Hi,
I am running OpenLDAP 2.4.32, BDB 5.3.21 and OpenSSL 1.0.1c on RHEL 5.5. I created a CA cert and signed it, but when I run ldapsearch with -ZZ I get the following error:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Mass/O=Curry College/OU=Technology Center/CN=LDAP-SSL.curry.edu/emailAddress=adarouic@curry.edu, issuer: /C=US/ST=Mass/O=Curry College/OU=Technology Center/CN=LDAP-SSL.curry.edu/emailAddress=adarouic@curry.edu
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please let me know if I missed something in my configuration.
Thanks,
Aziz
On Mon, 15 Oct 2012, Darouichi, Aziz wrote:
TLS trace: SSL3 alert write:fatal:unknown CA
Did you (try to) configure the CA on your client (i.e. in ldap.conf or similar)? For example, a "TLS_CACERT" or "TLS_CACERTDIR" directive that points to the appropriate CA certificate. See also ldap.conf(5) man page.
Yes, I double-checked ldap.conf and its directive is pointing to cacert.pem.
BASE          dc=curry,dc=edu
URI           ldaps://ldap-ssl.curry.edu
TLS_REQCERT   allow
#URI          ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_CACERTDIR /opt/local/etc/openldap/cacert.pem
Thanks
On Mon, 15 Oct 2012, Darouichi, Aziz wrote:
TLS_CACERTDIR /opt/local/etc/openldap/cacert.pem
Not that I want to impose my filename conventions on you, but usually if I had a "cacert.pem" it would be a file, not a directory...and as such, it would be TLS_CACERT instead of TLS_CACERTDIR? Was this intentional?
If it is a directory and you're using OpenSSL, did you remember to do the OpenSSL directory hashing magic?
This is the link I followed to create the CA and sign it: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#7.0
If I run a cert check from the client using the following:
openssl s_client -connect ldap-ssl.curry.edu:636 -CApath /opt/local/etc/openldap/caert.pem
I get a response.
Verify return code: 19 (self signed certificate in certificate chain)
What else am I missing?
Thanks,
Aziz
On Mon, 15 Oct 2012, Darouichi, Aziz wrote:
This is the link I followed to create the CA and sigh it http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#7.0
Did you read the "Note" at the top of that paper? Worth considering...
if I run cert check from client using the following openssl s_client -connect ldap-ssl.curry.edu:636 -CApath /opt/local/etc/openldap/caert.pem
1. Again, did you really make a directory named "caert.pem"? Because if that's a file, I believe that should be -CAfile instead. (Same as I said that your TLS_CACERTDIR should probably be a TLS_CACERT ldap.conf directive.)
2. In your previous example it was "cacert.pem" but now I see "caert.pem". Whatever's actually on your filesystem -- make sure that you're using it, typo-free. It's unlikely that they're both correct.
Providing us the output of:
"ls -ld /opt/local/etc/openldap/caert.pem /opt/local/etc/openldap/cacert.pem"
might be helpful if this isn't clear.
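The checks raised in the replies above (TLS_CACERT versus TLS_CACERTDIR, the hashed-directory requirement for a CA directory, and -CAfile versus -CApath for openssl s_client) as an added, runnable example. This is not code from the thread or from OpenLDAP; it assumes the openssl binary is installed, uses an invented CA and the invented hostname ldap-ssl.example.com, and works in a temporary directory rather than /opt/local/etc/openldap.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA and a CA-signed
# server certificate, then show how OpenSSL verification behaves with the CA
# given as a file (-CAfile / TLS_CACERT), as a hashed directory
# (-CApath / TLS_CACERTDIR), as an unhashed directory, and not at all.
# All names and paths below are assumptions for the demo.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
CA_DIR="$WORK/cacerts"     # stand-in for a TLS_CACERTDIR directory
mkdir -p "$CA_DIR"

# 1. Self-signed CA: this is the trust anchor the client must be told about.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/C=US/O=Example/CN=Example LDAP CA" >/dev/null 2>&1

# 2. Server key and CSR with the server FQDN as CN, signed by the CA.
#    The server cert is therefore not self-signed; only the CA cert is.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/C=US/O=Example/CN=ldap-ssl.example.com" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" >/dev/null 2>&1

# Dropping the CA file into the directory is not enough for -CApath lookups.
cp "$WORK/ca.pem" "$CA_DIR/cacert.pem"

# CA supplied as a file: what TLS_CACERT (ldap.conf) and -CAfile (s_client) expect.
verify_with_cafile() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# CA only as an untrusted chain member, i.e. the server sends it but the client
# has no trust anchor. This is the "self signed certificate in certificate
# chain" case, X509 error 19, seen in the ldapsearch trace.
verify_untrusted_only() {
  openssl verify -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1
}

# CA supplied as a directory: OpenSSL opens <subject-hash>.N, not *.pem.
verify_with_capath() {
  openssl verify -CApath "$CA_DIR" "$WORK/server.pem" >/dev/null 2>&1
}

# The "directory hashing magic": a symlink named after the subject hash.
# (c_rehash, or "openssl rehash" on 1.1.0+, does this for a whole directory.)
hash_ca_dir() {
  h=$(openssl x509 -noout -hash -in "$CA_DIR/cacert.pem")
  ln -sf cacert.pem "$CA_DIR/$h.0"
}
unhash_ca_dir() { rm -f "$CA_DIR"/*.0; }

# Matching client config: TLS_CACERT takes the file; TLS_CACERTDIR would take
# $CA_DIR once hashed. Keep TLS_REQCERT at its default, demand, so a trust
# failure stays fatal instead of being ignored.
cat > "$WORK/ldap.conf" <<EOF
URI         ldaps://ldap-ssl.example.com
TLS_CACERT  $WORK/ca.pem
TLS_REQCERT demand
EOF

echo "CAfile:            $(verify_with_cafile && echo OK || echo FAIL)"
echo "untrusted only:    $(verify_untrusted_only | grep 'error 19' | head -n 1)"
echo "CApath, unhashed:  $(verify_with_capath && echo OK || echo FAIL)"
hash_ca_dir
echo "CApath, hashed:    $(verify_with_capath && echo OK || echo FAIL)"
```

The unhashed directory fails even though the CA file is sitting in it, which is why the hashing question matters for TLS_CACERTDIR and -CApath; the same CA given as a file via -CAfile (or TLS_CACERT) verifies immediately. The -untrusted run reproduces error 19 from the original trace: the chain reaches a self-signed certificate that nothing on the client side trusts. The s_client equivalent of the file case is openssl s_client -connect host:636 -CAfile ca.pem.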
I ran into this problem about a year ago. It took me about 3 months to resolve. The code isn't broken; it works. All these guys are telling you the detail, and detail is important. But... my problem was resolved when I understood the concept: CA self-signed certificate [or just a certificate]. Read through how that is supposed to work logically. I sat down with another sys admin and explained it to him, and then looked at what I had done [actually, that forced me to look at what I had done]. I had not done what I had explained had to be done. Well, that was stupid, but it was easy to fix.
The self-signed certificate doc is at www.openldap.org/faq/data/cache/185.html. You might want to review it from a logical standpoint and understand what the objective is. Then it's easy to set up.
Sometimes it's not the razor, Sometimes it's your face.
Hope that clears up [well, not your face, just...] the problem. I am sure your face was excellent to begin with.
tob
Aaron,
1 - I made the change as you indicated to ldap.conf to point to the cacert file: "TLS_CACERT /opt/local/etc/openldap/cacert.pem"
2 - Sorry, it was a typo.
3 - The output of ls -ld: "-rw-r--r-- 1 root root 3213 Oct 11 09:38 /opt/local/etc/openldap/cacert.pem"
Thanks,
Aziz
- When you created the certificate, did you use the FQDN of your server?
- Did you compile OpenLDAP with TLS support?