Victor Hugo dos Santos
2007-Oct-03 15:20 UTC
[Fedora-directory-users] problem with SSL and load balance
Hello List, I have the same problem that Alex Aka in Apr 2006 http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html I have two FDS (fds1 and fds2) in MMR in the DNS I create this machines fds1 IN A 10.0.0.11 fds2 IN A 10.0.0.12 fds IN A 10.0.0.11 fds IN A 10.0.0.12 in the clients, I configure the ldap.conf with this parameters: BASE dc=mydomain,dc=com URI ldap://fds.mydomain.com this configuration work very,very fine !!!! exist replication between servers and fault tolerance in the clients.. but i enable SSL in server and in the clients (ldap.conf) BASE dc=mydomain,dc=com URI ldaps://fds.mydomain.com TLS_CACERT /etc/ssl/certs/cacert.org.pem TLS_REQCERT allow and "no" work !!! :-( i receive this error: ldap_bind: Can''t contact LDAP server (-1) additional info: TLS: hostname does not match CN in peer certificate this problem, is derivate that i configured the servers with one certificate and distinct CN for independent serves (fds1 and fds2)... if I config one same certificate with same CN (fds) for both nodes (fds1 and fds2).. work fine in the clients, but the replication dont work !!! :-( obs.: my certificates is sign in http://cacert.org any idea or suggestion ??? thanks -- -- Victor Hugo dos Santos Linux Counter #224399
Ivan Ferreira
2007-Oct-03 15:27 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
You must have one certificate for each server, the problem here is the DNS RR. I don''t like DNS load balancing because it cannot detect service failures, for example, you have in your client configuration files: URI ldap://fds.mydomain.com This works fine if both servers are up, but if one server goes down, some clients won''t be able to contact the LDAP server ramdomly. It would be better to configure both ldap servers in the client configuration files, and place in different order, or configure a LVS. Cheers. Para "General discussion list for the Fedora Directory server "Victor Hugo dos Santos" project." <listas.vhs@gmail.com> <fedora-directory-users@redhat.c Enviado por: om> fedora-directory-users-b cc ounces@redhat.com Asunto 03/10/2007 11:20 a.m. [Fedora-directory-users] problem with SSL and load balance Clasificación Uso Interno Por favor, responda a "General discussion list for the Fedora Directory server project." <fedora-directory-users@ redhat.com> Hello List, I have the same problem that Alex Aka in Apr 2006 http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html I have two FDS (fds1 and fds2) in MMR in the DNS I create this machines fds1 IN A 10.0.0.11 fds2 IN A 10.0.0.12 fds IN A 10.0.0.11 fds IN A 10.0.0.12 in the clients, I configure the ldap.conf with this parameters: BASE dc=mydomain,dc=com URI ldap://fds.mydomain.com this configuration work very,very fine !!!! exist replication between servers and fault tolerance in the clients.. but i enable SSL in server and in the clients (ldap.conf) BASE dc=mydomain,dc=com URI ldaps://fds.mydomain.com TLS_CACERT /etc/ssl/certs/cacert.org.pem TLS_REQCERT allow and "no" work !!! :-( i receive this error: ldap_bind: Can''t contact LDAP server (-1) additional info: TLS: hostname does not match CN in peer certificate this problem, is derivate that i configured the servers with one certificate and distinct CN for independent serves (fds1 and fds2)... if I config one same certificate with same CN (fds) for both nodes (fds1 and fds2).. work fine in the clients, but the replication dont work !!! :-( obs.: my certificates is sign in http://cacert.org any idea or suggestion ??? thanks -- -- Victor Hugo dos Santos Linux Counter #224399 -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users =======================================================================================AVISO LEGAL: Esta información es privada y confidencial y está dirigida únicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha información por favor elimine el mensaje. La distribución o copia de este mensaje está estrictamente prohibida. Esta comunicación es sólo para propósitos de información y no debe ser considerada como propuesta, aceptación ni como una declaración de voluntad oficial de NUCLEO S.A. La transmisión de e-mails no garantiza que el correo electrónico sea seguro o libre de error. Por consiguiente, no manifestamos que esta información sea completa o precisa. Toda información está sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
Enrico M. V. Fasanelli
2007-Oct-03 17:49 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
