I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.

However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.

[24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
[24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.

Any thoughts?
John A. Sullivan III
2009-Jun-24 16:52 UTC
Re: [389-users] Trouble using self signed certificates.
On Wed, 2009-06-24 at 09:32 -0700, Dumbo Q wrote:
> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Any thoughts?
<snip>

I believe you'll find the way we did it in several of my recent posts. You'll need to configure the rest of the SSL portions of ldap.conf. In particular, you will need to tell it where to find the CA cert. I believe we stuck ours in /etc/pki/tls/certs/ and pointed the tlscertfile (?) parameter to it. Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Jean-Noel Chardron
2009-Jun-24 16:55 UTC
Re: [389-users] Trouble using self signed certificates.
Dumbo Q wrote:
> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Any thoughts?

I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:

    TLS_CACERT <filename>
        Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.

    TLS_CACERTDIR <path>
        Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.

> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
David Christensen
2009-Jun-24 17:00 UTC
Re: [389-users] Trouble using self signed certificates.
Jean-Noel Chardron wrote:
> Dumbo Q wrote:
>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> Any thoughts?
>
> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:
>
>     TLS_CACERT <filename>
>         Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.
>
>     TLS_CACERTDIR <path>
>         Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.

I was having a similar issue yesterday, everything worked until I appended more than one CA to the file in /etc/openldap/cacerts, then it kept failing until I limited it to one CA. Are you using a single CA?
Jean-Noel Chardron
2009-Jun-24 17:06 UTC
Re: [389-users] Trouble using self signed certificates.
Jean-Noel Chardron wrote:
> Dumbo Q wrote:
>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> Any thoughts?
>
> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:
>
>     TLS_CACERT <filename>
>         Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.
>
>     TLS_CACERTDIR <path>
>         Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.

Or maybe, to test the connection, you can skip the check of the certificate (as I discovered in the man page) with the option:

    TLS_REQCERT allow
Jean-Noel Chardron
2009-Jun-24 17:19 UTC
Re: [389-users] Trouble using self signed certificates.
David Christensen wrote:
> I was having a similar issue yesterday, everything worked until I appended more than one CA to the file in /etc/openldap/cacerts, then it kept failing until I limited it to one CA. Are you using a single CA?

The client authenticates to a server with a single authority, so why try to install two or more? Otherwise you must use one file per CA in the directory, unless you mean a CA chain.
David Christensen
2009-Jun-24 17:56 UTC
Re: [389-users] Trouble using self signed certificates.
Jean-Noel Chardron wrote:
> David Christensen wrote:
>> I was having a similar issue yesterday, everything worked until I appended more than one CA to the file in /etc/openldap/cacerts, then it kept failing until I limited it to one CA. Are you using a single CA?
>
> The client authenticates to a server with a single authority, so why try to install two or more? Otherwise you must use one file per CA in the directory, unless you mean a CA chain.

I have two directory servers in a multimaster config using round robin DNS so I need clients to be able to authenticate to both servers since it will be random. It hasn't worked for me yet, but that is where I am trying to get.
John A. Sullivan III
2009-Jun-24 18:32 UTC
Re: [389-users] Trouble using self signed certificates.
On Wed, 2009-06-24 at 12:56 -0500, David Christensen wrote:
> Jean-Noel Chardron wrote:
>> David Christensen wrote:
>>> I was having a similar issue yesterday, everything worked until I appended more than one CA to the file in /etc/openldap/cacerts, then it kept failing until I limited it to one CA. Are you using a single CA?
>>
>> The client authenticates to a server with a single authority, so why try to install two or more? Otherwise you must use one file per CA in the directory, unless you mean a CA chain.
>
> I have two directory servers in a multimaster config using round robin DNS so I need clients to be able to authenticate to both servers since it will be random. It hasn't worked for me yet, but that is where I am trying to get.
<snip>

That's exactly how we're set up (except we are not multi-master) and it is working fine. However, one only needs the CA cert in the cacertfile for it to work. For example, I have two DNS entries for ldap.mycompany.com which point to my two replicas. Each replica has a cert with ldap{1,2}.mycompany.com for the cn and that value as well as ldap.mycompany.com as DNS entries in the subjAltName. tls_cacertfile points to a single CA cert file (although I thought it supported concatenated certs) containing the cert for the CA which issued the ldap replica certs and keys. Hope this helps - John
John A. Sullivan III
2009-Jun-24 18:35 UTC
Re: [389-users] Trouble using self signed certificates.
On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
> Dumbo Q wrote:
>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> Any thoughts?
>
> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:
>
>     TLS_CACERT <filename>
>         Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.
>
>     TLS_CACERTDIR <path>
>         Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.
<snip>

I think these may be the wrong variables. If I recall correctly, those variables are for /etc/openldap/ldap.conf and control openldap (and openldap related queries). pam uses /etc/ldap.conf. I believe the variables are set like this:

    ssl start_tls
    tls_checkpeer yes
    tls_cacertfile /usr/share/ca-certificates/CA.pem

or whatever the path happens to be. Again, I'm not an expert - just sharing what we did that worked - John
Rich Megginson
2009-Jun-24 18:48 UTC
Re: [389-users] Trouble using self signed certificates.
John A. Sullivan III wrote:
> On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
>> Dumbo Q wrote:
>>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>>
>>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>>
>>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> Any thoughts?
>>
>> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:
>>
>>     TLS_CACERT <filename>
>>         Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.
>>
>>     TLS_CACERTDIR <path>
>>         Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.
>>> <snip>
>
> I think these may be the wrong variables. If I recall correctly, those variables are for /etc/openldap/ldap.conf and control openldap (and openldap related queries). pam uses /etc/ldap.conf.

Do "man nss_ldap" to see the configuration variables for /etc/ldap.conf - they are similar enough to /etc/openldap/ldap.conf to cause confusion.

> I believe the variables are set like this:
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertfile /usr/share/ca-certificates/CA.pem
>
> or whatever the path happens to be. Again, I'm not an expert - just sharing what we did that worked - John
I got it. I got it working with SSL. Good enough. This is what is needed to get it to work:

    ssl on
    tls_cacertfile /etc/pki/tls/certs/cacert.org-root.txt
    uri ldaps://rhds.example.com:636/

I removed the cacert from the ca-bundle.crt file.

________________________________
From: Rich Megginson <rmeggins@redhat.com>
To: General discussion list for the 389 Directory server project. <fedora-directory-users@redhat.com>
Sent: Wednesday, June 24, 2009 2:48:43 PM
Subject: Re: [389-users] Trouble using self signed certificates.

John A. Sullivan III wrote:
> On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
>> Dumbo Q wrote:
>>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>>
>>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>>
>>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> Any thoughts?
>>
>> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:
>>
>>     TLS_CACERT <filename>
>>         Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.
>>
>>     TLS_CACERTDIR <path>
>>         Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.
>>> <snip>
>
> I think these may be the wrong variables. If I recall correctly, those variables are for /etc/openldap/ldap.conf and control openldap (and openldap related queries). pam uses /etc/ldap.conf.

Do "man nss_ldap" to see the configuration variables for /etc/ldap.conf - they are similar enough to /etc/openldap/ldap.conf to cause confusion.

> I believe the variables are set like this:
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertfile /usr/share/ca-certificates/CA.pem
>
> or whatever the path happens to be. Again, I'm not an expert - just sharing what we did that worked - John
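An added check for the nss_ldap-style /etc/ldap.conf settings this thread settles on (example code written for this page, not from the list or the 389 project): it parses the file, flags the OpenLDAP-only directives the thread says are read from /etc/openldap/ldap.conf instead, flags disabled peer checking, and counts the certificates in tls_cacertfile, since the thread reports failures with more than one concatenated CA. The sample configurations and the PEM body are constructed placeholders, and the CA file contents are passed in as text so the check runs offline.

```python
import re

# Directives the thread says belong to OpenLDAP's /etc/openldap/ldap.conf, not to
# the nss_ldap/pam_ldap /etc/ldap.conf, which reads tls_cacertfile instead.
OPENLDAP_ONLY = {"tls_cacert", "tls_cacertdir", "tls_reqcert"}
# One PEM certificate block; re.S lets the base64 body span lines.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_ldap_conf(text):
    """Map lowercased directive -> value from 'key value' lines; skips blanks
    and '#' comments, a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def count_ca_certs(pem_text):
    """Number of PEM CERTIFICATE blocks in a tls_cacertfile."""
    return len(PEM_CERT.findall(pem_text))

def lint_ldap_conf(conf_text, cacert_pem=None):
    """Return findings; an empty list means the settings match the working
    config from the thread: ldaps:// (or ssl on/start_tls), peer checking on,
    and a tls_cacertfile holding a single CA certificate."""
    conf = parse_ldap_conf(conf_text)
    findings = []
    uri, ssl_mode = conf.get("uri", "").lower(), conf.get("ssl", "off").lower()
    if not uri.startswith("ldaps://") and ssl_mode not in ("on", "start_tls"):
        findings.append("cleartext LDAP: uri is not ldaps:// and ssl is not on/start_tls")
    if conf.get("tls_checkpeer", "yes").lower() in ("no", "off", "false"):
        findings.append("tls_checkpeer is off: the server certificate is not verified")
    for key in sorted(OPENLDAP_ONLY.intersection(conf)):
        findings.append(f"{key} belongs in /etc/openldap/ldap.conf; use tls_cacertfile here")
    cafile = conf.get("tls_cacertfile")
    if not cafile:
        findings.append("tls_cacertfile missing: a CACert-issued server cert will be rejected")
    elif cacert_pem is not None:  # caller passes the file's contents so this runs offline
        n = count_ca_certs(cacert_pem)
        if n == 0:
            findings.append(f"{cafile} contains no PEM certificate")
        elif n > 1:
            findings.append(f"{cafile} bundles {n} CAs; the thread reports failures until limited to one")
    return findings

# Constructed samples (not from the list): the working config posted in the thread,
# a weak one, and a placeholder PEM body standing in for a real CA certificate.
WORKING_CONF = """\
ssl on
tls_cacertfile /etc/pki/tls/certs/cacert.org-root.txt
uri ldaps://rhds.example.com:636/
"""
WEAK_CONF = """\
uri ldap://rhds.example.com/
tls_checkpeer no
TLS_CACERT /etc/openldap/cacerts/ca.pem
"""
ONE_CA = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
TWO_CAS = ONE_CA * 2

if __name__ == "__main__":
    print("working:", lint_ldap_conf(WORKING_CONF, ONE_CA) or "OK")
    print("bundled:", lint_ldap_conf(WORKING_CONF, TWO_CAS))
    print("weak:   ", lint_ldap_conf(WEAK_CONF))
```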
Jean-Noël Chardron
2009-Jun-25 08:25 UTC
Re: [389-users] Trouble using self signed certificates.
John A. Sullivan III wrote:
> On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
>> Dumbo Q wrote:
>>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>>
>>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>>
>>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> Any thoughts?
>>
>> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in /etc/ldap.conf. From man ldap.conf:
>>
>>     TLS_CACERT <filename>
>>         Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.
>>
>>     TLS_CACERTDIR <path>
>>         Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls.
>>> <snip>
>
> I think these may be the wrong variables. If I recall correctly, those variables are for /etc/openldap/ldap.conf and control openldap (and openldap related queries). pam uses /etc/ldap.conf. I believe the variables are set like this:
>
>     ssl start_tls
>     tls_checkpeer yes
>     tls_cacertfile /usr/share/ca-certificates/CA.pem
>
> or whatever the path happens to be. Again, I'm not an expert - just sharing what we did that worked - John

That's correct. I apologize, I made a mistake.

--
Jean-Noel Chardron