MAS Jean-Louis
2020-Aug-04 13:18 UTC
[Samba] Problem with intermediate certificate (tls cafile)
I have several samba servers on Debian 10 all using:

samba 2:4.9.5+dfsg-5+deb10u1 amd64

I use tls cafile, tls certfile and tls keyfile with certificates from Sectigo (https://cert-manager.com).

And when checking my connection from the samba server, or from outside, I've got "unable to verify the first certificate" even if tls_cafile is provided in smb.conf.

What is wrong?

# checking my connection

openssl s_client -showcerts -connect localhost:636

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU XXX, CN = ad-rep2.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU XXX, CN = ad-rep2.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
...
Server certificate
subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN = ad-rep2.example.com

issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

---
Acceptable client certificate CA names
C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3041 bytes and written 393 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

# checking my connection with intermediate certificate

openssl s_client -showcerts -connect localhost:636 -CAfile /etc/ssl/certs/ad-rep2.example.com-2020-intermediate.pem

CONNECTED(00000003)
Can't use SSL_get_servername
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
verify return:1
depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN = ad-rep2.example.com
verify return:1
---
Certificate chain
 0 s:C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN = ad-rep2.example.com
   i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
---
Server certificate
subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN = ad-rep2.example.com

issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

---
Acceptable client certificate CA names
C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3041 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed

# My smb.conf

[global]
    allow dns updates = nonsecure and secure
    disable spoolss = Yes
    dns forwarder = w.x.y.z a.b.c.d
    load printers = No
    log file = /var/log/samba/samba-ad.log
    netbios name = AD-REP2
    passdb backend = samba_dsdb
    printcap cache time = 0
    printcap name = /dev/null
    realm = EXAMPLE.COM
    server role = active directory domain controller
    server string = Samba Server Version %v
    template homedir = /home/%ACCOUNTNAME%
    template shell = /bin/bash
    tls cafile = tls/ad-rep2.example.com-2020-intermediate.pem
    tls certfile = tls/ad-rep2.example.com-2020-certonly.pem
    tls keyfile = tls/ad-rep2.example.com-2020.key
    tls verify peer = ca_and_name
    workgroup = EXAMPLE
    winbindd:use external pipes = true
    smbd:backgroundqueue = no
    rpc_daemon:spoolssd = embedded
    rpc_server:tcpip = no
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
    map archive = No
    print command = lpr -r -P'%p' %s
    printing = bsd

Intermediate certificates (tls/ad-rep2.example.com-2020-intermediate.pem) are ordered as mentioned in Sectigo's documentation:

"SSLCertificateChainFile: Intermediate(s)/Root only, PEM encoded (it contains the certificates from the leaf, without the certificate itself, to the root)"

Thanks

-- 
Jean Louis Mas
MAS Jean-Louis
2020-Aug-06 15:36 UTC
[Samba] Problem with intermediate certificate (tls cafile)
Nobody has any clues about the tls cafile?

Regards

On 04/08/2020 at 15:18, MAS Jean-Louis via samba wrote:
> [...]
-- 
Jean Louis Mas
Équipe MI LIG
Tel: 04 57 421 425
chat : https://tchat.univ-grenoble-alpes.fr/direct/masjea
Nick Howitt
2020-Aug-06 15:43 UTC
[Samba] Problem with intermediate certificate (tls cafile)
If I were guessing, based on some experience with certificate usage in other apps, concatenate your certificate and intermediate certificates into a single file, which is then your "tls certfile", then point "tls cafile" to your issuer's proper CA or just to your distro's CA bundle, e.g. /etc/pki/tls/certs/ca-bundle.crt.

Nick

On 06/08/2020 16:36, MAS Jean-Louis via samba wrote:
> Nobody has any clues about the tls cafile?
>
> Regards
>
> On 04/08/2020 at 15:18, MAS Jean-Louis via samba wrote:
>> [...]