Hi Victor, have you tried with a certificate that contains the alternate name of the server? Something like X509v3 Subject Alternative Name: DNS:fds.mydomain.com, DNS:fds1.mydomain.com Ciao, Enrico Victor Hugo dos Santos wrote:> Hello List, > > I have the same problem that Alex Aka in Apr 2006 > http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html > > I have two FDS (fds1 and fds2) in MMR > > in the DNS I create this machines > > fds1 IN A 10.0.0.11 > fds2 IN A 10.0.0.12 > fds IN A 10.0.0.11 > fds IN A 10.0.0.12 > > in the clients, I configure the ldap.conf with this parameters: > > BASE dc=mydomain,dc=com > URI ldap://fds.mydomain.com > > this configuration work very,very fine !!!! exist replication between > servers and fault tolerance in the clients.. but i enable SSL in > server and in the clients (ldap.conf) > > > BASE dc=mydomain,dc=com > URI ldaps://fds.mydomain.com > TLS_CACERT /etc/ssl/certs/cacert.org.pem > TLS_REQCERT allow > > and "no" work !!! :-( i receive this error: > > ldap_bind: Can''t contact LDAP server (-1) > > additional info: TLS: hostname does not match CN in peer certificate > > this problem, is derivate that i configured the servers with one > certificate and distinct CN for independent serves (fds1 and fds2)... > > if I config one same certificate with same CN (fds) for both nodes > (fds1 and fds2).. work fine in the clients, but the replication dont > work !!! :-( > > obs.: my certificates is sign in http://cacert.org > > any idea or suggestion ??? > > thanks > >-- Pochi conoscono cio'' che ha veramente scoperto Einstein: quando mangiamo spaghetti, in effetti stiamo masticando un concentrato di Spazio-Tempo. (Antonino Zichichi)
Richard Hesse
2007-Oct-03 19:17 UTC
RE: [Fedora-directory-users] problem with SSL and load balance
Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off. -richard -----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Victor Hugo dos Santos Sent: Wednesday, October 03, 2007 8:20 AM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] problem with SSL and load balance Hello List, I have the same problem that Alex Aka in Apr 2006 http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html I have two FDS (fds1 and fds2) in MMR in the DNS I create this machines fds1 IN A 10.0.0.11 fds2 IN A 10.0.0.12 fds IN A 10.0.0.11 fds IN A 10.0.0.12 in the clients, I configure the ldap.conf with this parameters: BASE dc=mydomain,dc=com URI ldap://fds.mydomain.com this configuration work very,very fine !!!! exist replication between servers and fault tolerance in the clients.. but i enable SSL in server and in the clients (ldap.conf) BASE dc=mydomain,dc=com URI ldaps://fds.mydomain.com TLS_CACERT /etc/ssl/certs/cacert.org.pem TLS_REQCERT allow and "no" work !!! :-( i receive this error: ldap_bind: Can''t contact LDAP server (-1) additional info: TLS: hostname does not match CN in peer certificate this problem, is derivate that i configured the servers with one certificate and distinct CN for independent serves (fds1 and fds2)... if I config one same certificate with same CN (fds) for both nodes (fds1 and fds2).. work fine in the clients, but the replication dont work !!! :-( obs.: my certificates is sign in http://cacert.org any idea or suggestion ??? thanks -- -- Victor Hugo dos Santos Linux Counter #224399 -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Jazcek Braden
2007-Oct-03 19:31 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
Wildcard certs definitely work, that is the way that I have my load balanced installation setup. However if you are trying to use self-signed certificates I think you have to make sure to setup the trust chain, but I am not sure. -- Jazcek Braden Richard Hesse wrote:> Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off. > > -richard > > -----Original Message----- > From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Victor Hugo dos Santos > Sent: Wednesday, October 03, 2007 8:20 AM > To: General discussion list for the Fedora Directory server project. > Subject: [Fedora-directory-users] problem with SSL and load balance > > Hello List, > > I have the same problem that Alex Aka in Apr 2006 > http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html > > I have two FDS (fds1 and fds2) in MMR > > in the DNS I create this machines > > fds1 IN A 10.0.0.11 > fds2 IN A 10.0.0.12 > fds IN A 10.0.0.11 > fds IN A 10.0.0.12 > > in the clients, I configure the ldap.conf with this parameters: > > BASE dc=mydomain,dc=com > URI ldap://fds.mydomain.com > > this configuration work very,very fine !!!! exist replication between > servers and fault tolerance in the clients.. but i enable SSL in > server and in the clients (ldap.conf) > > > BASE dc=mydomain,dc=com > URI ldaps://fds.mydomain.com > TLS_CACERT /etc/ssl/certs/cacert.org.pem > TLS_REQCERT allow > > and "no" work !!! :-( i receive this error: > > ldap_bind: Can''t contact LDAP server (-1) > > additional info: TLS: hostname does not match CN in peer certificate > > this problem, is derivate that i configured the servers with one > certificate and distinct CN for independent serves (fds1 and fds2)... > > if I config one same certificate with same CN (fds) for both nodes > (fds1 and fds2).. work fine in the clients, but the replication dont > work !!! :-( > > obs.: my certificates is sign in http://cacert.org > > any idea or suggestion ??? > > thanks > > > -- > -- > Victor Hugo dos Santos > Linux Counter #224399 > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Marc Sauton
2007-Oct-03 20:36 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
