl/ServerCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/ServerCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/ServerCA.key.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert
(Same with [ UserCA ])
There are more options to be set, but they depend on your environment. Have a look at the default_days, default_md, ... parameters.
1. Create a self signed certificate (RootCA):
cd /usr/lib/ssl/RootCA
# Create the private key first # You will be asked for a new pasword here. Make it a good one and remember it ;-) openssl genrsa -aes256 -out /usr/lib/ssl/RootCA/private/RootCA.key.pem -rand /usr/lib/ssl/RootCA/private/.rand 2048
chmod g-rwx,o-rwx /usr/lib/ssl/RootCA/private/RootCA.key.pem
# Now create a certification request. Because the cert is self-signed, this # directly creates the RootCA's certificate. You will be asked for the # password you just created. # # All in one line: openssl req -new -x509 -days 1827 -key /usr/lib/ssl/RootCA/private/RootCA.key.pem -out /usr/lib/ssl/RootCA/RootCA.cert.pem
# Copy the certificate to the certs directory and create a link named like # the cert's hash value cp RootCA.cert.pem certs/00.pem
cd certs ln -s /usr/lib/ssl/RootCA/certs/00.pem `openssl x509 -hash -noout -in 00.pem`.0
Now you should have the cert (00.pem) and something like 1a2783e8.0 pointing to /usr/lib/ssl/RootCA/00.pem
2. Create the ServerCA
cd /usr/lib/ssl/ServerCA
# Create the private key for the ServerCA # You will be asked for a new password here. Do not make it the same as the RootCA's # password, but still - make it a good one. # openssl genrsa -aes256 -out /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -rand /usr/lib/ssl/ServerCA/private/.rand 2048
chmod g-rwx,o-rwx /usr/lib/ssl/ServerCA/private/ServerCA.key.pem
# Create the certification request. You will be asked for the # newly created password. # (All in one line)
openssl req -new -days 1827 -key /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -out /usr/lib/ssl/ServerCA/ServerCA.req.pem
# Let the RootCA sign the request and create the certificate. # You will need the RootCA's password for this. # openssl ca -name RootCA -in /usr/lib/ssl/ServerCA/ServerCA.req.pem -out /usr/lib/ssl/ServerCA/ServerCA.cert.pem
# Copy and link the certificate. # mv /usr/lib/ssl/RootCA/newcerts/01.pem /usr/lib/ssl/RootCA/certs/ cd /usr/lib/ssl/RootCA/certs/ ln -s 01.pem `openssl x509 -in 01.pem -hash -noout`.0
# And copy the part neccessary for browser integration into # another file (this is the part between BEGIN CERTIFICATE and END CERTIFICATE) # cd /usr/lib/ssl/ServerCA sed -n '/-----BEGIN CERTIFICATE-----/,$p' ServerCA.cert.pem > ServerCA.crt
# Create the CACerts file used on the client side to verify a server cert
mkdir /usr/lib/ssl/cacerts/ cat /usr/lib/ssl/RootCA/RootCA.cert.pem /usr/lib/ssl/ServerCA/ServerCA.cert.pem > /usr/lib/ssl/cacerts/ServerCA.chain.pem
# The newly created file (ServerCA.chain.pem) is the CACertsFile which has to be copied # to every client. Create a /usr/lib/ssl/cacerts/ directory on the client side and copy # the file to that location.
3. Do the same with the User CA
4. Create your LDAP server certificate. As for the name in your cert, use the fqdn of the machine you are running the server on.
cd /usr/lib/ssl/ServerCA
# You will NOT need a password here # openssl genrsa -out <fqdn-of-your-server>.key.pem -rand ./private/.rand 2048 openssl req -new -key <fqdn-of-your-server>.key.pem -out <fqdn-of-your-server>.req.pem
# But here, you will be asked for the ServerCA's password openssl ca -name ServerCA -in <fqdn-of-your-server>.req.pem -out <fqdn-of-your-server>.cert.pem
Move and link the new certificate (in newcerts) as above.
5. Configure LDAP server and clients
Make sure that your ldap server can read its own private key. If your ldap server is running as user openldap, make sure that this user owns the private key in /usr/lib/ssl/ServerCA/private/
Normal users should never be allowed to read the key! This would break the whole security mechanism.
In your slapd.conf, you will have
TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem
And on client side ldap.conf:
TLS_CACERT /usr/lib/ssl/cacerts/ServerCA.chain.pem TLS_REQCERT demand
Hope this helps,
Hauke
p.s.: The description is strongly influenced by Frank Steidl's tutorial as it can be found at http://fra.nksteidl.de/Erinnerungen/OpenSSL.php
----- Ursprüngliche Mail ----- Von: "Dieter Kluenter" < dieter@dkluenter.de > An: openldap-technical@openldap.org Gesendet: Dienstag, 7. Oktober 2008 22:34:14 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: StartTLS is not working
Dat Duong < datduong2000@yahoo.com > writes:
Hi Hauke,
I still can't get TLS to work. Here is the error message.
TLS certificate verification: Error, self signed certificate tls_write: want=7, written=7 0000: 15 03 01 00 02 02 30 ......0 TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please describe the parameters to create your certificate chain. I presume you have not signed your certificates with a known certificate authority.
-Dieter
openldap-technical@openldap.org