Alessandro Binarelli
2006-Apr-10 07:15 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
Hi,
today I'm trying to solve an SSL issue to communicate from Fedora DS to both a client and another DS server for replication... after many tests, with your help I reached this point:

I'm always in the alias directory.

Create my CA database:
# ../shared/bin/certutil -N -d .

Make my own CA:
# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

Create server key and certificate for server1:
# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq

Create server key and certificate for server2:
# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq

After that I copy the database to server 2 and rename it to match the correct server... finally I enable SSL encryption on both servers and I try to establish Multi Master Replication via the mmr.pl script, so:

./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl

Unfortunately, consulting the logs I find:

NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)

It's incredible that when I find a solution for something, at the same time I find a problem in another point :-)

Thanks in advance for support
Alex
Richard Megginson
2006-Apr-10 16:04 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
Alessandro Binarelli wrote:
> Hi,
> today I'm trying to solve an SSL issue to communicate from Fedora DS to
> both a client and another DS server for replication... after many tests,
> with your help I reached this point:
>
> I'm always in the alias directory.
>
> Create my CA database:
> # ../shared/bin/certutil -N -d .
>
> Make my own CA:
>
> # ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x
> -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5
>
>
> Create server key and certificate for server1:
>
> # ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq
> -g 1024
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o
> tmpcert.der -m 3 -v 12
> -1 -5 -8 domain.example.com
> # ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i
> tmpcert.der
> # rm -f tmpcert.der tmpcertreq
>
> Create server key and certificate for server2:
>
> # ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq
> -g 1024
> # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12
> -1 -5 -8 domain.example.com
>
> # ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
> # rm -f tmpcert.der tmpcertreq
>
> After that I copy the database to server 2 and rename it to match the correct server... finally I enable SSL encryption on both servers

On server2 - did you change Alt-Cert to Server-Cert in the cert database, or did you change the attribute nsSSLPersonalitySSL in entry cn=RSA,cn=encryption,cn=config to be Alt-Cert instead of Server-Cert?

> and I try to establish Multi Master Replication via the mmr.pl script, so:
>
> ./mmr.pl --host1 nodo1.domain.example.com --host2
> nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret
> --repmanpw secret --create --with-ssl
>
> Unfortunately, consulting the logs I find:

In which log is this?

> NSMMReplicationPlugin - agmt="cn="Replication
> to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
> error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error
> -5961 (TCP connection reset by peer.)
>
>
>
> It's incredible that when I find a solution for something, at the same
> time I find a problem in another point :-)
>
> Thanks in advance for support
>
> Alex
>
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Alex
2006-Apr-10 17:07 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
> On server2 - did you change Alt-Cert to Server-Cert in the
> cert database, or did you change the attribute
> nsSSLPersonalitySSL in entry cn=RSA,cn=encryption,cn=config
> to be Alt-Cert instead of Server-Cert?

I did exactly what I wrote... so, after making the certificates, I exported the db to server2 and in the console I enabled SSL encryption using... on the first server (nodo1) nodo1.domain.example.com and on the second server (nodo2) Alt-Cert

> > ./mmr.pl --host1 nodo1.domain.example.com
> <http://nodo1.domain.example.com> --host2
> > nodo2.domain.example.com <http://nodo2.domain.example.com>
> --host1_id 1 --host2_id 2 --bindpw secret
> > --repmanpw secret --create --with-ssl

Trying to run it replacing nodo1.domain.example.com with http://nodo1.domain.example.com and nodo2.domain.example.com with http://nodo2.domain.example.com, the script says:

Died at ./mmr.pl line 418, <DATA> line 339

Today I remade the certificates and I used the Alt-Cert nick for server1 and nodo2 for server2... now running the script it says:

[10/Apr/2006:12:24:11 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)

Thanks
Alex
Susan
2006-Apr-11 13:47 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
> Alessandro Binarelli wrote:
> > Hi,
> > today I'm trying to solve an SSL issue to communicate from Fedora DS to
> > both a client and another DS server for replication... after many tests,
> > with your help I reached this point:

what happens when you run certutil -L -d . on both servers? in the alias directory?

try keeping the cert names consistent, that'll help in troubleshooting.
Alessandro Binarelli
2006-Apr-11 14:10 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
> what happens when you run certutil -L -d . on both servers? in the alias
> directory?
>
> try keeping the cert names consistent, that'll help in troubleshooting.
>

Ok... I'll try it in about one hour... more or less... but the command above should list the certificates and, if I remember, it was:

CA Certificate
Alt-Cert
nodo2.domain.example.com

... I'll be more accurate later... when I come back

Thanks in advance
Alex
Alex
2006-Apr-11 16:32 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
> what happens when you run certutil -L -d . on both servers?
> in the alias directory?
>
> try keeping the cert names consistent, that'll help in
> troubleshooting.
>

Ok... after these commands:

******CA*********
# ../shared/bin/certutil -N -d .
# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

********Server 1********
# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der

*****Server 2*******
# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 9 -v 120 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der

# certutil -L -d .
CA Certificate              CTu,CTu,CTu
nodo1.domain.example.com    u,u,u
Alt-Cert                    u,u,u

*****MULTI MASTER REPLICATION*****
... after enabling SSL encryption on both servers... running the mmr.pl script:

./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl

******LOGS*****
... in nodo1's logs:

[11/Apr/2006:17:56:58 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[11/Apr/2006:17:57:01 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2"" (nodo2:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.)

************CONSIDERATIONS****************
Modifying as suggested by Richard:

../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5 -8 domain.example.com <http://domain.example.com>

it says:

bash: syntax error near unexpected token 'newline'

... I understood that the problem is how I wrote http, but I don't know how to change it

Thanks in advance for your support
Alex
Susan
2006-Apr-11 17:03 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
--- Alex <magobin@gmail.com> wrote:
> [11/Apr/2006:17:56:58 +0000] NSMMReplicationPlugin - agmt="cn="Replication
> to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk
> error 81 (Can't contact LDAP server), Netscape Portable Runtime error -12276

Like Richard said, what is nsSSLPersonalitySSL set to in dse.ldif on the nodes?

you should keep the names consistent. I mean, how do you know whether alt-server refers to nodo1 or nodo2?? You know now but what about 5 months from now??

also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
Alex
2006-Apr-11 17:50 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
> Like Richard said, what is nsSSLPersonalitySSL set to in
> dse.ldif on the nodes?
>
> you should keep the names consistent. I mean, how do you
> know whether alt-server refers to nodo1 or nodo2?? You know
> now but what about 5 months from now??
>
> also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
>

I apologize but I don't understand what you want to say... and no... at this point I can't do ldapsearch -ZZ

I only followed your instructions to enable encryption on both servers and am trying to make a query from a client on both servers using a floating IP with SSL enabled... I understood that the solution was SubjectAltName and I asked in which way it was possible to implement it... following Rob's tips it seems not to be working, and the last post is the last step of my configuration for testing it.

Regards
Alex
Rob Crittenden
2006-Apr-11 18:00 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
Alex wrote:
>
>
>> Like Richard said, what is nsSSLPersonalitySSL set to in
>> dse.ldif on the nodes?
>>
>> you should keep the names consistent. I mean, how do you
>> know whether alt-server refers to nodo1 or nodo2?? You know
>> now but what about 5 months from now??
>>
>> also, can you do ldapsearch -ZZ against both nodo1/2 without problems?
>>
>
>
> I apologize but I don't understand what you want to say... and no... at
> this point I can't do ldapsearch -ZZ
>
> I only followed your instructions to enable encryption on both servers and
> am trying to make a query from a client on both servers using a floating IP with
> SSL enabled... I understood that the solution was SubjectAltName and I asked
> in which way it was possible to implement it... following Rob's tips it seems not
> to be working, and the last post is the last step of my configuration for testing it.
>

You are doing a couple of odd things:

1. Why does nodo1 get its own nickname but nodo2 is named Alt-Cert? As I've said before, the nicknames aren't important, but you should have some sort of naming policy.
2. You may need to fully qualify the cn in the certificates: nodo1.domain.example.com. This alone could explain the -12276 error. I don't know if NSS will reconstitute the domain from its dc components.

Does ldapsearch work against each fully-qualified host? Get ldapsearch working for the CN and for the alt subject first before trying to do MMR.

rob
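Editor's note on the -12276 error, with an added example that is not code from this thread, from Fedora Directory Server or from NSS. An NSS client (the replication plugin included) answers the question "does the name I connected to appear in the server's certificate?" by comparing the requested hostname against the subjectAltName dNSName entries; only when the certificate has no dNSName entry does it fall back to the subject CN. It never joins the dc= components of the subject DN into a domain. The certificates built in this thread were issued with `-s "cn=nodo2,dc=domain,dc=example,dc=com"` and `-8 domain.example.com`, so the only names a verifier can see are the SAN "domain.example.com" and the bare CN "nodo2"; neither equals nodo2.domain.example.com, which is exactly "requested domain name does not match the server's certificate". The fix is to put the FQDN in the CN and to give `-8` a comma-separated list of every name clients will connect to, the node's own FQDN and the DNS name of the floating IP. The script below implements the matching rules (RFC 2818 / RFC 6125 style, including the single-leftmost-label wildcard) and runs them over a constructed copy of the thread's nodo2 certificate and over a corrected one. The floating-IP name `ldap.domain.example.com` is an assumption; the thread never names it.

```python
"""
Hostname-to-certificate matching as a TLS client performs it before the
LDAP bind, applied to the certificates built in this thread.
Added example, not code from the thread, from Fedora DS or from NSS.

Rules implemented (RFC 2818 / RFC 6125, as NSS and browsers apply them):
  1. If the certificate carries subjectAltName dNSName entries, only those
     are compared against the requested host; the subject CN is ignored.
  2. Without any dNSName entry, the subject CN is compared instead.
  3. The dc= components of the subject DN are never joined into a domain.
  4. A wildcard is honoured only as the whole leftmost label ("*.a.b").
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """The two fields of an X.509 certificate that hostname checking reads."""
    subject_dn: str                                   # RFC 4514 string
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries


def certutil_san_names(dns_arg: str) -> List[str]:
    """What `certutil -C ... -8 a,b,c` puts into subjectAltName: one dNSName
    per comma-separated entry, nothing derived from the subject DN."""
    return [n.strip() for n in dns_arg.split(",") if n.strip()]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs; honours '\\,' escapes."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def subject_cn(dn: str) -> Optional[str]:
    """Most specific (leftmost) CN of the subject, or None if there is none."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not lbl for lbl in h):
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one leftmost label and must leave
        # at least two fixed labels, so "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def names_checked(cert: Cert) -> List[str]:
    """Names a verifier actually compares: SAN dNSNames if any, else the CN."""
    if cert.san_dns:
        return list(cert.san_dns)
    cn = subject_cn(cert.subject_dn)
    return [cn] if cn else []


def hostname_matches(hostname: str, cert: Cert) -> bool:
    return any(name_matches(n, hostname) for n in names_checked(cert))


def explain(hostname: str, cert: Cert) -> str:
    """One-line verdict in the spirit of NSS error -12276."""
    if hostname_matches(hostname, cert):
        return f"{hostname}: OK (matched one of {names_checked(cert)})"
    return (f"{hostname}: requested domain name does not match the server's "
            f"certificate (checked {names_checked(cert)})")


# Constructed from the commands posted in the thread: CN "nodo2" plus dc=
# components, and `-8 domain.example.com`.
THREAD_NODO2 = Cert(
    subject_dn="cn=nodo2,dc=domain,dc=example,dc=com",
    san_dns=certutil_san_names("domain.example.com"),
)

# A corrected request: the CN is the FQDN, and -8 lists both the node's own
# name and the shared service name. "ldap.domain.example.com" is an assumed
# DNS name for the floating IP; the thread never names it.
FIXED_NODO2 = Cert(
    subject_dn="cn=nodo2.domain.example.com",
    san_dns=certutil_san_names("nodo2.domain.example.com,ldap.domain.example.com"),
)

if __name__ == "__main__":
    for cert in (THREAD_NODO2, FIXED_NODO2):
        print(cert.subject_dn)
        for host in ("nodo2.domain.example.com", "ldap.domain.example.com",
                     "domain.example.com"):
            print("  " + explain(host, cert))
```

Running it shows the thread's certificate failing for nodo2.domain.example.com and passing only for domain.example.com, while the corrected certificate passes for both the node name and the service name. The same split applies to the floating-IP setup: one certificate per node, each listing its own FQDN plus the shared name in the SAN, is what lets clients verify either server through the shared address.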
Susan
2006-Apr-11 18:56 UTC
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
> Alex wrote:
> > I apologize but I don't understand what you want to say... and no... at
> > this point I can't do ldapsearch -ZZ

then obviously mmr over ssl will not work.

seriously, why do you keep doing this floating IP setup? it's not buying you anything. It
Alex
2006-Apr-11 19:52 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
> You are doing a couple of odd things:
>
> 1. Why does nodo1 get its own nickname but nodo2 is named
> Alt-Cert? As I've said before, the nicknames aren't
> important, but you should have some sort of naming policy.
> 2. You may need to fully qualify the cn in the certificates:
> nodo1.domain.example.com. This alone could explain the -12276
> error. I don't know if NSS will reconstitute the domain from
> its dc components.
>
> Does ldapsearch work against each fully-qualified host? Get
> ldapsearch working for the CN and for the alt subject first
> before trying to do MMR.
>
> rob
>

Alt-Cert is only from your tips... tomorrow I'll try to make a certificate for nodo2 as nodo2.domain.example.com

Sincerely, I still don't understand where the problem is; at this point I think that I explained my goal badly. I followed your tip, assuming that -n Alt-Cert was something more than only a nickname for the cert. Plus... in my last post I used the FQDN for nodo1 and Alt-Cert for the reason above; do you think that all the problems come from an error in the -n statement?

Susan... I explained why the floating IP... give me another solution that permits having 2 DS in replication where clients can query/authenticate in encrypted mode on both servers... even if a server is shut down or crashed... of course... tell me how to implement it too ;-)

At this point I think that we are very (how do you say vicino?? ... close??) to the solution... when finally the DS are replicating and clients can authenticate with SSL on both servers... other problems such as Postfix integration and Samba integration are only a matter of time!

Thanks for your support
Alex
Susan
2006-Apr-11 20:02 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
--- Alex <magobin@gmail.com> wrote:
> Susan... I explained why the floating IP... give me another solution that permits
> having 2 DS in replication where clients can query/authenticate in encrypted
> mode on both servers... even if a server is shut down or crashed... of
> course... tell me how to implement it too ;-)

I did give you another solution -- simply list all your FDS servers in the client's /etc/openldap/ldap.conf. That's it. None of this floating IP business. If the first one on the list fails, it'll go to the next one.
Alex
2006-Apr-11 22:01 UTC
RE: [Fedora-directory-users] Re: SubjectAltName how does it work?
> I did give you another solution -- simply list all your FDS
> servers in the client's /etc/openldap/ldap.conf. That's it.
> None of this floating IP business. If the first one on the
> list fails, it'll go to the next one.
>

Ok... tomorrow I'll try to solve it this way... thank you!

At this point the "floating IP" has become too complicated!

Regards (good night)
Alex