Jeff Gamsby
2006-Jun-02 15:37 UTC
[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA, I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run

ldapsearch -x -ZZ

I get TLS trace: SSL3 alert write:fatal:unknown CA.

In /etc/ldap.conf, I have put in

TLS_CACERT /path/to/cert
TLSREQCERT allow
ssl on
ssl start_tls

If I run

openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem

It looks OK

Please help

Thanks

--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson
2006-Jun-02 15:43 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL
> CA, I have installed the Server Cert and the CA Cert, can start FDS in
> SSL mode, but when I run
> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.

Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL

> In /etc/ldap.conf, I have put in
> TLS_CACERT /path/to/cert

Is this the same /path/to/cacert.pem as below?

> TLSREQCERT allow
> ssl on
> ssl start_tls
>
> If I run
> openssl s_client -connect localhost:636 -showcerts -state -CAfile
> /path/to/cacert.pem
>
> It looks OK
Jeff Gamsby
2006-Jun-02 15:49 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>> OpenSSL CA, I have installed the Server Cert and the CA Cert, can
>> start FDS in SSL mode, but when I run
>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL

I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.

When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.

>> In /etc/ldap.conf, I have put in
>> TLS_CACERT /path/to/cert
> Is this the same /path/to/cacert.pem as below?

Yes
Richard Megginson
2006-Jun-02 16:07 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> I did, but that didn't work for me. The only thing that I did this
> time was generate a request from the "Manage Certificates", sign the
> request using my OpenSSL CA, and install the Server and CA Certs. Then
> I turned on SSL in the Admin console, and restarted the server.
>
> When I followed the instructions from the link, I couldn't even get
> FDS to start in SSL mode.

One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
Jeff Gamsby
2006-Jun-02 16:14 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> One problem may be that ldapsearch is trying to verify the hostname in
> your server cert, which is the value of the cn attribute in the
> leftmost RDN in your server cert's subject DN. What is the subject DN
> of your server cert? You can use certutil -L -n Server-Cert as
> specified in the Howto:SSL to print your cert.

Running

cd /opt/fedora-ds/alias ; ../shared/bin/certutil -L -d . -n "server-cert"

returns:

certutil-bin: Could not find: server-cert : security library: bad database.

I can see the Subject DN in "Manage Certificates" --> Server Certs --> Detail

It's the FQDN of the FDS server ( and the OpenSSL CA )
Jeff Gamsby
2006-Jun-02 16:22 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> One problem may be that ldapsearch is trying to verify the hostname in
> your server cert, which is the value of the cn attribute in the
> leftmost RDN in your server cert's subject DN. What is the subject DN
> of your server cert? You can use certutil -L -n Server-Cert as
> specified in the Howto:SSL to print your cert.

Sorry. I missed the -P option.

running

../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert"

returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
Richard Megginson
2006-Jun-02 18:29 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> Sorry. I missed the -P option.
>
> running ../shared/bin/certutil -L -d . -P slapd-server- -n
> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA
> host (ran on same machine)

Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
Jeff Gamsby
2006-Jun-02 20:42 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
OK, now I have a different error.
I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
/etc/certs/ca-cert.pem -P slapd-server- -d .
and
ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
Now, I get this error:
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Richard Megginson
2006-Jun-02 21:35 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> OK, now I have a different error.
>
> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
> /etc/certs/ca-cert.pem -P slapd-server- -d .
>
> and
>
> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>
> Now, I get this error:
>
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.

What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request?

For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:

[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
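An added example, not code from this thread or from Fedora DS: a small Python parser for access-log lines in the shape Richard shows above. It classifies each connection by whether the startTLS extended op was accepted (RESULT err=0), whether the session was actually upgraded (the "SSL <cipher>" line), and whether any BIND went over the wire in the clear; conn=11 is the sample from the thread, conn=12 (startTLS accepted but no handshake, the failure mode in this thread) and conn=13 are constructed.

```python
"""Classify StartTLS outcomes per connection in a Fedora/389 DS access log.

The log line shapes (conn=N, op=M EXT/RESULT/SSL/BIND) follow the sample
quoted in the thread; the regexes and verdict names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<args>.*))?$')
ERR_RE = re.compile(r'\berr=(\d+)')
DN_RE = re.compile(r'dn="([^"]*)"')

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


@dataclass
class ConnState:
    starttls_op: Optional[int] = None     # op number of the StartTLS EXT request
    starttls_ok: Optional[bool] = None    # did that op get RESULT err=0?
    tls_active: bool = False              # saw the "SSL <cipher>" line afterwards
    cipher: Optional[str] = None
    cleartext_binds: List[str] = field(default_factory=list)  # BIND before TLS
    tls_binds: List[str] = field(default_factory=list)        # BIND after TLS


def parse_access_log(lines) -> Dict[str, ConnState]:
    conns: Dict[str, ConnState] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line (e.g. errors-log text); skip it
        st = conns.setdefault(m.group('conn'), ConnState())
        rest = m.group('rest')
        if rest.startswith('SSL '):
            # 389 DS logs "conn=N SSL <cipher>" once the handshake completes
            st.tls_active = True
            st.cipher = rest[len('SSL '):]
            continue
        om = OP_RE.match(rest)
        if not om:
            continue  # "connection from ...", "fd=.. closed - U1", etc.
        op = int(om.group('op'))
        kind, args = om.group('kind'), om.group('args') or ''
        if kind == 'EXT' and f'oid="{STARTTLS_OID}"' in args:
            st.starttls_op = op
        elif kind == 'RESULT' and op == st.starttls_op and st.starttls_ok is None:
            em = ERR_RE.search(args)
            st.starttls_ok = bool(em) and em.group(1) == '0'
        elif kind == 'BIND':
            dm = DN_RE.search(args)
            dn = dm.group(1) if dm else ''
            (st.tls_binds if st.tls_active else st.cleartext_binds).append(dn)
    return conns


def starttls_report(lines) -> Dict[str, str]:
    """Map each conn id to a verdict string.

    'tls'                            StartTLS accepted and handshake completed
    'starttls-accepted-no-handshake' server said err=0 but no SSL line followed
                                     (client aborted, e.g. unknown CA)
    'starttls-failed'                server rejected the extended op
    'no-starttls'                    connection never asked for StartTLS
    """
    out = {}
    for conn, st in parse_access_log(lines).items():
        if st.starttls_op is None:
            out[conn] = 'no-starttls'
        elif st.starttls_ok and st.tls_active:
            out[conn] = 'tls'
        elif st.starttls_ok:
            out[conn] = 'starttls-accepted-no-handshake'
        else:
            out[conn] = 'starttls-failed'
    return out


# Constructed sample: conn=11 is the thread's own success case; 12 and 13 are made up.
SAMPLE_LOG = [
    '[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND',
    '[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1',
    '[02/Jun/2006:15:32:10 -0600] conn=12 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1',
    '[02/Jun/2006:15:32:10 -0600] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[02/Jun/2006:15:32:10 -0600] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[02/Jun/2006:15:32:10 -0600] conn=12 op=0 fd=65 closed - U1',
    '[02/Jun/2006:15:33:02 -0600] conn=13 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1',
    '[02/Jun/2006:15:33:02 -0600] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[02/Jun/2006:15:33:02 -0600] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"',
]

if __name__ == '__main__':
    for conn, verdict in sorted(starttls_report(SAMPLE_LOG).items()):
        print(conn, verdict)
```

Run over a real access log, the 'starttls-accepted-no-handshake' verdict is the server-side fingerprint of exactly the client-side "unknown CA" failure this thread is chasing, and a non-empty cleartext_binds list on a connection is worth alerting on.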
Jeff Gamsby
2006-Jun-02 21:44 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
I blew away the server and installed a new one, then I used the
setupssl.sh script to setup SSL. The script completed successfully, and
the server is listening on port 636, but I'm back to a familiar error:
ldapsearch -x -ZZ -d -1
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert,
issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30
......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Shouldn't CN=CAcert be cn=fqdn?
This is all that the errors log says
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated
and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated
and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully
generated and stored
[02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
Thanks for your help
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Jeff Gamsby
2006-Jun-02 21:49 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
I'm running FC4 and I made sure that /etc/openldap/ldap.conf has TLS_CACERT. I also have OpenLDAP built on this machine, but it's not running. I have another box running FC5, I'll try it on that machine while I'm trying to figure out what to do.

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Jeff Gamsby wrote:
> I blew away the server and installed a new one, then I used the
> setupssl.sh script to setup SSL. The script completed successfully,
> and the server is listening on port 636, but I'm back to a familiar
> error:
>
> ldapsearch -x -ZZ -d -1
>
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Shouldn't CN=CAcert be cn=fqdn?
>
> This is all that the errors log says
>
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> Thanks for your help
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> OK, now I have a different error.
>>>
>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>
>>> and
>>>
>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>
>>> Now, I get this error:
>>>
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>> additional info: Start TLS request accepted.Server willing to negotiate SSL.
>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf
>> does not like the TLS_CACERTDIR directive - you must use the
>> TLS_CACERT directive with the full path and filename of the
>> cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does
>> it say in the fedora ds access and error log for this request?
>>
>> For a successful startTLS request with ldapsearch, you should see
>> something like the following in your fedora ds access log:
>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using a
>>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert,
>>>>>>>>> can start FDS in SSL mode, but when I run
>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
>>>>>>>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>> I did, but that didn't work for me. The only thing that I did
>>>>>>> this time was generate a request from the "Manage Certificates",
>>>>>>> sign the request using my OpenSSL CA, and install the Server and
>>>>>>> CA Certs. Then I turned on SSL in the Admin console, and
>>>>>>> restarted the server.
>>>>>>>
>>>>>>> When I followed the instructions from the link, I couldn't even
>>>>>>> get FDS to start in SSL mode.
>>>>>> One problem may be that ldapsearch is trying to verify the
>>>>>> hostname in your server cert, which is the value of the cn
>>>>>> attribute in the leftmost RDN in your server cert's subject DN.
>>>>>> What is the subject DN of your server cert? You can use certutil
>>>>>> -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>
>>>>> Sorry. I missed the -P option.
>>>>>
>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.
>>>>>
>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>> Yes
>>>>>>>>> TLSREQCERT allow
>>>>>>>>> ssl on
>>>>>>>>> ssl start_tls
>>>>>>>>>
>>>>>>>>> If I run
>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>
>>>>>>>>> It looks OK
>>>>>>>>>
>>>>>>>>> Please help
>>>>>>>>>
>>>>>>>>> Thanks
Richard Megginson
2006-Jun-02 21:54 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> I blew away the server and installed a new one, then I used the
> setupssl.sh script to setup SSL. The script completed successfully,
> and the server is listening on port 636, but I'm back to a familiar
> error:
>
> ldapsearch -x -ZZ -d -1
>
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Shouldn't CN=CAcert be cn=fqdn?
No, no hostname validation is done on the CA cert, only on the LDAP server cert.

Did you configure openldap to use the new CA cert?
http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> This is all that the errors log says
How about the access log?
>
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> Thanks for your help
Jeff Gamsby
2006-Jun-02 22:00 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> I blew away the server and installed a new one, then I used the
>> setupssl.sh script to setup SSL. The script completed successfully,
>> and the server is listening on port 636, but I'm back to a familiar
>> error:
>>
>> ldapsearch -x -ZZ -d -1
>>
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>> TLS certificate verification: Error, self signed certificate in certificate chain
>> tls_write: want=7, written=7
>> 0000: 15 03 01 00 02 02 30 ......0
>> TLS trace: SSL3 alert write:fatal:unknown CA
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS: can't connect.
>> ldap_perror
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Shouldn't CN=CAcert be cn=fqdn?
> No, no hostname validation is done on the CA cert, only on the LDAP
> server cert.
>
> Did you configure openldap to use the new CA cert?
> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients

Yes.

This is what the access log says

[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.

>
>>
>> This is all that the errors log says
> How about the access log?
Richard Megginson
2006-Jun-02 22:06 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> I blew away the server and installed a new one, then I used the
>>> setupssl.sh script to setup SSL. The script completed successfully,
>>> and the server is listening on port 636, but I'm back to a familiar
>>> error:
>>>
>>> ldapsearch -x -ZZ -d -1
>>>
>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>> tls_write: want=7, written=7
>>> 0000: 15 03 01 00 02 02 30 ......0
>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>
>>> Shouldn't CN=CAcert be cn=fqdn?
>> No, no hostname validation is done on the CA cert, only on the LDAP
>> server cert.
>>
>> Did you configure openldap to use the new CA cert?
>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> Yes.
>
> This is what the access log says
>
> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
This means that the CA cert that /etc/openldap/ldap.conf is using is not the cert of the CA that issued the Fedora DS server cert.
>>
>>> This is all that the errors log says
>> How about the access log?
Jeff Gamsby
2006-Jun-02 22:27 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> I blew away the server and installed a new one, then I used the
>>>> setupssl.sh script to setup SSL. The script completed successfully,
>>>> and the server is listening on port 636, but I'm back to a familiar
>>>> error:
>>>>
>>>> ldapsearch -x -ZZ -d -1
>>>>
>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>> tls_write: want=7, written=7
>>>> 0000: 15 03 01 00 02 02 30   ......0
>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>> TLS: can't connect.
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>
>>>> Shouldn't CN=CAcert be cn=fqdn?
>>> No, no hostname validation is done on the CA cert, only on the LDAP
>>> server cert.
>>>
>>> Did you configure openldap to use the new CA cert?
>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>
>> Yes.
>>
>> This is what the access log says
>>
>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> This means that the CA cert that /etc/openldap/ldap.conf is using is
> not the cert of the CA that issued the Fedora DS server cert.

OK. I had the old cert in there.

I followed the instructions and did a

cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0

and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get the same error

[02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.

>>>>
>>>> This is all that the errors log says
>>> How about the access log?
>>>>
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>
>>>> Thanks for your help
>>>>
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> OK, now I have a different error.
>>>>>>
>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>
>>>>>> and
>>>>>>
>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>
>>>>>> Now, I get this error:
>>>>>>
>>>>>> TLS: can't connect.
>>>>>> ldap_perror
>>>>>> ldap_start_tls: Connect error (-11)
>>>>>> additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>> What OS and version are you running? RHEL3
>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive
>>>>> - you must use the TLS_CACERT directive with the full path and
>>>>> filename of the cacert.pem file (e.g.
>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the fedora
>>>>> ds access and error log for this request?
Richard Megginson
2006-Jun-02 22:32 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Did you configure openldap to use the new CA cert?
>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>
>>> Yes.
>>>
>>> This is what the access log says
>>>
>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> This means that the CA cert that /etc/openldap/ldap.conf is using is
>> not the cert of the CA that issued the Fedora DS server cert.
> OK. I had the old cert in there.
>
> I followed the instructions and did a
>
> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>
> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
> the same error

But does the file /etc/openldap/cacerts/cacert.asc exist? If not, you
need to copy that file in there. I guess the docs are not explicit
enough - if you use TLS_CACERTDIR, you must have the file <hash>.0 in
the cacerts directory. If you use TLS_CACERT, you must have the file
/etc/openldap/cacerts/cacert.asc.

> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
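The two access-log shapes in this exchange (Richard's successful sequence, where an `SSL 256-bit AES` line follows the startTLS `RESULT err=0 tag=120`, and Jeff's failing one, where the connection is instead closed with "Peer does not recognize and trust the CA that issued your certificate") are enough to classify startTLS outcomes per connection. The following classifier is an added example, not code from the thread or from Fedora DS; the sample lines are taken from this thread except the conn=31 records, which are constructed to exercise the "closed for another reason" branch.

```python
"""Pair startTLS requests in a Fedora DS / 389 DS access log with their outcome.

Added example, not part of the mailing-list thread or of Fedora DS itself.
The record layout follows the access-log lines quoted in the thread:
  [timestamp] conn=N op=M <operation ...>
"""
import re
from typing import Dict, Iterable

# Extended-operation OID the server logs for startTLS (RFC 4511 / RFC 4513).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# Close reason logged when the client sent an unknown_ca alert, i.e. the CA
# the client trusts did not issue the server certificate.
CA_NOT_TRUSTED = "Peer does not recognize and trust the CA that issued your certificate"

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
EXT_RESULT_RE = re.compile(r"\bRESULT err=(?P<err>\d+) tag=120\b")  # tag 120 = extendedResp
CLOSED_RE = re.compile(r"\bclosed - (?P<reason>.*)$")


def classify_starttls(lines: Iterable[str]) -> Dict[str, str]:
    """Return {conn_id: outcome} for every connection that issued startTLS.

    Outcomes:
      "ok"                 a cipher line ("SSL 256-bit AES") followed the startTLS result
      "starttls-rejected"  the extended operation itself returned err != 0
      "ca-not-trusted"     closed with the unknown-CA reason seen in the thread
      "closed: <reason>"   closed for any other reason before the cipher line
      "pending"            startTLS seen but no outcome in this log slice
    """
    outcome: Dict[str, str] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, errors-log line, or other non-record text
        conn, rest = m.group("conn"), m.group("rest")
        if f'oid="{STARTTLS_OID}"' in rest:
            outcome[conn] = "pending"
            continue
        if outcome.get(conn) != "pending":
            continue  # never asked for startTLS, or already decided
        r = EXT_RESULT_RE.search(rest)
        if r:
            if r.group("err") != "0":
                outcome[conn] = "starttls-rejected"
            continue  # err=0 only means "server willing to negotiate"; keep waiting
        if rest.startswith("SSL "):
            outcome[conn] = "ok"  # handshake completed, cipher negotiated
            continue
        c = CLOSED_RE.search(rest)
        if c:
            reason = c.group("reason").strip()
            outcome[conn] = ("ca-not-trusted" if reason.startswith(CA_NOT_TRUSTED)
                             else f"closed: {reason}")
    return outcome


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count outcomes by class; 'closed: <reason>' collapses to 'closed'."""
    counts: Dict[str, int] = {}
    for value in classify_starttls(lines).values():
        key = value.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# conn=124 and conn=11 are the lines quoted in the thread; conn=31 is constructed.
SAMPLE_LOG = """\
[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
[02/Jun/2006:15:40:00 -0700] conn=31 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:40:00 -0700] conn=31 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:40:00 -0700] conn=31 op=-1 fd=69 closed - B1
""".splitlines()


if __name__ == "__main__":
    for conn, result in sorted(classify_starttls(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"conn={conn}: {result}")
    print(summarize(SAMPLE_LOG))
```

A run of "ca-not-trusted" closes right after `RESULT err=0 tag=120` is the server-side signature of the client-trust mismatch Richard describes; the server accepted the extended operation, and it is the client that aborted the handshake.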
Jeff Gamsby
2006-Jun-02 22:39 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> This is what the access log says
>>>>
>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> This means that the CA cert that /etc/openldap/ldap.conf is using is
>>> not the cert of the CA that issued the Fedora DS server cert.
>> OK. I had the old cert in there.
>>
>> I followed the instructions and did a
>>
>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>>
>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
>> the same error
> But does the file /etc/openldap/cacerts/cacert.asc exist? If not, you
> need to copy that file in there. I guess the docs are not explicit
> enough - if you use TLS_CACERTDIR, you must have the file <hash>.0 in
> the cacerts directory. If you use TLS_CACERT, you must have the file
> /etc/openldap/cacerts/cacert.asc.

It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc

Same error.

[02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.

I also put the same info in /etc/ldap.conf

Also, here are the certs

../shared/bin/certutil -L -P slapd-server- -d .

CA certificate                                               CTu,u,u
server-cert                                                  u,u,u
Server-Cert                                                  u,u,u

Does that look right?

>>
>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>>>>>>> Yes >>>>>>>>>>>>>> TLSREQCERT allow >>>>>>>>>>>>>> ssl on >>>>>>>>>>>>>> ssl start_tls >>>>>>>>>>>>>> >>>>>>>>>>>>>> If I run >>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state >>>>>>>>>>>>>> -CAfile /path/to/cacert.pem >>>>>>>>>>>>>> >>>>>>>>>>>>>> It looks OK >>>>>>>>>>>>>> >>>>>>>>>>>>>> Please help >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>> >>>>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>>> Fedora-directory-users@redhat.com >>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>>> Fedora-directory-users@redhat.com >>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users@redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users@redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users@redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users@redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> ------------------------------------------------------------------------ >>>>>>> >>>>>>> >>>>>>> 
-- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users@redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users@redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users@redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users@redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users@redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users@redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
Richard Megginson
2006-Jun-02 22:45 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> I blew away the server and installed a new one, then I used the
>>>>>>> setupssl.sh script to setup SSL. The script completed
>>>>>>> successfully, and the server is listening on port 636, but I'm
>>>>>>> back to a familiar error:
>>>>>>>
>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>
>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>>>>> tls_write: want=7, written=7
>>>>>>> 0000:  15 03 01 00 02 02 30                               ......0
>>>>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>> TLS: can't connect.
>>>>>>> ldap_perror
>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>
>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>> LDAP server cert.
>>>>>>
>>>>>> Did you configure openldap to use the new CA cert?
>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>> Yes.
>>>>>
>>>>> This is what the access log says
>>>>>
>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>> This means that the CA cert that /etc/openldap/ldap.conf is using
>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>> OK. I had the old cert in there.
>>>
>>> I followed the instructions and did a
>>>
>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>>>
>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
>>> the same error
>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>> you need to copy that file in there. I guess the docs are not
>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you must
>> have the file /etc/openldap/cacerts/cacert.asc.
>
> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>
> Same error.
> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> I also put the same info in /etc/ldap.conf
That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>
> Also, here are the certs
>
> ../shared/bin/certutil -L -P slapd-server- -d .
> CA certificate                                               CTu,u,u
> server-cert                                                  u,u,u
> Server-Cert                                                  u,u,u
>
> Does that look right?
Try this:

../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc

diff mycacert.asc /etc/openldap/cacerts/cacert.asc

If they are the same, then CA certificate is not the cert of the CA
that issued Server-Cert.
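The diff Richard proposes establishes whether the file named by TLS_CACERT is the same certificate as the NSS entry nicknamed "CA certificate"; it does not by itself show whether that CA issued Server-Cert, which is what the server is reporting when it logs "Peer does not recognize and trust the CA that issued your certificate". The client's own trace shows it sending that verdict: the seven bytes 15 03 01 00 02 02 30 written just before "SSL3 alert write:fatal:unknown CA" are a TLS alert record, level 2 (fatal), description 48 (unknown_ca). The script below is an added example, not code from the thread or from Fedora DS, that tests the issuer relationship directly. It checks two things that fail differently: the CA's subject DN must equal the server certificate's issuer DN, and the CA's key must verify the signature on the server certificate, because two CAs can carry the same name (a leftover CA file from an earlier setup run that also used CN=CAcert, say) and only the signature check tells them apart. It assumes the OpenSSL command-line tools are installed; the host name ldap.example.com, the file names and the throw-away PKI built by make_demo_pki are constructed for the demo, and fetch_server_cert (which saves the leaf certificate a live LDAPS port presents, as the original poster's s_client command printed it) is provided for real use but is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora DS): decide whether the
# CA certificate a client trusts (the file named by TLS_CACERT in
# /etc/openldap/ldap.conf) really issued the LDAP server's certificate.
# Two things must hold, and they fail differently:
#   1. the CA's subject DN equals the server cert's issuer DN;
#   2. the CA's public key verifies the signature on the server cert.
# A different CA that reuses the same subject (CN=CAcert, say) passes 1
# and fails 2, which is still an "unknown CA" alert on the wire.

# Print a certificate's subject or issuer DN in RFC 2253 form, without the
# "subject=" / "issuer=" prefix (the prefix spelling varies by OpenSSL version).
dn_of() {                        # dn_of subject|issuer FILE.pem
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# ca_issued_cert CA.pem SERVER.pem
# Exit status: 0 = issued by this CA, 1 = names differ, 2 = names agree but
# the signature does not verify with this CA's key. One-line verdict on stdout.
ca_issued_cert() {
    ca_subject=$(dn_of subject "$1")
    srv_issuer=$(dn_of issuer "$2")
    if [ "$ca_subject" != "$srv_issuer" ]; then
        echo "name-mismatch: CA is '$ca_subject', server cert was issued by '$srv_issuer'"
        return 1
    fi
    # Grep for ": OK" rather than trusting the exit code: very old openssl
    # versions returned 0 from "verify" even on failure.
    if ! openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo "signature-mismatch: '$ca_subject' matches by name, but this CA's key did not sign the server cert"
        return 2
    fi
    echo "ok: '$ca_subject' issued '$(dn_of subject "$2")'"
}

# fetch_server_cert HOST PORT OUT.pem -- save the leaf certificate an LDAPS
# listener presents (first cert in the -showcerts output). Needs network, so
# the offline demo below does not call it.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
        | awk '/-BEGIN CERTIFICATE-/ { n++ } n == 1' > "$3"
}

# make_demo_pki DIR -- constructed throw-away PKI for the demo: ca1 signs the
# server cert; ca2 is an unrelated CA that deliberately reuses CN=CAcert.
make_demo_pki() {
    for ca in ca1 ca2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=CAcert \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj /CN=ldap.example.com \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/srv.csr" -CA "$1/ca1.pem" -CAkey "$1/ca1.key" \
        -CAcreateserial -out "$1/srv.pem" 2>/dev/null
}

# Demo: sh check_ca.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    ca_issued_cert "$d/ca1.pem" "$d/srv.pem"     # ok: ...
    ca_issued_cert "$d/ca2.pem" "$d/srv.pem"     # signature-mismatch: ...
    ca_issued_cert "$d/srv.pem" "$d/srv.pem"     # name-mismatch: ...
    rm -rf "$d"
fi
```

Against a real server the sequence is `fetch_server_cert ldap.example.com 636 srv.pem` followed by `ca_issued_cert /etc/openldap/cacerts/cacert.asc srv.pem`; a "signature-mismatch" verdict means the file and the NSS "CA certificate" entry may well be identical, as the diff would show, and still not be the CA that signed Server-Cert.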
Jeff Gamsby
2006-Jun-02 22:49 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 Richard Megginson wrote:> Jeff Gamsby wrote: >> >> Jeff Gamsby >> Center for X-Ray Optics >> Lawrence Berkeley National Laboratory >> (510) 486-7783 >> >> >> >> Richard Megginson wrote: >>> Jeff Gamsby wrote: >>>> >>>> Jeff Gamsby >>>> Center for X-Ray Optics >>>> Lawrence Berkeley National Laboratory >>>> (510) 486-7783 >>>> >>>> >>>> >>>> Richard Megginson wrote: >>>>> Jeff Gamsby wrote: >>>>>> >>>>>> Jeff Gamsby >>>>>> Center for X-Ray Optics >>>>>> Lawrence Berkeley National Laboratory >>>>>> (510) 486-7783 >>>>>> >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> Jeff Gamsby wrote: >>>>>>>> I blew away the server and installed a new one, then I used the >>>>>>>> setupssl.sh script to setup SSL. The script completed >>>>>>>> successfully, and the server is listening on port 636, but I''m >>>>>>>> back to a familiar error: >>>>>>>> >>>>>>>> ldapsearch -x -ZZ -d -1 >>>>>>>> >>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A >>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: >>>>>>>> /CN=CAcert, issuer: /CN=CAcert >>>>>>>> TLS certificate verification: Error, self signed certificate in >>>>>>>> certificate chain >>>>>>>> tls_write: want=7, written=7 >>>>>>>> 0000: 15 03 01 00 02 02 30 >>>>>>>> ......0 TLS trace: SSL3 alert write:fatal:unknown CA >>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>>>>>>> TLS: can''t connect. >>>>>>>> ldap_perror >>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>> additional info: error:14090086:SSL >>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>>>> >>>>>>>> Shouldn''t CN=CAcert be cn=fqdn? >>>>>>> No, no hostname validation is done on the CA cert, only on the >>>>>>> LDAP server cert. >>>>>>> >>>>>>> Did you configure openldap to use the new CA cert? 
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients >>>>>>> >>>>>> >>>>>> Yes. >>>>>> >>>>>> This is what the access log says >>>>>> >>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 >>>>>> nentries=0 etime=0 >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection >>>>>> from 127.0.0.1 to 127.0.0.1 >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT >>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 >>>>>> nentries=0 etime=0 >>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer >>>>>> does not recognize and trust the CA that issued your certificate. >>>>> >>>>> This means that the CA cert that /etc/openldap/ldap.conf is using >>>>> is not the cert of the CA that issued the Fedora DS server cert. >>>> OK. I had the old cert in there. >>>> >>>> I followed the instructions and did a >>>> >>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in >>>> cacert.asc`.0 >>>> >>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get >>>> the same error >>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not, >>> you need to copy that file in there. I guess the docs are not >>> explicit enough - if you use TLS_CACERTDIR, you must have the file >>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you must >>> have the file /etc/openldap/cacerts/cacert.asc. >> >> It does exist, and I''m using TLS_CACERT /etc/openldap/cacerts/cacert.asc >> >> Same error. >> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from >> 127.0.0.1 to 127.0.0.1 >> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does >> not recognize and trust the CA that issued your certificate. 
>> >> I also put the same info in /etc/ldap.conf > That file is only used by pam_ldap and nss_ldap, so it shouldn''t matter. >> >> Also, here are the certs >> >> ../shared/bin/certutil -L -P slapd-server- -d . >> CA certificate CTu,u,u >> server-cert u,u,u >> Server-Cert u,u,u >> >> Does that look right? > Try this: > ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > > mycacert.asc > > diff mycacert.asc /etc/openldap/cacerts/cacert.asc > > If they are the same, then CA certificate is not the cert of the CA > that issued Server-Cert.They are the same. I''m not sure that I understand.>> >>>> >>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from >>>> 127.0.0.1 to 127.0.0.1 >>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does >>>> not recognize and trust the CA that issued your certificate. >>>> >>>> >>>> >>>> >>>>>>> >>>>>>>> >>>>>>>> This is all that the errors log says >>>>>>> How about the access log? >>>>>>>> >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher AES in backend userRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher 3DES in backend userRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher AES in backend NetscapeRoot, attempting to create one... 
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for >>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create one... >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully >>>>>>>> generated and stored >>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All >>>>>>>> Interfaces port 389 for LDAP requests >>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port >>>>>>>> 636 for LDAPS requests >>>>>>>> >>>>>>>> Thanks for your help >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Jeff Gamsby >>>>>>>> Center for X-Ray Optics >>>>>>>> Lawrence Berkeley National Laboratory >>>>>>>> (510) 486-7783 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> Jeff Gamsby wrote: >>>>>>>>>> OK, now I have a different error. >>>>>>>>>> >>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i >>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d . >>>>>>>>>> >>>>>>>>>> and >>>>>>>>>> >>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0 >>>>>>>>>> >>>>>>>>>> Now, I get this error: >>>>>>>>>> >>>>>>>>>> TLS: can''t connect. >>>>>>>>>> ldap_perror >>>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>>> additional info: Start TLS request accepted.Server >>>>>>>>>> willing to negotiate SSL. >>>>>>>>> What OS and version are you running? RHEL3 >>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR >>>>>>>>> directive - you must use the TLS_CACERT directive with the >>>>>>>>> full path and filename of the cacert.pem file (e.g. >>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the >>>>>>>>> fedora ds access and error log for this request? 
>>>>>>>>>
>>>>>>>>> For a successful startTLS request with ldapsearch, you should
>>>>>>>>> see something like the following in your fedora ds access log:
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>
>>>>>>>>>> Jeff Gamsby
>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>> (510) 486-7783
>>>>>>>>>>
>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am
>>>>>>>>>>>>>>>> using an OpenSSL CA, I have installed the Server Cert
>>>>>>>>>>>>>>>> and the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I
>>>>>>>>>>>>>> did this time was generate a request from the "Manage
>>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and
>>>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in
>>>>>>>>>>>>>> the Admin console, and restarted the server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the
>>>>>>>>>>>>> hostname in your server cert, which is the value of the cn
>>>>>>>>>>>>> attribute in the leftmost RDN in your server cert's
>>>>>>>>>>>>> subject DN. What is the subject DN of your server cert?
>>>>>>>>>>>>> You can use certutil -L -n Server-Cert as specified in the
>>>>>>>>>>>>> Howto:SSL to print your cert.
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>
>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and
>>>>>>>>>>>> OpenSSL CA host (ran on same machine)
>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>>>>>>>>>> debugging info.
>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
Jeff Gamsby
2006-Jun-02 22:53 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> I blew away the server and installed a new one, then I used the
>>>>>>>> setupssl.sh script to setup SSL. The script completed
>>>>>>>> successfully, and the server is listening on port 636, but I'm
>>>>>>>> back to a familiar error:
>>>>>>>>
>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>
>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>>>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>>>>>> tls_write: want=7, written=7
>>>>>>>>   0000:  15 03 01 00 02 02 30                               ......0
>>>>>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>> TLS: can't connect.
>>>>>>>> ldap_perror
>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>
>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>>> LDAP server cert.
>>>>>>>
>>>>>>> Did you configure openldap to use the new CA cert?
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>>>>
>>>>>> Yes.
>>>>>>
>>>>>> This is what the access log says
>>>>>>
>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>
>>>>> This means that the CA cert that /etc/openldap/ldap.conf is using
>>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>>> OK. I had the old cert in there.
>>>>
>>>> I followed the instructions and did a
>>>>
>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>>>>
>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get
>>>> the same error
>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>>> you need to copy that file in there. I guess the docs are not
>>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you must
>>> have the file /etc/openldap/cacerts/cacert.asc.
>>
>> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>
>> Same error.
>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> I also put the same info in /etc/ldap.conf
> That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>>
>> Also, here are the certs
>>
>> ../shared/bin/certutil -L -P slapd-server- -d .
>> CA certificate                                               CTu,u,u
>> server-cert                                                  u,u,u
>> Server-Cert                                                  u,u,u
>>
>> Does that look right?
> Try this:
> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc
>
> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>
> If they are the same, then CA certificate is not the cert of the CA
> that issued Server-Cert.

They are the same. How is that possible if they all were generated using
the setupssl.sh script?

>>>>
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>
>>>>>>>>
>>>>>>>> This is all that the errors log says
>>>>>>> How about the access log?
>>>>>>>>
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>
>>>>>>>> Thanks for your help
>>>>>>>>
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>
>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>
>>>>>>>>>> and
>>>>>>>>>>
>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>
>>>>>>>>>> Now, I get this error:
>>>>>>>>>>
>>>>>>>>>> TLS: can't connect.
>>>>>>>>>> ldap_perror
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>> What OS and version are you running?  RHEL3
>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>> fedora ds access and error log for this request?
Richard Megginson
2006-Jun-02 22:57 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I blew away the server and installed a new one, then I used
>>>>>>>>> the setupssl.sh script to setup SSL. The script completed
>>>>>>>>> successfully, and the server is listening on port 636, but I'm
>>>>>>>>> back to a familiar error:
>>>>>>>>>
>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>
>>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>>>>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>>>>>>> tls_write: want=7, written=7
>>>>>>>>>   0000:  15 03 01 00 02 02 30                               ......0
>>>>>>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>> TLS: can't connect.
>>>>>>>>> ldap_perror
>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>
>>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>>>> LDAP server cert.
>>>>>>>>
>>>>>>>> Did you configure openldap to use the new CA cert?
>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>>>>>
>>>>>>> Yes.
>>>>>>>
>>>>>>> This is what the access log says
>>>>>>>
>>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>
>>>>>> This means that the CA cert that /etc/openldap/ldap.conf is using
>>>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>>>> OK. I had the old cert in there.
>>>>>
>>>>> I followed the instructions and did a
>>>>>
>>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>>>>>
>>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still
>>>>> get the same error
>>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>>>> you need to copy that file in there. I guess the docs are not
>>>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>>>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you must
>>>> have the file /etc/openldap/cacerts/cacert.asc.
>>>
>>> It does exist, and I'm using TLS_CACERT
>>> /etc/openldap/cacerts/cacert.asc
>>>
>>> Same error.
>>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> I also put the same info in /etc/ldap.conf
>> That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>>>
>>> Also, here are the certs
>>>
>>> ../shared/bin/certutil -L -P slapd-server- -d .
>>> CA certificate                                               CTu,u,u
>>> server-cert                                                  u,u,u
>>> Server-Cert                                                  u,u,u
>>>
>>> Does that look right?
>> Try this:
>> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc
>>
>> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>>
>> If they are the same, then CA certificate is not the cert of the CA
>> that issued Server-Cert.
>
> They are the same.
>
> I'm not sure that I understand.

I'm not sure I understand what's going on either, but the message "Peer
does not recognize and trust the CA that issued your certificate." means
that ldapsearch did not verify your LDAP server certificate (Server-Cert).
This is usually due to one or both of the following:

1) The value of the cn attribute in the leftmost RDN of the subjectDN in
   the LDAP server cert is not the fqdn of the LDAP server host, or the
   client cannot resolve it.

2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the CA
   that issued the LDAP server certificate (Server-Cert).

I'm not sure which one it is. You might try dumping out the server
certificate

  ../shared/bin/certutil -L -P slapd-server- -d . -n "Server-Cert" -a > fdscert.pem

and using openssl to verify the cert, e.g.

  openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem

If you get an error, this means that the CA whose cert is
/etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
certificate.

>>>>>
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>
>>>>>>>>>
>>>>>>>>> This is all that the errors log says
>>>>>>>> How about the access log?
>>>>>>>>>
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>
>>>>>>>>> Thanks for your help
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>
>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>
>>>>>>>>>>> and
>>>>>>>>>>>
>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>
>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>
>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>> ldap_perror
>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>> What OS and version are you running?  RHEL3
>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>> fedora ds access and error log for this request?
mailing list >> Fedora-directory-users@redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users
Jeff Gamsby
2006-Jun-03 00:48 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>> Richard Megginson wrote:
>>>>> Jeff Gamsby wrote:
>>>>>> Richard Megginson wrote:
>>>>>>> Jeff Gamsby wrote:
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>> I blew away the server and installed a new one, then I used
>>>>>>>>>> the setupssl.sh script to setup SSL. The script completed
>>>>>>>>>> successfully, and the server is listening on port 636, but
>>>>>>>>>> I'm back to a familiar error:
>>>>>>>>>>
>>>>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>>>>
>>>>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
>>>>>>>>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>>>>>>>> tls_write: want=7, written=7
>>>>>>>>>>   0000:  15 03 01 00 02 02 30                               ......0
>>>>>>>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>>>>> TLS: can't connect.
>>>>>>>>>> ldap_perror
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>>
>>>>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>>>>> No, no hostname validation is done on the CA cert, only on the
>>>>>>>>> LDAP server cert.
>>>>>>>>>
>>>>>>>>> Did you configure openldap to use the new CA cert?
>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>>>>>>>>
>>>>>>>> Yes.
>>>>>>>>
>>>>>>>> This is what the access log says
>>>>>>>>
>>>>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>>
>>>>>>> This means that the CA cert that /etc/openldap/ldap.conf is
>>>>>>> using is not the cert of the CA that issued the Fedora DS server
>>>>>>> cert.
>>>>>> OK. I had the old cert in there.
>>>>>>
>>>>>> I followed the instructions and did a
>>>>>>
>>>>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
>>>>>>
>>>>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still
>>>>>> get the same error
>>>>> But does the file /etc/openldap/cacerts/cacert.asc exist? If not,
>>>>> you need to copy that file in there. I guess the docs are not
>>>>> explicit enough - if you use TLS_CACERTDIR, you must have the file
>>>>> <hash>.0 in the cacerts directory. If you use TLS_CACERT, you
>>>>> must have the file /etc/openldap/cacerts/cacert.asc.
>>>>
>>>> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>>>>
>>>> Same error.
>>>> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>
>>>> I also put the same info in /etc/ldap.conf
>>> That file is only used by pam_ldap and nss_ldap, so it shouldn't
>>> matter.
>>>>
>>>> Also, here are the certs
>>>>
>>>> ../shared/bin/certutil -L -P slapd-server- -d .
>>>> CA certificate                                               CTu,u,u
>>>> server-cert                                                  u,u,u
>>>> Server-Cert                                                  u,u,u
>>>>
>>>> Does that look right?
>>> Try this:
>>> ../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > mycacert.asc
>>>
>>> diff mycacert.asc /etc/openldap/cacerts/cacert.asc
>>>
>>> If they are the same, then CA certificate is not the cert of the CA
>>> that issued Server-Cert.
>>
>> They are the same.
>>
>> I'm not sure that I understand.
> I'm not sure I understand what's going on either, but the message
> "Peer does not recognize and trust the CA that issued your
> certificate." means that ldapsearch did not verify your LDAP server
> certificate (Server-Cert). This is usually due to one or both of the
> following:
> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
> in the LDAP server cert is not the fqdn of the LDAP server host, or
> the client cannot resolve it.
> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of the
> CA that issued the LDAP server certificate (Server-Cert)
>
> I'm not sure which one it is. You might try dumping out the server
> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert e.g.
> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>
> If you get an error, this means that the CA whose cert is
> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
> certificate.

I get fdscert.pem: OK

>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>>>>
>>>>>>>>>>
>>>>>>>>>> This is all that the errors log says
>>>>>>>>> How about the access log?
>>>>>>>>>>
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>>>
>>>>>>>>>> Thanks for your help
>>>>>>>>>>
>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>
>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>
>>>>>>>>>>>> and
>>>>>>>>>>>>
>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>>>>
>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>
>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>         additional info: Start TLS request accepted.Server willing to negotiate SSL.
>>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>>> fedora ds access and error log for this request?
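The access-log excerpts quoted above show the two shapes this failure takes on the server: a successful StartTLS is the EXT oid=1.3.6.1.4.1.1466.20037 request, its RESULT err=0, and then an "SSL 256-bit AES" line; the failing one gets the same RESULT err=0 and then "closed - Peer does not recognize and trust the CA that issued your certificate" with no SSL line, because the client aborted the handshake. The client-side trace shows the abort itself: the seven bytes `15 03 01 00 02 02 30` that tls_write sends are one TLS record of type 21 (alert), version 3.1, length 2, level 2 (fatal), description 48 (unknown_ca). The script below is an added example, not code from this thread or from Fedora Directory Server; it groups access-log lines by connection, reports each connection's StartTLS outcome, flags simple binds with a non-empty DN that were sent before TLS was up (a password on the wire in the clear, which is the risk the `-ZZ` refusal protects against), and decodes an alert record from the trace. The conn=11, conn=2 and conn=124 lines are copied from the thread; conn=40 is constructed for the example.

```python
"""Triage Fedora DS access-log lines for StartTLS outcomes, and decode the
TLS alert record that the ldapsearch -d -1 trace dumps.

Added example, not code from this thread or from Fedora Directory Server.
Assumes the access-log line shape quoted in the thread ("[ts] conn=N ...")
and uses only the Python standard library.
"""
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
SIMPLE_BIND = "128"                       # method=128 in the access log is a simple bind

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'\bBIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
TLS_UP_RE = re.compile(r"^SSL \d+-bit ")  # "SSL 256-bit AES": handshake finished

# Alert descriptions that matter for certificate problems (RFC 5246, 7.2).
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied"}


def group_by_connection(text):
    """conn id -> events (text after 'conn=N '), in log order.
    Lines without a conn= field (errors-log lines, for example) are skipped."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns[int(m["conn"])].append(m["rest"])
    return conns


def classify(events):
    """One verdict per connection:
      starttls-ok             StartTLS requested and the 'SSL <n>-bit' line followed
      starttls-failed: <why>  StartTLS requested, connection closed before TLS was up
      plaintext-simple-bind   password bind with a non-empty DN before TLS was up
      no-tls                  nothing TLS-related on the connection"""
    asked = tls_up = exposed = False
    reason = ""
    for e in events:
        if f'oid="{STARTTLS_OID}"' in e:
            asked = True
        elif TLS_UP_RE.match(e):
            tls_up = True
        else:
            b = BIND_RE.search(e)
            if b and b["dn"] and b["method"] == SIMPLE_BIND and not tls_up:
                exposed = True  # the password crossed the wire in the clear
            if " closed - " in e:
                reason = e.split(" closed - ", 1)[1]
    if exposed:
        return "plaintext-simple-bind"
    if asked and not tls_up:
        return "starttls-failed: " + reason
    return "starttls-ok" if tls_up else "no-tls"


def triage(text):
    """conn id -> verdict for every connection in the log text."""
    return {c: classify(ev) for c, ev in group_by_connection(text).items()}


def decode_alert(hexdump):
    """'15 03 01 00 02 02 30' (from the tls_write dump) -> ('fatal', 'unknown_ca').
    Byte 0 is record type 21 (alert), bytes 3-4 the length (2), then level, description."""
    b = bytes.fromhex(hexdump.replace(" ", ""))
    if len(b) != 7 or b[0] != 0x15 or int.from_bytes(b[3:5], "big") != 2:
        return None
    level = {1: "warning", 2: "fatal"}.get(b[5], f"level_{b[5]}")
    return level, ALERT_DESC.get(b[6], f"alert_{b[6]}")


# conn=11, conn=2 and conn=124 are copied from the thread; conn=40 is constructed
# to show what a password bind on a connection that never started TLS looks like.
SAMPLE_LOG = """\
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
[02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[02/Jun/2006:14:59:02 -0700] conn=40 fd=69 slot=69 connection from 10.0.0.5 to 127.0.0.1
[02/Jun/2006:14:59:02 -0700] conn=40 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[02/Jun/2006:14:59:03 -0700] conn=40 op=1 fd=69 closed - U1
"""

if __name__ == "__main__":
    for conn, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn={conn}: {verdict}")
    print("client alert:", decode_alert("15 03 01 00 02 02 30"))
```

Run it against a real access log with `triage(open(path).read())`; a "starttls-failed" verdict with the "Peer does not recognize" reason is the server-side signature of the client rejecting the chain, and any "plaintext-simple-bind" verdict is worth an alert of its own regardless of how the TLS problem gets fixed.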
Richard Megginson
2006-Jun-03 02:44 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Jeff Gamsby wrote:
>> I'm not sure I understand what's going on either, but the message
>> "Peer does not recognize and trust the CA that issued your
>> certificate." means that ldapsearch did not verify your LDAP server
>> certificate (Server-Cert). This is usually due to one or both of the
>> following:
>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>> the client cannot resolve it.
>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>> the CA that issued the LDAP server certificate (Server-Cert)
>>
>> I'm not sure which one it is. You might try dumping out the server
>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>> e.g.
>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>
>> If you get an error, this means that the CA whose cert is
>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>> certificate.
>
> I get fdscert.pem: OK

I dunno - perhaps the CA doesn't have the appropriate trust flags? This is what I get:

../shared/bin/certutil -d . -P slapd-localhost- -L
CA certificate                                               CTu,u,u
Server-Cert                                                  u,u,u
Rob Crittenden
2006-Jun-03 04:23 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
Richard Megginson wrote:
> Jeff Gamsby wrote:
>>> I'm not sure I understand what's going on either, but the message
>>> "Peer does not recognize and trust the CA that issued your
>>> certificate." means that ldapsearch did not verify your LDAP server
>>> certificate (Server-Cert). This is usually due to one or both of the
>>> following:
>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>> the client cannot resolve it.
>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>
>>> I'm not sure which one it is. You might try dumping out the server
>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>> e.g.
>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>
>>> If you get an error, this means that the CA whose cert is
>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>> certificate.
>>
>> I get fdscert.pem: OK
> I dunno - perhaps the CA doesn't have the appropriate trust flags? This
> is what I get:
> ../shared/bin/certutil -d . -P slapd-localhost- -L
> CA certificate CTu,u,u
> Server-Cert u,u,u
>

Another thing you can try is verifying the server certificate:

% ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
certutil: certificate is valid

Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
eliminate the OpenSSL certificate so we can help see where the problem
is. You can have it use the same cert database as the server and that
should help confirm that the CA and Server certificates are ok. If that
works then it's likely something with your OpenSSL config that is the
problem.

rob
Jeff Gamsby
2006-Jun-03 05:29 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>> I'm not sure I understand what's going on either, but the message
>>>> "Peer does not recognize and trust the CA that issued your
>>>> certificate." means that ldapsearch did not verify your LDAP server
>>>> certificate (Server-Cert). This is usually due to one or both of the
>>>> following:
>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>>> the client cannot resolve it.
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is. You might try dumping out the server
>>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>>> e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is
>>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>>> certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags? This
>> is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate CTu,u,u
>> Server-Cert u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P
> slapd-localhost-
> certutil: certificate is valid

../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-server-
certutil-bin: certificate is valid

> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
> eliminate the OpenSSL certificate so we can help see where the problem
> is. You can have it use the same cert database as the server and that
> should help confirm that the CA and Server certificates are ok. If that
> works then it's likely something with your OpenSSL config that is the
> problem.
>
> rob
>

I'm not sure if I did this right:

../shared/bin/ldapsearch -Z -P slapd-server- -b "" -s base "(objectclass=*)" -v
ldapsearch: started Fri Jun 2 22:23:18 2006
ldap_init( localhost, 389 )
ldaptool_getcertpath -- slapd-server-
ldaptool_getkeypath -- slapd-server-
ldaptool_getmodpath -- (null)
SSL initialization failed: error -8174 (security library: bad database.)

also...

../shared/bin/ldapsearch -P slapd-server- -b "" -s base "(objectclass=*)" -v
ldapsearch: started Fri Jun 2 22:23:41 2006
ldap_init( localhost, 389 )
ldaptool_getcertpath -- slapd-server-
ldaptool_getkeypath -- slapd-server-
ldaptool_getmodpath -- (null)
SSL initialization failed: error -8174 (security library: bad database.)
Jeff Gamsby
2006-Jun-03 06:12 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
I don't see the CA cert installed in the "Managing Certificates" --> CA certs.
Shouldn't it be there?

ldapsearch -x -D "cn=Directory Manager" -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> Richard Megginson wrote:
>>> Jeff Gamsby wrote:
>>>>> I'm not sure I understand what's going on either, but the message
>>>>> "Peer does not recognize and trust the CA that issued your
>>>>> certificate." means that ldapsearch did not verify your LDAP server
>>>>> certificate (Server-Cert). This is usually due to one or both of the
>>>>> following:
>>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>>>> the client cannot resolve it.
>>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>>>
>>>>> I'm not sure which one it is. You might try dumping out the server
>>>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>>>> e.g.
>>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>>
>>>>> If you get an error, this means that the CA whose cert is
>>>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>>>> certificate.
>>>>
>>>> I get fdscert.pem: OK
>>> I dunno - perhaps the CA doesn't have the appropriate trust flags?
>>> This is what I get:
>>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>>> CA certificate CTu,u,u
>>> Server-Cert u,u,u
>>>
>>
>> Another thing you can try is verifying the server certificate:
>>
>> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
>> certutil: certificate is valid
>
> ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-server-
> certutil-bin: certificate is valid
>
>> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
>> eliminate the OpenSSL certificate so we can help see where the problem
>> is. You can have it use the same cert database as the server and that
>> should help confirm that the CA and Server certificates are ok. If that
>> works then it's likely something with your OpenSSL config that is the
>> problem.
>>
>> rob
>>
>
> I'm not sure if I did this right:
>
> ../shared/bin/ldapsearch -Z -P slapd-server- -b "" -s base "(objectclass=*)" -v
> ldapsearch: started Fri Jun 2 22:23:18 2006
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- slapd-server-
> ldaptool_getkeypath -- slapd-server-
> ldaptool_getmodpath -- (null)
> SSL initialization failed: error -8174 (security library: bad database.)
>
> also...
>
> ../shared/bin/ldapsearch -P slapd-server- -b "" -s base "(objectclass=*)" -v
> ldapsearch: started Fri Jun 2 22:23:41 2006
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- slapd-server-
> ldaptool_getkeypath -- slapd-server-
> ldaptool_getmodpath -- (null)
> SSL initialization failed: error -8174 (security library: bad database.)
>
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>>>>>>> nentries=0 etime=0
>>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>>>>>>> does not recognize and trust the CA that issued your
>>>>>>>>>> certificate.
>>>>>>>>>>
>>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>>> one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>>> one...
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on
>>>>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
>>>>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in
>>>>>>>>>>>>>>>> ca-cert.pem`.0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>>> additional info: Start TLS request accepted.Server
>>>>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>>>>>>> access log:
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
>>>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
>>>>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
>>>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
>>>>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>>>>>>> am using a OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing
>>>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the
>>>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my
>>>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then
>>>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted
>>>>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your
>>>>>>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Thanks
Jeff Gamsby
2006-Jun-04 19:56 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>> I'm not sure I understand what's going on either, but the message
>>>> "Peer does not recognize and trust the CA that issued your
>>>> certificate." means that ldapsearch did not verify your LDAP server
>>>> certificate (Server-Cert). This is usually due to one or both of the
>>>> following:
>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>>> the client cannot resolve it.
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is. You might try dumping out the server
>>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>>> e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is
>>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>>> certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags? This
>> is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate CTu,u,u
>> Server-Cert u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P slapd-localhost-
> certutil: certificate is valid
>
> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
> eliminate the OpenSSL certificate so we can help see where the problem
> is. You can have it use the same cert database as the server and that
> should help confirm that the CA and Server certificates are ok. If that
> works then it's likely something with your OpenSSL config that is the
> problem.
>
> rob
>

Rob, This is what I did.

FC4
installed fds 1.0.2
system has real hostname and name resolves

ran this script

$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=server.xxx.xxx" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
ln -s slapd-server-cert8.db cert8.db
chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
cp cacert.pem /etc/openldap/cacerts/

restarted FDS
turned on ssl mode in admin console in "Configuration -> Encryption"
Used Server-Cert certificate
restarted FDS

ran

# ../shared/bin/ldapsearch -Z -p 636 -b "" -s base "(objectclass=*)" -v
ldapsearch: started Sun Jun 4 12:48:46 2006

ldap_init( localhost, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
filter pattern: (objectclass=*)
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
objectClass: top
namingContexts: dc=server,dc=xxx,dc=xxx
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Fedora Project
vendorVersion: Fedora-Directory/1.0.2 B2006.060.1951
dataversion: 020060604194005020060604194005
netscapemdsuffix: cn=ldap://dc=server,dc=xxx,dc=xxx,dc=xxx:389

1 matches

Access log says:

[04/Jun/2006:12:50:35 -0700] conn=42 fd=69 slot=69 SSL connection from 127.0.0.1 to 127.0.0.1
[04/Jun/2006:12:50:35 -0700] conn=42 SSL 128-bit RC4
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 UNBIND
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 fd=69 closed - U1

OK right?

Now run ldapsearch -x -Hldaps://localhost

# ldapsearch -x -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>>>>
>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on
>>>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
>>>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in
>>>>>>>>>>>>>>> ca-cert.pem`.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>> additional info: Start TLS request accepted.Server
>>>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>>>> What OS and version are you running? RHEL3
>>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem). What does it say in the
>>>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>>>>>> access log:
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
>>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
>>>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
>>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
>>>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>>>>>> am using a OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing
>>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the
>>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my
>>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then
>>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted
>>>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>>>>>> cert's subject DN. What is the subject DN of your
>>>>>>>>>>>>>>>>>> server cert? You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks
Susan
2006-Jun-06 18:11 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
--- Jeff Gamsby <JFGamsby@lbl.gov> wrote:
> mv key3.db slapd-server-key3.db
> mv cert8.db slapd-server-cert8.db
> ln -s slapd-server-key3.db key3.db
> ln -s slapd-server-cert8.db cert8.db
> chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*

is the server really called "server" or did you obscure it for privacy purposes?

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Jeff Gamsby
2006-Jun-06 18:23 UTC
Re: [Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA
No, the server has a real hostname. My problem was that I had compiled OpenLDAP, and ldapsearch was /usr/local/bin/ldapsearch, therefore it used /usr/local/etc/openldap/ldap.conf not /etc/openldap/ldap.conf.

SSL now works fine, but I have a new problem with PassSync (Peer's Certificate issuer is not recognized)

Thanks

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Susan wrote:
> --- Jeff Gamsby <JFGamsby@lbl.gov> wrote:
>
>> mv key3.db slapd-server-key3.db
>> mv cert8.db slapd-server-cert8.db
>> ln -s slapd-server-key3.db key3.db
>> ln -s slapd-server-cert8.db cert8.db
>> chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
>>
>
> is the server really called "server" or did you obscure it for privacy purposes?
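The thread's resolution is worth turning into a repeatable check, because the symptom was misleading: Jeff's `openssl s_client -CAfile` test passed because it named the CA explicitly, while `ldapsearch` took its trust store from whatever `ldap.conf` the binary on PATH was built to read, and the self-built `/usr/local/bin/ldapsearch` read `/usr/local/etc/openldap/ldap.conf`, which never had `TLS_CACERT` set. The `err: 19` in the trace is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the self-signed root the server sent is not in the client's trust store, so the client sends the `unknown CA` alert. The script below is an added example written for this page, not code from the thread or from the Fedora DS project. It builds a throwaway PKI with `openssl` under a scratch directory (all of those paths are constructed), repeats Rich's `openssl verify -CAfile` check against the right and the wrong CA, and derives which `ldap.conf` a given `ldapsearch` path reads from its install prefix; that prefix rule (OpenLDAP's `$prefix/etc/openldap/ldap.conf`, with distro builds under `/usr` using `/etc`) is a heuristic, and an `LDAPCONF` environment variable would override it:

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the two checks the thread
# converged on, offline: (1) does the CA file verify the server cert (the
# "openssl verify -CAfile" step), and (2) which ldap.conf does a given
# ldapsearch binary actually read. All paths under $WORK are constructed here.
# Assumes: openssl and awk on PATH; OpenLDAP's default layout of
# $prefix/etc/openldap/ldap.conf, with distro builds under /usr using /etc.

WORK="${TMPDIR:-/tmp}/fds-tls-check.$$"

# Build a throwaway PKI: CA1 issues the server cert, CA2 is an unrelated CA.
make_test_pki() {
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=CAcert" -days 30 \
        -keyout "$WORK/ca1.key" -out "$WORK/ca1.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=OtherCA" -days 30 \
        -keyout "$WORK/ca2.key" -out "$WORK/ca2.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca1.pem" \
        -CAkey "$WORK/ca1.key" -CAcreateserial -days 30 \
        -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
}

# Same check as Rich's "openssl verify -CAfile cacert.asc fdscert.pem".
# Prints ok or fail. A fail here against the CA the client trusts is what
# OpenLDAP reported as err 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN).
verify_server_cert() {   # $1 = CA PEM, $2 = server cert PEM
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Derive the ldap.conf a given ldapsearch binary reads from its install prefix.
# Mirrors the thread's root cause: /usr/local/bin/ldapsearch reads
# /usr/local/etc/openldap/ldap.conf, /usr/bin/ldapsearch reads
# /etc/openldap/ldap.conf. Heuristic; LDAPCONF in the environment overrides both.
ldap_conf_for_binary() {   # $1 = absolute path of the ldapsearch binary
    prefix=$(dirname "$(dirname "$1")")
    case "$prefix" in
        */usr) prefix="${prefix%/usr}" ;;   # distro sysconfdir is /etc, not /usr/etc
    esac
    echo "$prefix/etc/openldap/ldap.conf"
}

# Value of one ldap.conf directive (first match, case-insensitive, comments skipped).
tls_setting() {   # $1 = ldap.conf path, $2 = directive name, e.g. TLS_CACERT
    awk -v k="$2" '$1 !~ /^#/ && toupper($1)==k {print $2; exit}' "$1"
}

# Put the pieces together for one binary: find its config, read TLS_CACERT,
# and verify the server cert against that CA file.
diagnose() {   # $1 = ldapsearch path, $2 = server cert PEM
    conf=$(ldap_conf_for_binary "$1")
    [ -r "$conf" ] || { echo "no-config:$conf"; return 0; }
    ca=$(tls_setting "$conf" TLS_CACERT)
    [ -n "$ca" ] || { echo "no-tls-cacert:$conf"; return 0; }
    echo "$(verify_server_cert "$ca" "$2"):$ca"
}

# Two constructed configs under $WORK, mirroring the thread: the system one
# names the right CA; the /usr/local one (read by the self-built ldapsearch)
# never had TLS_CACERT set at all.
write_test_confs() {
    mkdir -p "$WORK/etc/openldap" "$WORK/usr/local/etc/openldap" || return 1
    printf 'TLS_CACERT %s/ca1.pem\nTLS_REQCERT demand\n' "$WORK" \
        > "$WORK/etc/openldap/ldap.conf"
    printf '# stock file from a source build\nBASE dc=example,dc=com\n' \
        > "$WORK/usr/local/etc/openldap/ldap.conf"
}

# Stand-alone run (sh check.sh --run): build the PKI and confs, report, clean up.
if [ "${1:-}" = "--run" ]; then
    make_test_pki && write_test_confs
    bin=$(command -v ldapsearch || echo /usr/bin/ldapsearch)
    echo "ldapsearch on PATH: $bin -> $(ldap_conf_for_binary "$bin")"
    echo "right CA:   $(verify_server_cert "$WORK/ca1.pem" "$WORK/server.pem")"
    echo "wrong CA:   $(verify_server_cert "$WORK/ca2.pem" "$WORK/server.pem")"
    echo "self-built: $(diagnose "$WORK/usr/local/bin/ldapsearch" "$WORK/server.pem")"
    rm -rf "$WORK"
fi
```

On a real host the useful inputs are the CA file from `TLS_CACERT` and the server cert dumped with `certutil -L -n Server-Cert -a` as Rich suggested; if `verify_server_cert` says ok for that pair but `ldapsearch` still fails, check `command -v ldapsearch` and the config path `ldap_conf_for_binary` derives for it before touching the certificate database again. `TLS_REQCERT demand` is the setting to keep once the chain verifies; the `allow` value from the original post hides exactly this class of misconfiguration by letting the connection proceed without a verified server certificate.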