[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Richard Megginson rmeggins at redhat.com
Fri Jun 2 22:45:57 UTC 2006 

Jeff Gamsby wrote:
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>
>>> Jeff Gamsby
>>> Center for X-Ray Optics
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7783
>>>
>>>
>>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>>
>>>>> Jeff Gamsby
>>>>> Center for X-Ray Optics
>>>>> Lawrence Berkeley National Laboratory
>>>>> (510) 486-7783
>>>>>
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> I blew away the server and installed a new one, then I used the 
>>>>>>> setupssl.sh script to setup SSL. The script completed 
>>>>>>> successfully, and the server is listening on port 636, but I'm 
>>>>>>> back to a familiar error:
>>>>>>>
>>>>>>> ldapsearch -x -ZZ -d -1
>>>>>>>
>>>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>>>> TLS certificate verification: depth: 1, err: 19, subject: 
>>>>>>> /CN=CAcert, issuer: /CN=CAcert
>>>>>>> TLS certificate verification: Error, self signed certificate in 
>>>>>>> certificate chain
>>>>>>> tls_write: want=7, written=7
>>>>>>>  0000:  15 03 01 00 02 02 30                               
>>>>>>> ......0          TLS trace: SSL3 alert write:fatal:unknown CA
>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>>>>>> TLS: can't connect.
>>>>>>> ldap_perror
>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>        additional info: error:14090086:SSL 
>>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>
>>>>>>> Shouldn't CN=CAcert be cn=fqdn?
>>>>>> No, no hostname validation is done on the CA cert, only on the 
>>>>>> LDAP server cert.
>>>>>>
>>>>>> Did you configure openldap to use the new CA cert?  
>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients 
>>>>>>
>>>>>
>>>>> Yes.
>>>>>
>>>>> This is what the access log says
>>>>>
>>>>> [02/Jun/2006:14:58:41 -0700] conn=2 op=462 RESULT err=0 tag=101 
>>>>> nentries=0 etime=0
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 fd=68 slot=68 connection 
>>>>> from 127.0.0.1 to 127.0.0.1
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 EXT 
>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=0 RESULT err=0 tag=120 
>>>>> nentries=0 etime=0
>>>>> [02/Jun/2006:14:58:47 -0700] conn=124 op=-1 fd=68 closed - Peer 
>>>>> does not recognize and trust the CA that issued your certificate.
>>>>
>>>> This means that the CA cert that /etc/openldap/ldap.conf is using 
>>>> is not the cert of the CA that issued the Fedora DS server cert.
>>> OK.  I had the old cert in there.
>>>
>>> I followed the instructions and did a
>>>
>>> cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in 
>>> cacert.asc`.0
>>>
>>> and set TLS_CACERT to /etc/openldap/cacerts/cacert.asc. I still get 
>>> the same error
>> But does the file /etc/openldap/cacerts/cacert.asc exist?  If not, 
>> you need to copy that file in there.  I guess the docs are not 
>> explicit enough - if you use TLS_CACERTDIR, you must have the file 
>> <hash>.0 in the cacerts directory.  If you use TLS_CACERT, you must 
>> have the file /etc/openldap/cacerts/cacert.asc.
>
> It does exist, and I'm using TLS_CACERT /etc/openldap/cacerts/cacert.asc
>
> Same error.
> [02/Jun/2006:15:34:53 -0700] conn=30 fd=68 slot=68 connection from 
> 127.0.0.1 to 127.0.0.1
> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 EXT 
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [02/Jun/2006:15:34:53 -0700] conn=30 op=0 RESULT err=0 tag=120 
> nentries=0 etime=0
> [02/Jun/2006:15:34:53 -0700] conn=30 op=-1 fd=68 closed - Peer does 
> not recognize and trust the CA that issued your certificate.
>
> I also put the same info in /etc/ldap.conf
That file is only used by pam_ldap and nss_ldap, so it shouldn't matter.
>
> Also, here are the certs
>
> ../shared/bin/certutil -L -P slapd-server- -d .
> CA certificate                                               CTu,u,u
> server-cert                                                  u,u,u
> Server-Cert                                                  u,u,u
>
> Does that look right?
Try this:
../shared/bin/certutil -L -P slapd-server- -d . -n "CA certificate" -a > 
mycacert.asc