Just for info, there was a good contribution in http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name M. Enrico M. V. Fasanelli wrote:> Hi Victor, > > have you tried with a certificate that contains the alternate name of > the server? > > Something like > X509v3 Subject Alternative Name: DNS:fds.mydomain.com, > DNS:fds1.mydomain.com > > > Ciao, > Enrico > > Victor Hugo dos Santos wrote: >> Hello List, >> >> I have the same problem that Alex Aka in Apr 2006 >> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html >> >> >> I have two FDS (fds1 and fds2) in MMR >> >> in the DNS I create this machines >> >> fds1 IN A 10.0.0.11 >> fds2 IN A 10.0.0.12 >> fds IN A 10.0.0.11 >> fds IN A 10.0.0.12 >> >> in the clients, I configure the ldap.conf with this parameters: >> >> BASE dc=mydomain,dc=com >> URI ldap://fds.mydomain.com >> >> this configuration work very,very fine !!!! exist replication between >> servers and fault tolerance in the clients.. but i enable SSL in >> server and in the clients (ldap.conf) >> >> >> BASE dc=mydomain,dc=com >> URI ldaps://fds.mydomain.com >> TLS_CACERT /etc/ssl/certs/cacert.org.pem >> TLS_REQCERT allow >> >> and "no" work !!! :-( i receive this error: >> >> ldap_bind: Can''t contact LDAP server (-1) >> >> additional info: TLS: hostname does not match CN in peer certificate >> >> this problem, is derivate that i configured the servers with one >> certificate and distinct CN for independent serves (fds1 and fds2)... >> >> if I config one same certificate with same CN (fds) for both nodes >> (fds1 and fds2).. work fine in the clients, but the replication dont >> work !!! :-( >> >> obs.: my certificates is sign in http://cacert.org >> >> any idea or suggestion ??? >> >> thanks >> >> > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
Marc Sauton
2007-Oct-03 20:37 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
See http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS M. Jazcek Braden wrote:> Wildcard certs definitely work, that is the way that I have my load > balanced installation setup. However if you are trying to use > self-signed certificates I think you have to make sure to setup the > trust chain, but I am not sure. >
Victor Hugo dos Santos
2007-Oct-05 16:56 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
2007/10/3, Enrico M. V. Fasanelli <Enrico.M.V.Fasanelli@le.infn.it>:> Hi Victor, > > have you tried with a certificate that contains the alternate name of > the server? > > Something like > X509v3 Subject Alternative Name: DNS:fds.mydomain.com, > DNS:fds1.mydomain.comyes .... apparent that Subject Alternative Name (SubjectAltName) is the best solution for this problem !!!! but, i have one other problem !!! :-) my certificates (all) is signed for cacert.org .. and in the Certificate Wizard in the DS Console, I don''t look one field for SubjectAltName.. and in ShowDN option I write: CN="fds.multi.com",SubjectAltName=""DNS:fds.multi.com"",SubjectAltName=""DNS:fds2.multi.com"" /CN="fds.multi.com"/SubjectAltName=""DNS:fds.multi.com""/SubjectAltName=""DNS:fds2.multi.com""/ and others, but in the step 4/4 I receive this error: ------------------------------------------------------- Unable to convert DN to certificate name. -----BEGIN NEW CERTIFICATE REQUEST----- ------------------------------------------------------- in the internet i read various howtos, manual and others that show how usage the certuil for create certificates with SubjectAltName, but it alone work with/for self-signed certificates !!! http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name and I run this command: openssl genrsa -out slapd-fds2-key3.db 2048 openssl req -new -key slapd-fds2-key3.db -out vhs.csr -subj ''CN=fds.multi.com/subjectAltName=DNS:fds.multi.com/subjectAltName=DNS:fds2.multi.com'' and work fine... i get one certificate request with all fields and send for my CA (cacert.org) and I receive the certificate signed with all fields, but i dont how install it for CLI !!! for the wizard I receive one other error "this key not found - this certificate is generate in the server ???" any solution ??? -- -- Victor Hugo dos Santos Linux Counter #224399
Victor Hugo dos Santos
2007-Oct-05 19:58 UTC
Re: [Fedora-directory-users] problem with SSL and load balance
2007/10/5, Victor Hugo dos Santos <listas.vhs@gmail.com>:> 2007/10/3, Enrico M. V. Fasanelli <Enrico.M.V.Fasanelli@le.infn.it>: > > Hi Victor,[...]> openssl genrsa -out slapd-fds2-key3.db 2048 > openssl req -new -key slapd-fds2-key3.db -out vhs.csr -subj > ''CN=fds.multi.com/subjectAltName=DNS:fds.multi.com/subjectAltName=DNS:fds2.multi.com'' > > and work fine... i get one certificate request with all fields and > send for my CA (cacert.org) and I receive the certificate signed with > all fields, but i dont how install it for CLI !!! for the wizard I > receive one other error "this key not found - this certificate is > generate in the server ???" > > any solution ???ok.. ok.. two coffees and one minutes of relax... I re-read the manual of certutil http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html and run this commands: certutil -R -d . -P slapd-fds2- -s CN=fds2.multi.com -o cert.req -a -8 fds.multi.com,fds2.multi.com,ldap.multi.com I send the cert.req file for cacert.org and I receive the signed certificate signed and work fine !!!:-) my problem(s) is: - unknown the function of option "-p", where "slapd-fds2-" is the name of instance - the option "-8".. I think that the others names (fds.multi.com, fds2.multi.com, ldap.multi.com) they went in the subject (option -s).. but no !!! this parameters went for separate.. and is the principal problem (for my). bye -- -- Victor Hugo dos Santos Linux Counter #224399