Hello,
I just got an SSL certificate issued by Comodo which doesn't work as expected with slapd, which means I get an untrusted-certificate warning in Thunderbird. Probably I just missed something.
For Apache2 for example, I just configured
SSLCACertificateFile mycert.ca-bundle
SSLCertificateFile mycert.crt
SSLCertificateKeyFile mycert.key
and I don't get any warnings in Firefox. Also if I test the connection using openssl s_client it looks fine:
office:~# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
To achieve the same with OpenLDAP, I tried:
TLSCACertificateFile mycert.ca-bundle
TLSCertificateFile mycert.crt
TLSCertificateKeyFile mycert.key
But the result is different: Thunderbird doesn't trust the certificate and throws a corresponding warning, and the output of openssl s_client looks like this:
office:~# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something?
Maybe someone could shed some light on this for me, thanks a lot in advance.
Regards, Iruwen
--On Monday, October 12, 2009 3:02 PM +0200 Iruwen iruwen@gmx.net wrote:
Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something?
Maybe someone could shed some light on this for me, thanks a lot in advance.
You need to provide the full train of trust when using Comodo certs.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Monday, October 12, 2009 11:18 AM -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Monday, October 12, 2009 3:02 PM +0200 Iruwen iruwen@gmx.net wrote:
Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something?
Maybe someone could shed some light on this for me, thanks a lot in advance.
You need to provide the full train of trust when using Comodo certs.
s/train/chain/ :P
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Monday, October 12, 2009 11:18 AM -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Monday, October 12, 2009 3:02 PM +0200 Iruwen iruwen@gmx.net wrote:
Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something?
Maybe someone could shed some light on this for me, thanks a lot in advance.
You need to provide the full train of trust when using Comodo certs.
s/train/chain/ :P
So... I'd have to change what exactly? ;)
I created the ca-bundle following the information on this page:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&...
And the format generally seems to be correct since it works for HTTPS (and SMTP with TLS in postfix, just tried that too).
HTTPS:
office:/etc/ssl/private# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
SMTP with TLS:
office:/etc/ssl/private# openssl s_client -connect localhost:25 -starttls smtp
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
But LDAPS:
office:/etc/ssl/private# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
I don't get it :(
--On Monday, October 12, 2009 10:36 PM +0200 Iruwen iruwen@gmx.net wrote:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
I don't get it :(
Comodo's cert is signed by someone else; you have to add that issuer to the CA chain. And it changes periodically too, in my experience from using their certs. So you need to examine their CA cert, find who signed it, and then add that to the chain.
For example, the one I was using at one time, was signed by the GTE CyberTrust CA, so I needed to have that cert in the chain in addition to comodo's.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
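An added example, not part of this thread or of OpenLDAP, illustrating both Quanah's point about supplying the full chain and the two s_client outputs Iruwen posted. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (the only assumption; all CA names are constructed and have nothing to do with Comodo's real hierarchy), shows that verifying the leaf without its intermediate produces the same "error 20: unable to get local issuer certificate" seen on port 636, and includes a small check that a PEM bundle is actually linked leaf -> issuer -> issuer, which is the order a server-side chain file has to be in.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Builds: Example Root CA (self-signed) -> Example Intermediate CA -> ldap.example.test
# All names are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
# A CA certificate must carry CA:true, or openssl verify rejects it as an issuer.
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:false\n' > "$WORK/leaf.ext"

# make_key_and_csr NAME SUBJECT: RSA key plus CSR in $WORK.
make_key_and_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" -config "$WORK/req.cnf" 2>/dev/null
}
make_key_and_csr root  "/CN=Example Root CA"
make_key_and_csr inter "/CN=Example Intermediate CA"
make_key_and_csr leaf  "/CN=ldap.example.test"

# Root is self-signed; intermediate is signed by root; leaf by the intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.crt" \
    -days 1 -sha256 -extfile "$WORK/ca.ext" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/inter.crt" -days 1 -sha256 -extfile "$WORK/ca.ext" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
    -out "$WORK/leaf.crt" -days 1 -sha256 -extfile "$WORK/leaf.ext" 2>/dev/null

# verify_error LEAF ROOT [INTERMEDIATES]: print 0 if LEAF verifies against ROOT
# (optionally with an untrusted intermediates file), else the numeric X509 verify
# error (20 = unable to get local issuer certificate, as in the LDAPS output).
verify_error() {
    leaf=$1; root=$2; inter=${3:-}
    if [ -n "$inter" ]; then
        out=$(openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$root" "$leaf" 2>&1 || true)
    fi
    case $out in
        *": OK"*) echo 0 ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1 ;;
    esac
}

# chain_is_linked BUNDLE: succeed if each certificate in the PEM file is followed
# by its issuer (leaf first, then intermediates). Prints the first broken link.
chain_is_linked() {
    bundle=$1
    parts=$(mktemp -d)
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/cert-" n ".pem") }' "$bundle"
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$parts/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$parts/cert-$j.pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "broken link: cert $i was issued by '${issuer#issuer=}' but cert $j is '${subject#subject=}'"
            rm -rf "$parts"
            return 1
        fi
        i=$j
    done
    rm -rf "$parts"
    return 0
}

cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/good-chain.pem"   # leaf, then its issuer
cat "$WORK/leaf.crt" "$WORK/root.crt"  > "$WORK/bad-chain.pem"    # intermediate missing

echo "leaf alone:          verify error $(verify_error "$WORK/leaf.crt" "$WORK/root.crt")"
echo "leaf + intermediate: verify error $(verify_error "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/inter.crt")"
chain_is_linked "$WORK/good-chain.pem" && echo "good-chain.pem: linked"
chain_is_linked "$WORK/bad-chain.pem"  || echo "bad-chain.pem: not linked"
```

Reading the thread's outputs with this in mind: on 443 and 25 the server delivers four certificates and the only complaint is error 19 at depth 3, which is just s_client (run without -CAfile) not trusting the self-signed AddTrust root, whereas on 636 the server sends certificate 0 alone and the errors 20 and 21 are raised at depth 0, so the bundle is not reaching the wire from slapd at all. Which file slapd reads the chain from depends on the TLS library it was built against, which is why the OS, OpenLDAP version and TLS library are asked for further down.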
Quanah Gibson-Mount wrote:
--On Monday, October 12, 2009 10:36 PM +0200 Iruwen iruwen@gmx.net wrote:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
I don't get it :(
Comodo's cert is signed by someone else; you have to add that issuer to the CA chain. And it changes periodically too, in my experience from using their certs. So you need to examine their CA cert, find who signed it, and then add that to the chain.
For example, the one I was using at one time, was signed by the GTE CyberTrust CA, so I needed to have that cert in the chain in addition to comodo's.
Judging from his debug output, that's not the issue here. The first question you should have asked is - what OS, OpenLDAP version, and TLS library?
Howard Chu wrote:
Quanah Gibson-Mount wrote:
--On Monday, October 12, 2009 10:36 PM +0200 Iruwen iruwen@gmx.net wrote:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
I don't get it :(
Comodo's cert is signed by someone else; you have to add that issuer to the CA chain. And it changes periodically too, in my experience from using their certs. So you need to examine their CA cert, find who signed it, and then add that to the chain.
For example, the one I was using at one time, was signed by the GTE CyberTrust CA, so I needed to have that cert in the chain in addition to comodo's.
Judging from his debug output, that's not the issue here. The first question you should have asked is - what OS, OpenLDAP version, and TLS library?
I'm sorry: Debian 5.0 (lenny), OpenLDAP 2.4.11-1, GNU TLS 2.4.2-6.
openldap-technical@openldap.org