diff mycacert.asc /etc/openldap/cacerts/cacert.asc

If they are the same, then CA certificate is not the cert of the CA that 
issued Server-Cert.
>
>>>
>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection from 
>>> 127.0.0.1 to 127.0.0.1
>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT 
>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120 
>>> nentries=0 etime=0
>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer does 
>>> not recognize and trust the CA that issued your certificate.
>>>
>>>
>>>
>>>
>>>>>>
>>>>>>>
>>>>>>> This is all that the errors log says
>>>>>> How about the access log?
>>>>>>>
>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 
>>>>>>> AES in backend userRoot, attempting to create one...
>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully 
>>>>>>> generated and stored
>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 
>>>>>>> 3DES in backend userRoot, attempting to create one...
>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully 
>>>>>>> generated and stored
>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 
>>>>>>> AES in backend NetscapeRoot, attempting to create one...
>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully 
>>>>>>> generated and stored
>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 
>>>>>>> 3DES in backend NetscapeRoot, attempting to create one...
>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully 
>>>>>>> generated and stored
>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on All 
>>>>>>> Interfaces port 389 for LDAP requests
>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 
>>>>>>> 636 for LDAPS requests
>>>>>>>
>>>>>>> Thanks for your help
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Jeff Gamsby
>>>>>>> Center for X-Ray Optics
>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>> (510) 486-7783
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> OK, now I have a different error.
>>>>>>>>>
>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i 
>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>
>>>>>>>>> and
>>>>>>>>>
>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>>>>>>>>>
>>>>>>>>> Now, I get this error:
>>>>>>>>>
>>>>>>>>> TLS: can't connect.
>>>>>>>>> ldap_perror
>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>        additional info: Start TLS request accepted.Server 
>>>>>>>>> willing to negotiate SSL.
>>>>>>>> What OS and version are you running?  RHEL3 
>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR 
>>>>>>>> directive - you must use the TLS_CACERT directive with the full 
>>>>>>>> path and filename of the cacert.pem file (e.g. 
>>>>>>>> /etc/openldap/cacerts/cacert.pem).  What does it say in the 
>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>
>>>>>>>> For a successful startTLS request with ldapsearch, you should 
>>>>>>>> see something like the following in your fedora ds access log:
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection 
>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT 
>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 
>>>>>>>> nentries=0 etime=0
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 
>>>>>>>> version=3
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 
>>>>>>>> nentries=0 etime=0 dn=""
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH 
>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)" 
>>>>>>>> attrs=ALL
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 
>>>>>>>> nentries=1 etime=0
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jeff Gamsby
>>>>>>>>> Center for X-Ray Optics
>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>> (510) 486-7783
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>
>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jeff Gamsby
>>>>>>>>>>>>> Center for X-Ray Optics
>>>>>>>>>>>>> Lawrence Berkeley National Laboratory
>>>>>>>>>>>>> (510) 486-7783
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am 
>>>>>>>>>>>>>>> using a OpenSSL CA, I have installed the Server Cert and 
>>>>>>>>>>>>>>> the CA Cert, can start FDS in SSL mode, but when I run
>>>>>>>>>>>>>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert 
>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>> Did you follow this - 
>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>> I did, but that didn't work for me. The only thing that I 
>>>>>>>>>>>>> did this time was generate a request from the "Manage 
>>>>>>>>>>>>> Certificates", sign the request using my OpenSSL CA, and 
>>>>>>>>>>>>> install the Server and CA Certs. Then I turned on SSL in 
>>>>>>>>>>>>> the Admin console, and restarted the server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> When I followed the instructions from the link, I couldn't 
>>>>>>>>>>>>> even get FDS to start in SSL mode.
>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify the 
>>>>>>>>>>>> hostname in your server cert, which is the value of the cn 
>>>>>>>>>>>> attribute in the leftmost RDN in your server cert's subject 
>>>>>>>>>>>> DN.  What is the subject DN of your server cert?  You can 
>>>>>>>>>>>> use certutil -L -n Server-Cert as specified in the 
>>>>>>>>>>>> Howto:SSL to print your cert.
>>>>>>>>>>>
>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>
>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n 
>>>>>>>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and 
>>>>>>>>>>> OpenSSL CA host (ran on same machine)
>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some 
>>>>>>>>>> debugging info.
>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts 
>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>   
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users 
>>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -- 
>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>>>>   
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>>>   
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>   
>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>> ------------------------------------------------------------------------ 
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>   
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>   
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060602/9ea3c66c/attachment.bin>

More information about the Fedora-directory-users mailing list