Alex aka Magobin
2006-Mar-22 10:32 UTC
[Fedora-directory-users] SSL problem on replication!
hi,
I used the Replication HOWTO to make a replica with 2 servers; after that I saw that replication was without encryption, so I made my own CA and I made two certificates, one for each server... I made the request from the Fedora Console and then I installed it from the same console.

Testing on the second server, I tried to restart slapd; the server correctly asks for the PIN for the Internal Software Token, but then it says:

[22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert nodo2-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid

...what does it mean? ...maybe I have made some mistakes about SSL?
...how can I resolve this problem?
...is it possible to go back??

thanks in advance

Alex
Richard Megginson
2006-Mar-22 16:01 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex aka Magobin wrote:
> hi,
> I used the Replication HOWTO to make a replica with 2 servers; after that I saw that replication was without encryption, so I made my own CA and I made two certificates, one for each server... I made the request from the Fedora Console and then I installed it from the same console.
>
> Testing on the second server, I tried to restart slapd; the server correctly asks for the PIN for the Internal Software Token, but then it says:
>
> [22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert nodo2-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
> [22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid
>
> ...what does it mean? ...maybe I have made some mistakes about SSL?
> ...how can I resolve this problem?
> ...is it possible to go back??

I think you may need to add the CA cert to the cert db for nodo2

> thanks in advance
>
> Alex
This is what I did to get SSL repl working:

1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.

on the consumer:
[root@cnjldap01 alias]# ../shared/bin/certutil -L -d . -n "NJ CA certificate" -a > cnjldap01.cert.asc

#send to supplier:
scp cnjldap01.cert.asc root@cnyldap01:/opt/fedora-ds/alias/

#import it into the supplier's cert db:
[root@cnyldap01 /]# ../shared/bin/certutil -A -d . -P slapd-cnyldap01- -n "NJ CA certificate" -t "CT,," -a -i cnjldap01.cert.asc

That's it.

--- Richard Megginson <rmeggins@redhat.com> wrote:
> Alex aka Magobin wrote:
> > hi,
> > I used the Replication HOWTO to make a replica with 2 servers; after that I saw that replication was without encryption, so I made my own CA and I made two certificates, one for each server... I made the request from the Fedora Console and then I installed it from the same console.
> >
> > Testing on the second server, I tried to restart slapd; the server correctly asks for the PIN for the Internal Software Token, but then it says:
> >
> > [22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert nodo2-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
> > [22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid
> >
> > ...what does it mean? ...maybe I have made some mistakes about SSL?
> > ...how can I resolve this problem?
> > ...is it possible to go back??
>
> I think you may need to add the CA cert to the cert db for nodo2
>
> > thanks in advance
> >
> > Alex
Alex aka Magobin
2006-Mar-24 08:43 UTC
Re: [Fedora-directory-users] SSL problem on replication!
On Thu, 2006-03-23 at 08:43 -0800, Susan wrote:
> This is what I did to get SSL repl working:
>
> 1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.
>
> on the consumer:
>

Thank you Susan for your reply... two questions for you, if possible:

1) This procedure is similar to Chapter 8 in the Administration Guide... but you have to create the cert db before

2) To make secure replication... I have to enable SSL on the DS... in this case, is it still possible to query LDAP on port 389??

Thanks in advance!!

Alex
George Holbert
2006-Mar-24 19:04 UTC
Re: [Fedora-directory-users] SSL problem on replication!
> 2) To make secure replication... I have to enable SSL on the DS... in this case, is it still possible to query LDAP on port 389??

Absolutely, enabling SSL does not affect unencrypted connections on port 389.

Alex aka Magobin wrote:
> On Thu, 2006-03-23 at 08:43 -0800, Susan wrote:
>
>> This is what I did to get SSL repl working:
>>
>> 1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.
>>
>> on the consumer:
>>
>
> Thank you Susan for your reply... two questions for you, if possible:
>
> 1) This procedure is similar to Chapter 8 in the Administration Guide... but you have to create the cert db before
>
> 2) To make secure replication... I have to enable SSL on the DS... in this case, is it still possible to query LDAP on port 389??
>
> Thanks in advance!!
>
> Alex
--- Alex aka Magobin <magobin@gmail.com> wrote:
> On Thu, 2006-03-23 at 08:43 -0800, Susan wrote:
> > This is what I did to get SSL repl working:
> >
> > 1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.
> >
> > on the consumer:
> >
>
> Thank you Susan for your reply... two questions for you, if possible:
>
> 1) This procedure is similar to Chapter 8 in the Administration Guide... but you have to create the cert db before

yes, cert db must exist, for a cert to be exported out of it :)

> 2) To make secure replication... I have to enable SSL on the DS... in this case, is it still possible to query LDAP on port 389??

yes. One way to disable it is to set the ldap port to 0; FDS will then say on startup that non-secure access has been disabled, proceeding. That will break the console access, however. I haven't been able to turn off non-SSL access AND still be able to use the console.
Nathan Kinder
2006-Mar-24 22:23 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Susan wrote:
> --- Alex aka Magobin <magobin@gmail.com> wrote:
>
>> On Thu, 2006-03-23 at 08:43 -0800, Susan wrote:
>>
>>> This is what I did to get SSL repl working:
>>>
>>> 1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.
>>>
>>> on the consumer:
>>>
>>
>> Thank you Susan for your reply... two questions for you, if possible:
>>
>> 1) This procedure is similar to Chapter 8 in the Administration Guide... but you have to create the cert db before
>>
>
> yes, cert db must exist, for a cert to be exported out of it :)
>
>> 2) To make secure replication... I have to enable SSL on the DS... in this case, is it still possible to query LDAP on port 389??
>>
>
> yes. One way to disable it is to set the ldap port to 0; FDS will then say on startup that non-secure access has been disabled, proceeding. That will break the console access, however. I haven't been able to turn off non-SSL access AND still be able to use the console.
>

You can configure Console to talk LDAPS. I was just able to disable the standard LDAP port on my FDS 1.0.2 install and still use Console. You need to check the "Use SSL in Fedora Console" checkbox in the "Configuration" tab of the Directory Server Console.

-NGK
Alex aka Magobin
2006-Mar-27 10:23 UTC
Re: [Fedora-directory-users] SSL problem on replication!
I still have problems with SSL replication... in order to resolve this problem I post my steps to configure it... thanks in advance if someone could help me:

1) in the alias directory I make pwdfile.txt and noise.txt

2) Make a .db file:
../shared/bin/certutil -N -d . -f pwdfile.txt

3) Make an encrypted key:
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt

4) Make a self-signed certificate:
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt

5) make a server cert signed by the CA:
../shared/bin/certutil -S -n "Server-Cert" -s "cn=domain.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

6) Rename db and relink:
mv cert8.db slapd-server-cert8.db
mv key3.db slapd-server-key3.db
ln -s slapd-server-cert8.db cert8.db
ln -s slapd-server-key3.db key3.db
chown nobody *.db

7) Exporting certificate:
../shared/bin/certutil -L -d . -n "CA Certificate" -a > nodo1.cert.asc

8) Send to nodo2:
scp nodo1.cert.asc root@nodo2:/opt/fedora-ds/alias/

9) Importing in db:
../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA Certificate" -t "CT,," -a -i nodo1.cert.asc

10) make a replication with the mmr.pl script:
./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host_id 1 --host_id 2 --bindpw secretpwd --repmanpw secret --create --with-ssl

11) After that... there should be a replication... but in the slapd log I find:

NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): SSL Not Initialized, Replication over SSL FAILED
NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): incremental update failed and requires administrator action

Any help is greatly appreciated!

Alex
--- Nathan Kinder <nkinder@redhat.com> wrote:
> You can configure Console to talk LDAPS. I was just able to disable the standard LDAP port on my FDS 1.0.2 install and still use Console. You need to check the "Use SSL in Fedora Console" checkbox in the "Configuration" tab of the Directory Server Console.

yeah, I did that. I set the port to 0 & clicked on "use SSL for console connections."

[root@cnyitlin02 /]# /opt/fedora-ds/slapd-cnyitlin02/restart-slapd
[27/Mar/2006:09:40:20 -0500] - Information: Non-Secure Port Disabled, server only contactable via secure port

So far so good. But when I restart the console, I get this:

"Cannot connect to directory server ldap://cnyitlin02:389. Would you like to restart?"

Now, obviously that port is no longer there. Have you not had this problem? How do I tell the console to go to 636 instead (I'm assuming that's what the problem is..)
Some news on my situation... finally I solved the problem about "SSL Not Initialized" as explained in my previous post... I did exactly the same thing but on a fresh install and now the certificates are present.

Now the problem is:

[27/Mar/2006:14:13:48 +0000] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[27/Mar/2006:14:13:50 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[27/Mar/2006:14:13:50 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[27/Mar/2006:14:14:06 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
[27/Mar/2006:14:14:07 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)

According to what Susan suggested... I configured Fedora DS in a cluster on both nodes in the same manner; both are named ldap.domain.example.com; this is for working with IP takeover; in fact I configured an IP that points to ldap.domain.example.com.

Without SSL everything works, but with SSL enabled the mmr.pl script reports the error above when it tries to make a replication.

How can I solve it? ...Is there some other doc to study??

Thanks in advance!

Alex
Mike Jackson
2006-Mar-27 16:07 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex wrote:
> Some news on my situation... finally I solved the problem about "SSL Not Initialized" as explained in my previous post... I did exactly the same thing but on a fresh install and now the certificates are present.
>

The mmr.pl script does not configure an SSL-enabled LDAP service, it configures replication.

You must first have an SSL LDAP service working before you attempt to configure SSL replication, with mmr.pl or the admin console.

BR,
--
mike
Mike Jackson
2006-Mar-27 16:33 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex wrote:
> The problem is that the DS doesn't report any error now after configuring SSL... I have correctly installed the certificate according to the documentation... plus today I spent 3 hours understanding why I wasn't able to configure SSL following the documentation and howto step by step... the problem was maybe a DS corruption after a lot of tests... because after uninstalling and reinstalling, when I configured SSL on the fresh install everything worked.

If you are not able to connect to every one of your servers with SSL, then you are not able to configure SSL replication between them. Get the SSL LDAP service working before trying to do anything else with it.

--
mike
--- Alex <magobin@gmail.com> wrote:
> [27/Mar/2006:14:14:07 +0000] NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)

it doesn't look like nodo2 is listening on 636.. can you run

telnet nodo2 636

does that return anything?

> According to what Susan suggested... I configured Fedora DS in a cluster on both nodes in the same manner; both are named ldap.domain.example.com; this is for working with IP takeover; in fact I configured an IP that points to ldap.domain.example.com.

wait, so both servers have the same name? meaning, if you run hostname on either server, hostname returns the same thing?

also, if you think mmr.pl is the problem, comment out these two lines:

# add replication agreements
#add_rep_agreement($host1, $host2, $repmanpw);
#add_rep_agreement($host2, $host1, $repmanpw);

that'll make mmr.pl do all the heavy work of setting up the configs and then you can add the rep agreements from the UI, step by step, according to the manual. run the modified mmr.pl, just a regular run, and then load the console and start step by step. tail -f the logs while you're doing it, you'll see the replication kick in in real time.
> wait, so both servers have the same name? meaning, if you run hostname on either server, hostname returns the same thing?
>

No, nodo1 is 10.23.5.252 and nodo2 is 10.23.5.253, but in cluster suite I configured an IP service (10.23.5.250); with this IP I configured the DS... in DNS I configured 10.23.5.250 to point to ldap.domain.example.com; then during DS setup I configured both DSs to point to ldap.domain.example.com... so the configurations are exactly the same!... in clear it works, but with SSL....

> also, if you think mmr.pl is the problem, comment out these two lines:
>
> # add replication agreements
> #add_rep_agreement($host1, $host2, $repmanpw);
> #add_rep_agreement($host2, $host1, $repmanpw);
>

I don't know if this is the problem... I can try... otherwise... the only solution that I thought of is to configure the DS on their real hostnames (nodo1 and nodo2) and then in DNS, via round robin, configure an ldap entry that points to both nodo1 and nodo2... but in this way I don't solve the IP issue!

Thanks in advance!

Alex
> The mmr.pl script does not configure an SSL-enabled LDAP service, it configures replication.
>
> You must first have an SSL LDAP service working before you attempt to configure SSL replication, with mmr.pl or the admin console.
>

The problem is that the DS doesn't report any error now after configuring SSL... I have correctly installed the certificate according to the documentation... plus today I spent 3 hours understanding why I wasn't able to configure SSL following the documentation and howto step by step... the problem was maybe a DS corruption after a lot of tests... because after uninstalling and reinstalling, when I configured SSL on the fresh install everything worked.

So... at this time, for me the problem is not SSL but something about resolution in my particular configuration with the DS on a cluster system

Regards
Alex
--- Alex <magobin@gmail.com> wrote:
> > wait, so both servers have the same name? meaning, if you run hostname on either server, hostname returns the same thing?
> >
>
> No, nodo1 is 10.23.5.252 and nodo2 is 10.23.5.253, but in cluster suite I configured an IP service (10.23.5.250); with this IP I configured the DS... in DNS I configured 10.23.5.250 to point to ldap.domain.example.com; then during DS setup I configured both DSs to point to ldap.domain.example.com... so the configurations are exactly the same!... in clear it works, but with SSL....

well, can you successfully query BOTH DSs with ldapsearch -ZZ, with their real IPs? If you cannot do that, then like Mike J said, no replication will ever happen.

In fact, because the floating IP will only reside on 1 server at a time but you configured both FDSs to listen on that IP, which will not exist on one of the servers, it's a problem. Plus, you don't have to do that. Make FDS listen on its OWN REAL IP and keep your floating cluster setup the same way. That way, any clients will talk to the floating IP but the FDS is really listening on any interface:

tcp        0      0 *:ldaps                 *:*                     LISTEN

which means that even if a packet arrives at a floating IP and FDS is listening on a real IP, it'll pick it up anyway. This way, replication will always happen to real IPs and there is no dependency on the cluster IP for replication (it's not needed, obviously)

> I don't know if this is the problem... I can try... otherwise... the only solution that I thought of is to configure the DS on their real hostnames (nodo1 and nodo2) and then in DNS, via round robin, configure an ldap entry that points to both nodo1 and nodo2... but in this way I don't solve the IP issue!

not needed! No DNS round robin, that's lame. although if you're using DNS RR, then there is no IP issue -- you're not talking to an IP.
Alex aka Magobin
2006-Mar-28 08:58 UTC
Re: [Fedora-directory-users] SSL problem on replication!
As suggested, I checked if SSL worked... to test it I did a fresh install and I corrected the problem about the nodes; now each node uses its real address and name (I postponed the cluster configuration)... About SSL I followed the documentation and your tips exactly; according to the SSL howto in the Fedora Directory wiki, I followed it until "Importing the CA cert into another Fedora DS"... after that:

- in the console I activated SSL for my directory.
- I restarted the directory server
- In the log I can see that now slapd is listening on all interfaces on port 389 and on port 636 for LDAPS requests.

unfortunately, when I try:

ldapsearch -ZZ -h nodo1.domain.example.com -b "dc=domain,dc=example,dc=com" -s sub "objectclass=*"

the answer is:

SSL initialization failed: error -8174 (security library:bad database)

..but in the log... nothing

I tried also to erase the db and follow the link below to make it

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
--- Alex aka Magobin <magobin@gmail.com> wrote:
> As suggested, I checked if SSL worked... to test it I did a fresh install and I corrected the problem about the nodes; now each node uses its real address and name (I postponed the cluster configuration)...

Do a fresh install. Shut the server down and tarball the /opt/fedora-ds directory, stash it somewhere safe. It helped me a lot because whenever I would screw something up, I would just

rm -fr /opt/fedora-ds; tar xvf fedora.bkup.tar

and I'd have a fresh good install ready to test again. That way you don't have to go thru the whole rpm -e, rpm -Uvh, setup business.

Then run this (make sure you have noise.txt and pwdfile.txt):

run it from /opt/fedora-ds/alias :

#!/bin/sh
../shared/bin/certutil -N -d . -f pwdfile.txt
../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
../shared/bin/certutil -S -n "Server-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
echo moving key..
mv key3.db slapd-node1-key3.db
mv cert8.db slapd-node1-cert8.db
ln -s slapd-node1-key3.db key3.db
ln -s slapd-node1-cert8.db cert8.db
echo pk..
../shared/bin/pk12util -d . -P slapd-node1- -o servercert.pfx -n Server-Cert

(replace node1 with your hostname)

Then when you enable SSL, the certificate should appear in the window. Choose your server cert and then it'll all work. I had to script the above because like you, it took me about 5 tries to get it going correctly.

btw, I had to use different noise/password files for each server's cert. Not sure why, perhaps something else I was doing wrong...
Richard Megginson
2006-Mar-28 15:10 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex aka Magobin wrote:
> As suggested, I checked if SSL worked... to test it I did a fresh install and I corrected the problem about the nodes; now each node uses its real address and name (I postponed the cluster configuration)... About SSL I followed the documentation and your tips exactly; according to the SSL howto in the Fedora Directory wiki, I followed it until "Importing the CA cert into another Fedora DS"... after that:
>
> - in the console I activated SSL for my directory.
> - I restarted the directory server
> - In the log I can see that now slapd is listening on all interfaces on port 389 and on port 636 for LDAPS requests.
>
> unfortunately, when I try:
>
> ldapsearch -ZZ -h nodo1.domain.example.com -b "dc=domain,dc=example,dc=com" -s sub "objectclass=*"
>
> the answer is:
>
> SSL initialization failed: error -8174 (security library:bad database)
>

The instructions at http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients refer to /usr/bin/ldapsearch and other openldap clients (e.g. pam_ldap, nss_ldap, other system LDAP usage). We do not have instructions for using /opt/fedora-ds/shared/bin/ldapsearch with SSL (but we should). I suggest following the instructions at the link specified above and use /usr/bin/ldapsearch to test SSL.

> ..but in the log... nothing
>
> I tried also to erase the db and follow the link below to make it
>
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
>

If you want to just start over from scratch, I suggest using the setup_ssl.sh script found here - http://directory.fedora.redhat.com/wiki/Howto:SSL#Script
> If you want to just start over from scratch, I suggest using the setup_ssl.sh script found here - http://directory.fedora.redhat.com/wiki/Howto:SSL#Script
>

Today I did it too... not one error... I did it on nodo1 and, according to it, it generates a cacert.asc that I can export to nodo2... on nodo2 I run (under alias):

../shared/bin/certutil -L -d . -P slapd-nodo1- -n "CA certificate" -a > cacert.asc

...after that it imports the certificate... but if I go in the console and manage certificates... I see this certificate under CA certs and not under Server Certs... so I can't enable SSL on nodo2...

Is it the correct way?

Alex
> run it from /opt/fedora-ds/alias :
>
> #!/bin/sh
> ../shared/bin/certutil -N -d . -f pwdfile.txt
> ../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
> ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
> ../shared/bin/certutil -S -n "Server-Cert" -s "cn=server-cert" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo moving key..
> mv key3.db slapd-node1-key3.db
> mv cert8.db slapd-node1-cert8.db
> ln -s slapd-node1-key3.db key3.db
> ln -s slapd-node1-cert8.db cert8.db
> echo pk..
> ../shared/bin/pk12util -d . -P slapd-node1- -o servercert.pfx -n Server-Cert
>
> (replace node1 with your hostname)

Hi Susan... I did 3 (!!!) fresh installations and the script above is exactly what I did today... only I replaced "cn=Server-Cert" with my FQDN, according to the documentation... after that I exported the .asc to the second server (nodo2) as the doc says... so, in this way on nodo1, where I ran the script above, I can see the certificate in Server CA under console/manage certificates; on nodo2, after:

../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," -a -i cacert.asc

I can see it in console/manage certificates... only under CA certs and not under Server certs... so on nodo2 I'm not able to use the certificate for SSL encryption.

> btw, I had to use different noise/password files for each server's cert. Not sure why, perhaps something else I was doing wrong...

Uhm... what does it mean?... you run the script on each server?

Regards
Alex
Richard Megginson
2006-Mar-28 16:06 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex wrote:
>> If you want to just start over from scratch, I suggest using the setup_ssl.sh script found here - http://directory.fedora.redhat.com/wiki/Howto:SSL#Script
>>
>
> Today I did it too... not one error... I did it on nodo1 and, according to it, it generates a cacert.asc that I can export to nodo2... on nodo2 I run (under alias):
>
> ../shared/bin/certutil -L -d . -P slapd-nodo1- -n "CA certificate" -a > cacert.asc
>
> ...after that it imports the certificate... but if I go in the console and manage certificates... I see this certificate under CA certs and not under Server Certs... so I can't enable SSL on nodo2...
>

Because cacert.asc is a CA certificate, not a Server Certificate.

> Is it the correct way?
>
> Alex
--- Alex <magobin@gmail.com> wrote:
> Uhm... what does it mean?... you run the script on each server?

of course!

each server will have its own certificate. OK, you have servers A & B.

1. Fresh install, run the scripts on both servers.
1a. verify that ssl works against BOTH servers with ldapsearch -ZZ -h A & -h B
2. export B's cert to a file
3. send it to A
4. import B's cert into A's database
5. enable replication

voila.
> Because cacert.asc is a CA certificate, not a Server Certificate.

Oh, damn(/(&$"£%/$"(£&%£).... you are right... now I'm at home, but I have a VMware version of my test here and I want to try.....

Only one thing: the SSL HOWTO in the fedora wiki says:

"Exporting the CA cert for use with other apps
Now that you have your server cert, client applications will need to be able to verify that cert when connecting to the server. In order to do that, the SSL client must have the CA cert to verify that the cert presented by the SSL server is valid. This includes server to server communication such as replication. In this case, the replication supplier is the SSL client, and the consumer is the SSL server."

Thanks...

Alex
--- Alex <magobin@gmail.com> wrote:
> ...after that it imports the certificate... but if I go in the console and manage certificates... I see this certificate under CA certs and not under Server Certs... so I can't enable SSL on nodo2...
>
> Is it the correct way?

well, no. The reason why you don't see an SSL server cert on nodo2 is because you never created it!
Richard Megginson
2006-Mar-28 16:34 UTC
Re: [Fedora-directory-users] SSL problem on replication!
> well, no. The reason why you don't see an SSL server cert on nodo2 is because you never created it!
>

At this point I want to be sure that I understand correctly... 5 minutes ago I did exactly what you said in your previous post... now I have, in the window of nodo1, Server-Cert and CA certificate... so in the "Encryption tab" I checked "enable ssl for this server" and as certificate I used Server-Cert.... at this point, to enable SSL on nodo2 what exactly do I have to do?

- Export Server-Cert to nodo2
- Run the script on nodo2

...I apologize but this is the first time that I use both Fedora DS and configure SSL... and IMHO the documentation is not very clear about this point!

Thanks in advance

Alex
Richard Megginson
2006-Mar-28 17:07 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex wrote:
>> well, no. The reason why you don't see an SSL server cert on nodo2 is because you never created it!
>>
>
> At this point I want to be sure that I understand correctly... 5 minutes ago I did exactly what you said in your previous post... now I have, in the window of nodo1, Server-Cert and CA certificate... so in the "Encryption tab" I checked "enable ssl for this server" and as certificate I used Server-Cert.... at this point, to enable SSL on nodo2 what exactly do I have to do?
>
> - Export Server-Cert to nodo2
> - Run the script on nodo2
>
> ...I apologize but this is the first time that I use both Fedora DS and configure SSL... and IMHO the documentation is not very clear about this point!
>

I'm not sure, but I think what you need to do is to create another key/cert pair to have another Server Cert for your nodo2 directory server. And you are correct, this is not explicit in the documentation.

Note: You should perform these steps using your original key/cert database because you are going to use your original CA key/cert to create a new server key/cert for nodo2.

Step 1: This is the same as step 7 in the SSL HowTo - http://directory.fedora.redhat.com/wiki/Howto:SSL#Basic_Steps (with the caveat to use the FQDN in the cn of the server cert subject DN - in this case, use the FQDN of nodo2). You must use a different name (e.g. Server-Cert-nodo2 or something like that) when creating the cert.

Step 2: The DS on nodo2 needs both the key and cert that you have created, so you will need to export that information as a p12 file, e.g.

../shared/bin/pk12util -d . -P slapd-serverID- -o servercertnodo2.pfx -n Server-Cert-nodo2

Step 3: You need to import this servercertnodo2.pfx file into the key/cert db on nodo2. After copying the file to the /opt/fedora-ds/alias directory on that machine:

../shared/bin/pk12util -d . -P slapd-nodo2- -i servercertnodo2.pfx -n Server-Cert

You must specify the name as Server-Cert here in order to use the default SSL configuration.

Step 4: Import your CA cert into slapd-nodo2 - you may need to copy cacert.asc to nodo2. Then

../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," -a -i cacert.asc

> Thanks in advance
>
> Alex
--- Alex <magobin@gmail.com> wrote:
>> well, no. The reason why you don't see ssl server cert on
>> nodo2 is because you never created it!
>
> At this point i want to be sure that I understand correctly...I did 5
> minutes ago exactly what you say in your previous post...now i have in
> window of nodo1 Server-Cert and Ca certificate...so in "Encryption tab" I
> checked "enable ssl for this server" and in certificate I used
> Server-Cert....at this point, to enable ssl on nodo2 what exactly have I to
> do?
>
> -Export Server-Cert on nodo2

no, export is only for MM replication.

> -Run the script in nodo2

yes, do this only to enable SSL. THEN export.

you must run the script on BOTH servers. SSL must work correctly on BOTH servers, before any replication is possible.
> of course!
>
> each server will have its own certificate. OK, you have
> servers A & B.

Answer to richard too...

Ok, i tried..on my virtual....I run all command as you know..both in nodo1 and nodo2...
Now..both have ssl enabled....but if I try to import CA certificate from nodo1 to nodo2:

  ../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,," -a -i cacert.asc

It says:

  certutil-bin: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

Plus...as suggested from Susan I ran /usr/bin/ldapsearch -ZZ -h nodo1....
And it reports:

  ldap_start_tls: Connect error (-11)
  additional info: Start TLS request accepted.Server willing to negotiate SSL.

Alex
Richard Megginson
2006-Mar-28 18:01 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex wrote:
>> of course!
>>
>> each server will have its own certificate. OK, you have
>> servers A & B.
>
> Answer to richard too...
>
> Ok, i tried..on my virtual....I run all command as you know..both in nodo1
> and nodo2...
> Now..both have ssl enabled....but if I try to import CA certificate from
> nodo1 to nodo2 :
>
> ../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,,"
> -a -i cacert.asc
>
> It says:
>
> certutil-bin: could not obtain certificate from file: You are attempting to
> import a cert with the same issuer/serial as an existing cert, but that is
> not the same cert

The problem with using the script is that, if you run it from a completely clean install, it will create a brand new CA cert. I think the script may be able to detect if you already have a CA cert.

> Plus...as suggested from Susan I ran /usr/bin/ldapsearch -ZZ -h nodo1....
> And it reports:
>
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing
> to negotiate SSL.
>
> Alex
--- Alex <magobin@gmail.com> wrote:
>> of course!
>>
>> each server will have its own certificate. OK, you have
>> servers A & B.
>
> Answer to richard too...
>
> Ok, i tried..on my virtual....I run all command as you know..both in nodo1
> and nodo2...
> Now..both have ssl enabled....but if I try to import CA certificate from
> nodo1 to nodo2 :
>
> ../shared/bin/certutil -A -d . -P slapd-nodo2- -n "CA certificate" -t "CT,,"
> -a -i cacert.asc
>
> It says:
>
> certutil-bin: could not obtain certificate from file: You are attempting to
> import a cert with the same issuer/serial as an existing cert, but that is
> not the same cert

yea, that's what I was saying earlier. I think the problem is that identical scripts/noise/password files produce identical certs, I think. I had to change both noise & password on the 2nd server to produce a 2nd server cert which I could then import into the server A DB.
> yea, that's what I was saying earlier. I think the problem
> is that identical scripts/noise/password files produce
> identical certs, I think. I had to change both noise &
> password on the 2nd server to produce a 2nd server cert which
> I could then import into the server A DB.

Uff...it's a soap-opera :-)...so:

For SUSAN:

I tried to make a certificate from nodo2 changing both pwdfile.txt and noise.txt...importing CA certificate in nodo1 it return the same error...(same issuer/serial)...have you change only that?

For RICHARD:

I tried also to make a certificate for nodo2 from nodo1, but when I try to run Step 7 command, it return an error (same issuer/serial)

Plus..I want specify that when I said script before I intend the Susan script....that is all commands in sequence....I tried to run howto script today but with same outcome

Thanks
Alex
Richard Megginson
2006-Mar-28 19:26 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Alex wrote:
>> yea, that's what I was saying earlier. I think the problem
>> is that identical scripts/noise/password files produce
>> identical certs, I think. I had to change both noise &
>> password on the 2nd server to produce a 2nd server cert which
>> I could then import into the server A DB.
>
> Uff...it's a soap-opera :-)...so:
>
> For SUSAN:
>
> I tried to make a certificate from nodo2 changing both pwdfile.txt and
> noise.txt...importing CA certificate in nodo1 it return the same
> error...(same issuer/serial)...have you change only that?
>
> For RICHARD:
>
> I tried also to make a certificate for nodo2 from nodo1, but when I try to
> run Step 7 command, it return an error (same issuer/serial )

Ah yes - you must use a unique number for the -m argument.

> Plus..I want specify that when I said script before I intend the Susan
> script....that is all commands in sequence....I tried to run howto script
> today but with same outcome
>
> Thanks
> Alex
--- Alex <magobin@gmail.com> wrote:
>> yea, that's what I was saying earlier. I think the problem
>> is that identical scripts/noise/password files produce
>> identical certs, I think. I had to change both noise &
>> password on the 2nd server to produce a 2nd server cert which
>> I could then import into the server A DB.
>
> Uff...it's a soap-opera :-)...so:
>
> For SUSAN:
>
> I tried to make a certificate from nodo2 changing both pwdfile.txt and
> noise.txt...importing CA certificate in nodo1 it return the same
> error...(same issuer/serial)...have you change only that?

hmm.. well, I actually have two different CA certs but my understanding is that I goofed there, you don't need to have 2 different CAs, only 1 will do. 2 server certs, 1 CA cert.

at least, you've to change the cn= when you generate the server cert. THen sign both certs with the same CA cert.
> hmm.. well, I actually have two different CA certs but my
> understanding is that I goofed there, you don't need to have
> 2 different CAs, only 1 will do. 2 server certs, 1 CA cert.
>
> at least, you've to change the cn= when you generate the
> server cert. THen sign both certs with the same CA cert.

Yes...I use m fqdn for that...and I tried to sign both with the same CA and different CA

Alex
> Ah yes - you must use a unique number for the -m argument.

Ok...changing that I can make a Server CA, but when I try to import in nodo2 db....it return:

  pk12util-bin: PKCS12 decode import bags failed: error 0

Alex
Rob Crittenden
2006-Mar-28 20:33 UTC
Re: [Fedora-directory-users] SSL problem on replication!
Richard Megginson wrote:
> Alex wrote:
>
>>> yea, that's what I was saying earlier. I think the problem is that
>>> identical scripts/noise/password files produce identical certs, I
>>> think. I had to change both noise & password on the 2nd server to
>>> produce a 2nd server cert which I could then import into the server A
>>> DB.
>>
>> Uff...it's a soap-opera :-)...so:
>>
>> For SUSAN:
>>
>> I tried to make a certificate from nodo2 changing both pwdfile.txt and
>> noise.txt...importing CA certificate in nodo1 it return the same
>> error...(same issuer/serial)...have you change only that?
>>
>> For RICHARD:
>>
>> I tried also to make a certificate for nodo2 from nodo1, but when I
>> try to run Step 7 command, it return an error (same issuer/serial )
>
> Ah yes - you must use a unique number for the -m argument.

Ok, a few things.

I don't know a lot about the script(s) being used to generate the certificates, but the noise file affects only the quality of the key generated, not the certificate itself. The idea of using noise is to seed the random number generator within NSS so you get a good key.

The password file also is just a nice thing to have. You can have the same password anywhere you want, as long as your policy allows it. It also ultimately allows for unattended startup.

If I understand it, you want to issue 2 server certs using the same CA. Here is what you need to do. You can do this all on one machine if you want, then move the database. I'm going to skip the -P argument for brevity, you can rename the database later. I'm also skipping the password and noise files. The difference is that you'll be prompted a few times for your PIN and to enter a bunch of keystrokes to seed the random number generator, no big deal.

Note that I tend to use a lot of certificate extensions, so this may differ from the setupssl script. The serial number I'm using starts at 1. It doesn't really matter, as long as they are all unique.

1. Create a certificate database.

  # cd /opt/fedora-ds/alias
  # ../shared/bin/certutil -N -d .

2. Generate your self-signed CA

  # ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5

  (type in a bunch of characters)

  You will answer:
    5 - Cert signing key
    9 - finish
    n - not a critical extension
    y - yes CA cert
    10 - path length
    y - critical extension
    5 - SSL CA
    6 - SSL S/MIME CA
    7 - Object Signing CA
    9 - finish
    n - not a critical extension

3. Generate server key and certificate for server #1

  # ../shared/bin/certutil -R -d . -s 'CN=hostname.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024
  # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 120 -1 -5

  You will answer:
    2 - Key encipherment
    9 - finish
    n - not a critical extension
    1 - SSL server
    9 - finish
    n - not a critical extension

4. Import the server certificate

  # ../shared/bin/certutil -A -d . -n "host.example.com" -t u,u,u -i tmpcert.der
  # rm tmpcert.der
  # rm tmpcertreq

5. Generate server key and certificate for server #2

  # ../shared/bin/certutil -R -d . -s 'CN=hostname2.example.com,ou=Fedora Directory Server' -o tmpcertreq -g 1024
  # ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 120 -1 -5

  You will answer:
    2 - Key encipherment
    9 - finish
    n - not a critical extension
    1 - SSL server
    9 - finish
    n - not a critical extension

6. Import the server certificate

  # ../shared/bin/certutil -A -d . -n "host2.example.com" -t u,u,u -i tmpcert.der
  # rm tmpcert.der
  # rm tmpcertreq

7. List your certs:

  # ../shared/bin/certutil -L -d .
  CA certificate       CTu,Cu,Cu
  host.example.com     u,u,u
  host2.example.com    u,u,u

8. Verify your certificates just to be sure:

  # ../shared/bin/certutil -V -u V -d . -n host.example.com
  certutil-bin: certificate is valid
  # ../shared/bin/certutil -V -u V -d . -n host2.example.com
  certutil-bin: certificate is valid

Now you have one certificate database with a self-signed CA and 2 server certificates. Now just copy this database to server #2.

If you want you can remove the extra server cert from each of the database, so on server #1 you would do:

  # ../shared/bin/certutil -D -d . -n "host2.example.com"

And on server #2 you would do:

  # ../shared/bin/certutil -D -d . -n "host.example.com"

Now you can rename the database with your prefix and away you go.

Create a pin file if you want.

And finally, double check the file permissions! The database(s) need to be owned by the user that the server runs as and permissions should be 600.

Hope this helps.

rob
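Both procedures above (Richard's pk12util/certutil steps and Rob's certutil walkthrough) hinge on two NSS rules that Alex hit in turn: NSS indexes certificates by issuer plus serial, so two different certs issued with the same -m collide ("same issuer/serial as an existing cert"), and a server cert only verifies when its issuing CA is present in the db (the NSPR -8179 "issuer is not recognized" error from the first post). The script below is an added example written for this page, not code from the thread or from Fedora Directory Server; it uses only the Python standard library. Pass check_db a dict of nickname to PEM or DER bytes (PEM as exported with certutil -L -d . -n <nickname> -a). The toy_cert helper and the CA_CERT, NODO1_CERT, NODO2_CERT and NODO2_DUP values are constructed, unsigned certificate skeletons used purely as sample input. One caveat on Rob's shortcut of copying the whole database to server #2: key3.db then carries the CA's private key and both servers' private keys on both hosts, and certutil -D removes only a certificate, not its key (that is certutil -F), so the checker deliberately looks at public certificate fields only.

```python
"""Check certificates for the two NSS failures seen in this thread (added example,
pure stdlib): two different certs with the same issuer+serial (certutil refuses
the import), and a server cert whose issuing CA is absent (NSPR -8179)."""
import base64
import re

ATTR_OIDS = {"550403": "CN", "550406": "C", "55040a": "O", "55040b": "OU"}


def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def name_to_str(name):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'CN=...,O=...'."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{ATTR_OIDS.get(oid.hex(), oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)


def parse_cert(data):
    """Return {'serial', 'issuer', 'subject'} from a PEM or DER X.509 certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", data).split()))
    _, cert, _ = der_tlv(data)                         # Certificate ::= SEQUENCE {tbs, alg, sig}
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0               # skip explicit [0] version when present
    return {"serial": int.from_bytes(fields[i][1], "big", signed=True),
            "issuer": name_to_str(fields[i + 2][1]),   # after serialNumber, signature AlgId
            "subject": name_to_str(fields[i + 4][1])}  # after validity


def check_db(certs):
    """certs: {nickname: PEM/DER bytes}. Return a list of problems, empty when consistent."""
    parsed = {nick: parse_cert(raw) for nick, raw in certs.items()}
    problems, seen = [], {}
    for nick, c in parsed.items():                     # NSS indexes certs by (issuer, serial)
        key = (c["issuer"], c["serial"])
        if key in seen:
            problems.append(f"{nick} and {seen[key]} share issuer/serial {key}: re-issue one with a unique -m")
        seen.setdefault(key, nick)
    cas = {c["subject"] for c in parsed.values() if c["subject"] == c["issuer"]}
    for nick, c in parsed.items():                     # leaf whose issuer is missing -> -8179 at startup
        if c["subject"] != c["issuer"] and c["issuer"] not in cas:
            problems.append(f"{nick}: issuer {c['issuer']} not in db; import the CA cert with certutil -A -t 'CT,,'")
    return problems


# --- constructed sample input: unsigned certificate skeletons with the fields parse_cert reads ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))))


def toy_cert(serial, issuer_cn, subject_cn):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"060328000000Z") + _tlv(0x17, b"160328000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))                                         # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
               + alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))                                   # placeholder signature


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


CA_CERT = toy_cert(1, "CAcert", "CAcert")                        # -m 1, self-signed
NODO1_CERT = toy_cert(3, "CAcert", "nodo1.domain.example.com")   # -m 3
NODO2_CERT = toy_cert(4, "CAcert", "nodo2.domain.example.com")   # -m 4
NODO2_DUP = toy_cert(3, "CAcert", "nodo2.domain.example.com")    # -m 3 reused: collides with nodo1

if __name__ == "__main__":
    print(check_db({"CA certificate": CA_CERT, "Server-Cert": NODO1_CERT, "Server-Cert-nodo2": NODO2_CERT}))
    print(check_db({"CA certificate": CA_CERT, "Server-Cert": NODO1_CERT, "Server-Cert-nodo2": NODO2_DUP}))
    print(check_db({"Server-Cert": to_pem(NODO1_CERT)}))
```

The first call reports nothing (one CA, two server certs with distinct serials, which is what Rob's -m 1/3/4 produces); the second reproduces Alex's "same issuer/serial" situation; the third is a db with a server cert but no CA, the state nodo2 was in at the start of the thread. The parser only reads serial, issuer and subject, so it runs on real exported certificates as well as on the constructed ones.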
Alex aka Magobin
2006-Mar-29 08:28 UTC
Re: [Fedora-directory-users] SSL problem on replication!...SOLVED !
> Now you can rename the database with your prefix and away you go.
>
> Create a pin file if you want.
>
> And finally, double check the file permissions! The database(s) need to
> be owned by the user that the server runs as and permissions should be
> 600.
>
> Hope this helps.
>
> rob

Thanks Rob...following your instruction now is possible to use ssl...
IMHO...your post must begin a Faq or an Howto to configure basically ssl

Thanks to Richard and Susan for patience and tips too :-)...I don't know why it doesn't work with your method...(exactly the same way as in doc)

LAST CURIOSITY:

Now works and I can make a replication with mmr.pl script...everything works...but in "Replication Status"..in console.. I can see consumer and supplier.

This is from nodo1:

  Consumer: nodo1.domain.example.com:636
  Supplier: nodo2.domain.example.com:389

This is from nodo2:

  Consumer: nodo2.domain.example.com:636
  Supplier: nodo1.domain.example.com:389

..is it correct port 389 in Supplier?....repeat...everything works...but I want to be sure that this replication is in encrypt mode!..in log no one error

Thanks to all 4 patience and helps

Alex
Susan
2006-Mar-29 15:11 UTC
Re: [Fedora-directory-users] SSL problem on replication!...SOLVED !
> This is from nodo1:
>
> Consumer: nodo1.domain.example.com:636
> Supplier: nodo2.domain.example.com:389
>
> This is from nodo2:
>
> Consumer: nodo2.domain.example.com:636
> Supplier: nodo1.domain.example.com:389

I don't think this is a problem. As long as it arrives to a consumer on an encrypted port, you're fine.

Still, I once had a case where everything looked right but once i sniffed the traffic, I could see people's info in cleartext. Turned out I made a mistake during early config. You must sniff the traffic to make sure you can't read anything.
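Susan's advice to sniff the wire is the right final check, and Alex's question about the :389 supplier entry is exactly the situation where the console looks fine but only a capture settles it. The script below is an added example for this page (not from the thread or from Fedora Directory Server, standard library only). Give it the TCP payloads of one captured LDAP connection, in order, and it reports whether the connection was LDAPS from the first byte (what a consumer on :636 should look like), a StartTLS upgrade on :389 (the path ldapsearch -ZZ takes earlier in the thread), or cleartext, and for cleartext LDAP messages it lists the strings a sniffer would read. The BIND_CLEAR, STARTTLS_REQ, STARTTLS_RESP, CLIENT_HELLO and APP_DATA payloads are constructed samples; the replication bind DN and password inside them are made up.

```python
"""Classify the payloads of one captured LDAP connection: encrypted or not?
Added example, standard library only. Sample payloads at the bottom are constructed."""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def is_tls_record(data):
    """TLS record header: content type 20-23, version 3.x, plausible record length."""
    if len(data) < 5:
        return False
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return ctype in (20, 21, 22, 23) and major == 3 and minor <= 4 and 1 <= length <= 16384 + 2048


def classify_payload(data):
    """'tls', 'ldap-starttls' (StartTLS request/response), 'ldap-cleartext' or 'unknown'."""
    if is_tls_record(data):
        return "tls"
    if data[:1] == b"\x30":                       # every LDAPMessage is a BER SEQUENCE
        return "ldap-starttls" if STARTTLS_OID in data else "ldap-cleartext"
    return "unknown"


def printable_strings(data, min_len=4):
    """What `strings` would show: runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":                      # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def audit_connection(payloads):
    """Return (verdict, leaked): verdict for the whole connection, and strings readable in cleartext LDAP."""
    kinds = [classify_payload(p) for p in payloads]
    leaked = [s for p, k in zip(payloads, kinds) if k == "ldap-cleartext" for s in printable_strings(p)]
    first_tls = next((i for i, k in enumerate(kinds) if k == "tls"), None)
    if first_tls is None:
        return ("starttls-never-upgraded" if "ldap-starttls" in kinds else "cleartext"), leaked
    if first_tls == 0 and all(k == "tls" for k in kinds):
        return "ldaps-encrypted", leaked           # what a consumer on :636 should look like
    if all(k == "ldap-starttls" for k in kinds[:first_tls]) and all(k == "tls" for k in kinds[first_tls:]):
        return "starttls-encrypted", leaked        # StartTLS on :389: plaintext request, then TLS only
    return "cleartext-mixed", leaked               # plaintext LDAP after TLS was up: something is wrong


# --- constructed sample payloads (values are short, so single-byte BER lengths suffice) ---
def ber(tag, body):
    return bytes([tag, len(body)]) + body

# simple BindRequest: messageID 1, version 3, bind DN, password in [0] simple (made-up credentials)
BIND_CLEAR = ber(0x30, ber(0x02, b"\x01") + ber(0x60, ber(0x02, b"\x03")
                 + ber(0x04, b"cn=replmgr,cn=config") + ber(0x80, b"secret")))
STARTTLS_REQ = ber(0x30, ber(0x02, b"\x01") + ber(0x77, ber(0x80, STARTTLS_OID)))
STARTTLS_RESP = ber(0x30, ber(0x02, b"\x01") + ber(0x78, ber(0x0A, b"\x00") + ber(0x04, b"")
                    + ber(0x04, b"") + ber(0x8A, STARTTLS_OID)))
CLIENT_HELLO = b"\x16\x03\x01\x00\x2a" + b"\x01\x00\x00\x26\x03\x03" + b"\x00" * 36   # handshake record
APP_DATA = b"\x17\x03\x03\x00\x10" + b"\x5a" * 16                                    # application data

if __name__ == "__main__":
    for label, conn in [("ldaps :636", [CLIENT_HELLO, APP_DATA, APP_DATA]),
                        ("starttls :389", [STARTTLS_REQ, STARTTLS_RESP, CLIENT_HELLO, APP_DATA]),
                        ("plain :389", [BIND_CLEAR]),
                        ("failed upgrade", [STARTTLS_REQ, STARTTLS_RESP, BIND_CLEAR])]:
        print(label, audit_connection(conn))
```

Extracting the payloads from a capture is left to whatever sniffer you use: take the TCP payload bytes of the replication connection on the consumer side (port 636 or 389) in order and pass them in. A verdict of starttls-never-upgraded with leaked strings is the failure mode where a client keeps talking plaintext after the StartTLS response; cleartext-mixed means plaintext LDAP appeared after TLS was already up on the same connection, which should never happen.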
Alex
2006-Mar-29 16:03 UTC
RE: [Fedora-directory-users] SSL problem on replication!...SOLVED !
> Still, I once had a case where everything looked right but
> once i sniffed the traffic, I could see people's info in
> cleartext. Turned out I made a mistake during early config.
> You must sniff the traffic to make sure you can't read anything.

This is my care....ok...I'll try to sniff traffic between server and client (of course...as soon as I'll configure at least one :-)

Thanks Susan for your support ...now I have to study how to configure postfix to have authentication client from Fedora DS, but this is another story :-)

Alex