Hi - I'm using osixia/openldap docker container.
I've created self signed client and server certs.
I'm receiving the following error when trying to perform ldapsearch from the Arch Linux docker host. Here is a summary of the error:
# ldapsearch -x -d1 -b 'dc=ldap,dc=gohilton,dc=com' -D "cn=admin,dc=ldap,dc=gohilton,dc=com" -H ldaps://127.0.0.1:636 -W -LLL d
ldap_url_parse_ext(ldaps://127.0.0.1:636)
ldap_create
ldap_url_parse_ext(ldaps://127.0.0.1:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=CH/O=domain.com/CN=openldap/emailAddress=user@domain.com, issuer: /C=US/ST=IL/L=CH/O=domain.com/CN=Docker OpenLDAP CA/emailAddress=user@domain.com
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:error in SSLv3/TLS write finished
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The server logs the error as the following:
f7a7260 conn=1007 fd=12 ACCEPT from IP=172.18.0.1:34350 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
5f7a7260 conn=1007 fd=12 closed (TLS negotiation failure)
This error only occurs if on the server I use the following server setting: LDAP_TLS_VERIFY_CLIENT=try
Is this possibly a permissions issue? I've verified the chain of trust for the client certificate upon creation. Both client and server certificates were signed with the same user-created CA.
kevhilton@gmail.com wrote on 05.10.2020 at 03:22 in message
20201005012213.798.68795@hypatia.openldap.org:
> Hi - I'm using osixia/openldap docker container.
> I've created self signed client and server certs.
> I'm receiving the following error when trying to perform ldapsearch from the Arch Linux docker host. Here is a summary of the error:
> # ldapsearch -x -d1 -b 'dc=ldap,dc=gohilton,dc=com' -D "cn=admin,dc=ldap,dc=gohilton,dc=com" -H ldaps://127.0.0.1:636 -W -LLL d
I wonder: What should an SSL certificate for localhost (127.0.0.1) look like? I would not recommend including either "localhost" or "IP:127.0.0.1" in the certificate, meaning: Does it work when you connect using the official IP address from a remote host?
--On Monday, October 5, 2020 10:49 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
> kevhilton@gmail.com wrote on 05.10.2020 at 03:22 in message
> 20201005012213.798.68795@hypatia.openldap.org:
>> # ldapsearch -x -d1 -b 'dc=ldap,dc=gohilton,dc=com' -D "cn=admin,dc=ldap,dc=gohilton,dc=com" -H ldaps://127.0.0.1:636 -W -LLL d
> I wonder: What should an SSL certificate for localhost (127.0.0.1) look like? I would not recommend including either "localhost" or "IP:127.0.0.1" in the certificate, meaning: Does it work when you connect using the official IP address from a remote host?
There's an example in the OpenLDAP 2.5 test suite.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Thanks guys for all your input. I believe my problem lies in client authentication on behalf of the server, and not server authentication on behalf of the client.
I didn't include the official IP in either the server or client certificate (I don't believe the client needs this), since the server sits on a docker network, and I believe the IP addresses internal to the docker network may change and aren't applicable to servers outside the docker network.
The problem may in fact be the method I used to make my self-signed TLS certificates, since I really cobbled the information from a variety of sources, and in actuality the sources had a lot to do with SSL certificates and not so much to do with TLS certificates. I created my own CA.
The openssl.conf file I used in the process is as follows:
[ca]
default_ca = my_ca

[ my_ca ]
dir = /etc/docker/compose/authelia/certs/openldap
#certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = ./
database = $dir/index.txt
serial = $dir/ca.srl
RANDFILE = $dir/.rand

# The root key and root certificate.
private_key = $dir/ca/ca-key.pem
certificate = $dir/ca/ca.pem

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca-crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 3750
preserve = no
policy = policy_loose
copy_extensions = copy

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
default_md = sha256
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
string_mask = utf8only

[req_distinguished_name]
# See https://en.wikipedia.org/wiki/Certificate_signing_request.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = CH
0.organizationName_default = domain.com
organizationalUnitName_default =
emailAddress_default = user@domain.com

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ client_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Self-Signed Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth

[ server_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Self-Sign Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = openldap.domain.com
DNS.2 = ldap.domain.com
DNS.3 = openldap
IP.1 = 127.0.0.1
IP.2 = ::1

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
I created the server and client cert via the following method according to my notes:
Create Server and Client Keys and Certificates

Generate Server and Client Keys
openssl genrsa -out ./client/key.pem 2048
openssl genrsa -out ./server/key.pem 2048

Generate the Certificate Signing Requests
openssl req -config openssl.cnf -key ./client/key.pem -new -sha256 -out ./client/cert.csr
openssl req -config openssl.cnf -key ./server/key.pem -new -sha256 -out ./server/cert.csr

Create the Server and Client Certificates
# -extensions must name the sections defined in openssl.cnf: server_cert and client_cert
openssl ca -config openssl.cnf -extensions server_cert -days 3750 -notext -md sha256 -in ./server/cert.csr -out ./server/cert.pem
openssl ca -config openssl.cnf -extensions client_cert -days 3750 -notext -md sha256 -in ./client/cert.csr -out ./client/cert.pem
Perhaps I truly don't understand how to properly create TLS client and server certs, which may be part of the issue.
In terms of localhost I included 127.0.0.1 as an alternative name for the server cert. This was mostly for testing purposes and for the reason my ldap server runs as a docker container on a linux container. I was trying to reach the openldap container from the docker host.
--On Monday, October 5, 2020 2:22 AM +0000 kevhilton@gmail.com wrote:
> TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=CH/O=domain.com/CN=openldap/emailAddress=user@domain.com, issuer: /C=US/ST=IL/L=CH/O=domain.com/CN=Docker OpenLDAP CA/emailAddress=user@domain.com
This looks like a user cert, not a server cert.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org