Hello,
I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built against Mozilla NSS. In OpenSSL world, I'd use -- I think -- TLSCACertificateFile /path/to/CA-certificates. Here's what I've tried:
Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 ; save as intermediate.crt
Import with:
# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt
Certutil -L now shows:
# certutil -d /etc/openldap/nssdb/ -L
Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI
geotrust-intermediate                 ,,
ds.clarku.edu                         Pu,Pu,Pu
cn=config looks like this:
olcTLSCACertificateFile: geotrust-intermediate
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu
But still clients cannot verify the cert.
Any Mozilla NSS gurus know what I'm doing wrong?
Thanks,
Aaron
On 02/24/2012 11:15 AM, Aaron Bennett wrote:
See http://www.openldap.org/faq/data/cache/1514.html Using Builtin Root Certs:
From: Rich Megginson [mailto:rich.megginson@gmail.com]
See http://www.openldap.org/faq/data/cache/1514.html Using Builtin Root Certs:
Hi Rich,
Thanks for responding.
I read that. So, I did ln -s /usr/lib64/libnssckbi.so to my nss key directory... doesn't seem to have any effect. If I do certutil -d /etc/openldap/nssdb/ -L -h all then it shows all of those certs as expected, including:
Builtin Object Token:GeoTrust Global CA C,C,C
Builtin Object Token:GeoTrust Global CA 2 C,C,C
Builtin Object Token:GeoTrust Universal CA C,C,C
Builtin Object Token:GeoTrust Universal CA 2 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
Builtin Object Token:GeoTrust Primary Certification Authority - G3 C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority - G2 C,C,C
For GeoTrust. It still shows the geotrust-intermediate cert that I imported:
geotrust-intermediate ,,
as well. But with or without an explicit "olcTLSCACertificateFile: geotrust-intermediate", ldapwhoami -d1 produces:
ldap_url_parse_ext(ldaps://ds.clarku.edu)
ldap_create
ldap_url_parse_ext(ldaps://ds.clarku.edu:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ds.clarku.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 140.232.1.12:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
What am I missing?
On 02/24/2012 11:57 AM, Aaron Bennett wrote:
Is the ldapwhoami client on the same machine as the server? What is the client TLS configuration?
From: Rich Megginson [mailto:rich.megginson@gmail.com] Sent: Friday, February 24, 2012 2:50 PM To: Aaron Bennett Cc: openldap-technical@openldap.org Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
Is the ldapwhoami client on the same machine as the server? What is the client TLS configuration?
No. If I run the ldapwhoami from the server it works correctly. In this particular case, I'm running it from an Ubuntu 11.10 workstation. Apache Directory Studio on Windows also throws a certificate error when trying to connect. Likewise I have reports of failure to connect via PHP-Ldap from a third computer.
Thanks,
Aaron
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Aaron Bennett Sent: Friday, February 24, 2012 3:25 PM To: richm@stanfordalumni.org Cc: openldap-technical@openldap.org Subject: RE: Mozilla NSS -- how to deploy intermediate certificate
One other oddity about this is there are two boxes in play -- one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd behind the hostname 'ds.clarku.edu'. However the cert I have installed on each box is for ds.clarku.edu.
On 02/24/2012 01:31 PM, Aaron Bennett wrote:
No. If I run the ldapwhoami from the server it works correctly. In this particular case, I'm running it from an Ubuntu 11.10 workstation. Apache Directory Studio on Windows also throws a certificate error when trying to connect. Likewise I have reports of failure to connect via PHP-Ldap from a third computer.
TLS/SSL clients need at the very least the CA certificate chain in order to verify the server's certificate.
On other oddity about this is there are two boxes in play -- one's hostname is 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd behind the hostname 'ds.clarku.edu.' However the cert I have installed on each box is for ds.clarku.edu.
Not sure how this works with openldap - the usual way to handle this is to use subjectAltName so that the server's cert has animal.clarku.edu zoot.clarku.edu and ds.clarku.edu
Not sure how this works with openldap - the usual way to handle this is to use subjectAltName so that the server's cert has animal.clarku.edu zoot.clarku.edu and ds.clarku.edu
That's how you do it. For Mozilla clients, you'll want to make sure to list the hostname in the altname list too.
Rich Megginson wrote:
Not sure how this works with openldap - the usual way to handle this is to use subjectAltName so that the server's cert has animal.clarku.edu zoot.clarku.edu and ds.clarku.edu
That's already documented here: http://www.openldap.org/doc/admin24/tls.html
Obviously there is a standard for it and we implement that spec.
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Friday, February 24, 2012 4:37 PM To: richm@stanfordalumni.org Cc: Rich Megginson; Aaron Bennett; openldap-technical@openldap.org Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
That's great -- and I understand, but the error I'm getting is "The issuer certificate is unknown" from Apache Directory Explorer and "TLS: peer cert untrusted or revoked (0x42)" from ldapwhoami. If the cert that's loaded into Mozilla NSS is for 'ds.clarku.edu' and the request is sent for 'ds.clarku.edu', how are animal and zoot coming into play? I'm happy to get a new cert with subjectAltNames as appropriate, but I'm concerned that the issue is an improperly loaded or missing intermediate certificate.
Rich, can you give me some more direction on how to verify that the intermediate certificate is properly deployed?
Thanks for your time,
Aaron
On 02/27/2012 06:26 AM, Aaron Bennett wrote:
Rich, can you give me some more direction on how to verify that the intermediate certificate is properly deployed?
On the client: certutil -d /path/to/nss-cert-db-directory -L
-----Original Message----- From: Rich Megginson [mailto:rich.megginson@gmail.com] Sent: Monday, February 27, 2012 10:57 AM To: Aaron Bennett Cc: openldap-technical@openldap.org Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
On the client: certutil -d /path/to/nss-cert-db-directory -L
Rich, you aren't getting what I'm asking...
If I run "certutil -d /etc/openldap/nssdb/ -L" on the server, it works, and if I try to connect to it from the server using the ldap clients (like ldapwhoami or ldapsearch or whatever) it works.
But, the client is a different computer, in this case, a Windows 7 box running Apache Directory Studio, or an ubuntu workstation running GnuTLS, or whatever, and they don't work -- I get " TLS: peer cert untrusted or revoked (0x42)."
On 02/27/2012 09:14 AM, Aaron Bennett wrote:
OK. I don't know how those clients configure their TLS settings. The only thing I know for sure is that you have to make sure each of those clients has the entire CA cert chain for the CA that issued the LDAP server cert.
Since this is now the top hit for "openldap Mozilla nss intermediate certificate," here's what I ended up doing:
[rant] First of all, I sincerely hate Mozilla NSS. I don't understand why RH decided to build OpenLDAP against it. [/rant]
There, that aside, I noticed in the excellent FAQ at http://www.openldap.org/faq/data/cache/1514.html that "If you previously used OpenLDAP with OpenSSL, and have certificate files, cipher suites, and other TLS settings specified in your configuration files, those settings should work exactly the same way with Mozilla NSS - OpenLDAP with Mozilla NSS knows how to read those settings, files, etc. and apply them in the same way." So, I went to ole-reliable /etc/tls/certs and generated a key and csr, put the key in /etc/tls/private, and put the signed cert in /etc/tls/certs. I also put the geotrust intermediate cert in /etc/tls/certs as well, and then changed cn=config to read:
olcTLSCACertificateFile: /etc/pki/tls/certs/geotrust-intermediate.crt
olcTLSCACertificatePath: /etc/pki/tls/certs
olcTLSCertificateFile: /etc/pki/tls/certs/ds.clarku.edu.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ds.clarku.edu.key
Happy TLS'ing everyone.
- Aaron
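Two questions run through the whole thread: how to check that the intermediate is actually being deployed, and why a certificate issued for ds.clarku.edu behaves differently when the client sits on another machine. Both come down to the same rule Rich states: the client must end up holding the full chain, and the only portable way to get it there is for the server to send the intermediate. The script below is an added illustration, not code from the thread or from OpenLDAP; it builds a throwaway root -> intermediate -> leaf with the openssl CLI and replays the thread's two states: a client that trusts only the root and receives the bare leaf (the "issuer certificate is unknown" / 0x42 case), and the same client receiving leaf plus intermediate. The hostnames are the ones from the thread; the CA names, key sizes, temp directory and the subjectAltName layout are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "peer cert untrusted" vs. a
# working chain with a throwaway root -> intermediate -> leaf built by the
# openssl CLI. Hostnames are the thread's; CA names, key sizes and the temp
# directory are assumptions for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a CA section for root/intermediate and a leaf
# section whose subjectAltName lists the round-robin name and both members.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ds.clarku.edu,DNS:animal.clarku.edu,DNS:zoot.clarku.edu
EOF

# build_chain: self-signed root, intermediate signed by the root, leaf signed
# by the intermediate, plus chain.pem in the order a server must present them
# (leaf first, then the issuing intermediate; the root itself is never sent).
build_chain() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Root CA" -config "$WORK/ext.cnf" -extensions v3_ca \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -config "$WORK/ext.cnf" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions v3_ca \
        -out "$WORK/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ds.clarku.edu" \
        -config "$WORK/ext.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

# verify_as_client TRUSTED HOST [PRESENTED]: emulate a client that trusts only
# TRUSTED, connected to HOST, and received PRESENTED from the server.
# Prints OK, MISSING_ISSUER (the thread's 0x42 / "issuer unknown" symptom),
# HOSTNAME_MISMATCH, or FAIL: <openssl output>.
verify_as_client() {
    trusted=$1 host=$2 presented=$3
    if [ -n "$presented" ]; then
        out=$(openssl verify -CAfile "$trusted" -untrusted "$presented" \
              -verify_hostname "$host" "$WORK/leaf.pem" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$trusted" \
              -verify_hostname "$host" "$WORK/leaf.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*)                                   echo OK ;;
        *"unable to get local issuer certificate"*) echo MISSING_ISSUER ;;
        *[Hh]"ostname mismatch"*)                   echo HOSTNAME_MISMATCH ;;
        *)                                          echo "FAIL: $out" ;;
    esac
}

# chain_length FILE: number of certificates in a PEM bundle (2 = leaf + intermediate).
chain_length() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# san_names: DNS names the leaf is valid for, one per line; every name clients
# connect by (round-robin alias and both members) has to be in here.
san_names() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

build_chain
echo "bare leaf, client trusts root only:     $(verify_as_client "$WORK/root.pem" ds.clarku.edu)"
echo "leaf+intermediate, client trusts root:  $(verify_as_client "$WORK/root.pem" ds.clarku.edu "$WORK/chain.pem")"
echo "same chain, connecting as animal:       $(verify_as_client "$WORK/root.pem" animal.clarku.edu "$WORK/chain.pem")"
echo "same chain, name not in SAN:            $(verify_as_client "$WORK/root.pem" ldap.example.org "$WORK/chain.pem")"
echo "certificates the server presents:       $(chain_length "$WORK/chain.pem")"
```

Against a live server the PRESENTED argument corresponds to whatever `openssl s_client -connect ds.clarku.edu:636 -showcerts` prints: one certificate means the intermediate is not being sent, and every client without it in its local store fails exactly as the Ubuntu, Windows and PHP clients did here, while a client on the server itself succeeds because the intermediate happens to be in its own nssdb. One OpenSSL-specific caveat when reproducing Aaron's server-side setup: trusting the intermediate alone needs `-partial_chain`, because `openssl verify` otherwise insists on reaching a self-signed root.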
On 02/27/2012 01:17 PM, Aaron Bennett wrote:
[rant] First of all, I sincerely hate Mozilla NSS. I don't understand why RH decided to building OpenLdap against it.[/rant]
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
It's not just openldap, it's many other components.
And, if you are a Red Hat customer, please report any problems with using Red Hat products with your support channel. Red Hat is committed to making openldap + mozilla NSS work.
That was the intention - that customers upgrading from openldap + openssl to openldap + moznss should not notice or care about the underlying crypto implementation - it should just work exactly as before.