Hi people,

I have a problem trying LDAPS.

I use the autogenerated self-signed certificate. I wrote this in smb:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem

without cafile.

When I try to verify with:

openssl verify /usr/local/samba/private/tls/myCert.pem
it tells me "unable to verify the first certificate",
and if I add -CApath it works!

And finally, when I try from another DC with
openssl s_client -showcerts -connect dc1.samdom.example.com:636
it tells me "unable to verify the first certificate".

Do I need to add cafile in smb?
What is wrong?
L.P.H. van Belle
2018-Jul-20 14:44 UTC
[Samba] autogenerated self-signed certificate problem
You are missing either:

smb.conf
tls cafile = tls/ca.pem

And/or (showing the Debian steps), the CA is missing in ca-certificates.crt
In: /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Steps to do.
mkdir /usr/local/share/ca-certificates/personal-cert
Put the root in that folder.
Run: update-ca-certificates

You need to install ca-certificates first.
apt install ca-certificates

Or, add your CA manually, or replace the line:
TLS_CACERT /etc/ssl/certs/YourCA-File.

Best is to use the first or second option.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Carlos Bordon via samba
> Sent: Friday 20 July 2018 16:36
> To: samba at lists.samba.org
> Subject: [Samba] autogenerated self-signed certificate problem
>
> Hi people,
>
> I have a problem trying LDAPS.
>
> I use the autogenerated self-signed certificate. I wrote this in smb:
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
>
> without cafile.
>
> When I try to verify with:
>
> openssl verify /usr/local/samba/private/tls/myCert.pem
> it tells me "unable to verify the first certificate",
> and if I add -CApath it works!
>
> And finally, when I try from another DC with
> openssl s_client -showcerts -connect dc1.samdom.example.com:636
> it tells me "unable to verify the first certificate".
>
> Do I need to add cafile in smb?
> What is wrong?
Thanks! I did it. Now, how can I see any change after running update ca?

2018-07-20 11:44 GMT-03:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> You are missing either:
>
> smb.conf
> tls cafile = tls/ca.pem
>
> And/or (showing the Debian steps), the CA is missing in ca-certificates.crt
> In: /etc/ldap/ldap.conf
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> Steps to do.
> mkdir /usr/local/share/ca-certificates/personal-cert
> Put the root in that folder.
> Run: update-ca-certificates
>
> You need to install ca-certificates first.
> apt install ca-certificates
>
> Or, add your CA manually, or replace the line:
> TLS_CACERT /etc/ssl/certs/YourCA-File.
>
> Best is to use the first or second option.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Carlos Bordon via samba
> > Sent: Friday 20 July 2018 16:36
> > To: samba at lists.samba.org
> > Subject: [Samba] autogenerated self-signed certificate problem
> >
> > Hi people,
> >
> > I have a problem trying LDAPS.
> >
> > I use the autogenerated self-signed certificate. I wrote this in smb:
> > tls enabled = yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> >
> > without cafile.
> >
> > When I try to verify with:
> >
> > openssl verify /usr/local/samba/private/tls/myCert.pem
> > it tells me "unable to verify the first certificate",
> > and if I add -CApath it works!
> >
> > And finally, when I try from another DC with
> > openssl s_client -showcerts -connect dc1.samdom.example.com:636
> > it tells me "unable to verify the first certificate".
> >
> > Do I need to add cafile in smb?
> > What is wrong?
Something I understood wrong: when you said "Put the root in that folder",
do you mean to copy cert.pem to this folder?
L.P.H. van Belle
2018-Jul-20 15:04 UTC
[Samba] autogenerated self-signed certificate problem
Yes, as per the example on this site.
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Carlos Bordon via samba
> Sent: Friday 20 July 2018 17:00
> CC: samba at lists.samba.org
> Subject: Re: [Samba] autogenerated self-signed certificate problem
>
> Something I understood wrong: when you said "Put the root in that folder",
> do you mean to copy cert.pem to this folder?
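
Added example, not part of any post in this thread: a way to see whether adding the root to the bundle changed anything, which is the question asked above. It builds a constructed throwaway root and server certificate (all names, subjects and the `bundle.crt` file are assumptions, not Samba's files) and runs `openssl verify` against a bundle before and after the root is appended.

```shell
#!/bin/sh
# Added example: every key and certificate here is a throwaway file constructed
# in a temp directory; nothing under /usr/local/samba or /etc/ssl is touched.

make_demo_pki() {   # $1 = work dir
    d=$1
    # Self-signed root, standing in for the CA file (tls/ca.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server certificate issued by that root, standing in for tls/cert.pem.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=dc1.samdom.example.com" \
        -keyout "$d/key.pem" -out "$d/cert.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/cert.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/cert.pem" 2>/dev/null || return 1
    # Unrelated self-signed certificate: a constructed stand-in for the
    # contents of ca-certificates.crt before the root has been added.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/other.key" -out "$d/bundle.crt" 2>/dev/null
}

# True only if a chain for certificate $1 can be built from bundle file $2.
# -no-CApath keeps OpenSSL from also searching its default directory, so the
# result reflects that one file (the file TLS_CACERT points at).
chain_ok() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    if chain_ok "$d/cert.pem" "$d/bundle.crt"; then before=ok; else before=fail; fi
    # update-ca-certificates rebuilds the bundle by concatenating the trusted
    # certificates; appending ca.pem imitates that. The real tool only picks
    # up files ending in .crt under /usr/local/share/ca-certificates.
    cat "$d/ca.pem" >> "$d/bundle.crt"
    if chain_ok "$d/cert.pem" "$d/bundle.crt"; then after=ok; else after=fail; fi
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

On the DC itself the same check is `openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt` followed by the path of the server certificate; `openssl s_client` accepts `-CAfile` in the same way.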