[Fedora-directory-users] TLS trace: SSL3 alert write:fatal:unknown CA

Jeff Gamsby JFGamsby at lbl.gov
Sun Jun 4 19:56:39 UTC 2006


> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>>> I'm not sure I understand what's going on either, but the message
>>>> "Peer does not recognize and trust the CA that issued your
>>>> certificate." means that ldapsearch did not verify your LDAP server
>>>> certificate (Server-Cert).  This is usually due to one or both of the
>>>> following:
>>>> 1) The value of the cn attribute in the leftmost RDN of the subjectDN
>>>> in the LDAP server cert is not the fqdn of the LDAP server host, or
>>>> the client cannot resolve it.
>>>> 2) The /etc/openldap/cacerts/cacert.asc CA cert is not the cert of
>>>> the CA that issued the LDAP server certificate (Server-Cert)
>>>>
>>>> I'm not sure which one it is.  You might try dumping out the server
>>>> certificate (../shared/bin/certutil -L -P slapd-server- -d . -n
>>>> "Server-Cert" -a > fdscert.pem) and using openssl to verify the cert
>>>> e.g.
>>>> openssl verify -CAfile /etc/openldap/cacerts/cacert.asc fdscert.pem
>>>>
>>>> If you get an error, this means that the CA whose cert is
>>>> /etc/openldap/cacerts/cacert.asc did not issue the fedora ds server
>>>> certificate.
>>>
>>> I get fdscert.pem: OK
>> I dunno - perhaps the CA doesn't have the appropriate trust flags?  This
>> is what I get:
>> ../shared/bin/certutil -d . -P slapd-localhost- -L
>> CA certificate                                               CTu,u,u
>> Server-Cert                                                  u,u,u
>>
>
> Another thing you can try is verifying the server certificate:
>
> % ../shared/bin/certutil certutil -V -u V -n Server-Cert -d . -P
> slapd-localhost-
> certutil: certificate is valid
>
> Can you try the FDS ldapsearch (shared/bin/ldapsearch)? It will
> eliminate the OpenSSL certificate so we can help see where the problem
> is. You can have it use the same cert database as the server and that
> should help confirm that the CA and Server certificates are ok. If that
> works then it's likely something with your OpenSSL config that is the
> problem.
>
> rob
>

Rob,

This is what I did.

FC4

installed fds 1.0.2

system has real hostname and name resolves

ran this script

$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=server.xxx.xxx" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
ln -s slapd-server-cert8.db cert8.db
chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
cp cacert.pem /etc/openldap/cacerts/

restarted FDS
turned on SSL mode in the admin console under "Configuration -> Encryption", using the
Server-Cert certificate

restarted FDS

ran

# ../shared/bin/ldapsearch -Z -p 636 -b "" -s base "(objectclass=*)" -v
ldapsearch: started Sun Jun  4 12:48:46 2006

ldap_init( localhost, 636 )
ldaptool_getcertpath -- .
ldaptool_getkeypath -- .
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
filter pattern: (objectclass=*)
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
objectClass: top
namingContexts: dc=server,dc=xxx,dc=xxx
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Fedora Project
vendorVersion: Fedora-Directory/1.0.2 B2006.060.1951
dataversion: 020060604194005020060604194005
netscapemdsuffix: cn=ldap://dc=server,dc=xxx,dc=xxx,dc=xxx:389
1 matches

Access log says:

[04/Jun/2006:12:50:35 -0700] conn=42 fd=69 slot=69 SSL connection from
127.0.0.1 to 127.0.0.1
[04/Jun/2006:12:50:35 -0700] conn=42 SSL 128-bit RC4
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs=ALL
[04/Jun/2006:12:50:35 -0700] conn=42 op=0 RESULT err=0 tag=101 nentries=1
etime=0
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 UNBIND
[04/Jun/2006:12:50:35 -0700] conn=42 op=1 fd=69 closed - U1

OK right?

Now run

ldapsearch -x -Hldaps://localhost

# ldapsearch -x -Hldaps://localhost
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert,
issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 fd=67 slot=67 connection
>>>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 EXT
>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=0 RESULT err=0 tag=120
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [02/Jun/2006:15:24:47 -0700] conn=10 op=-1 fd=67 closed - Peer
>>>>>>>>> does not recognize and trust the CA that issued your certificate.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is all that the errors log says
>>>>>>>>>>>> How about the access log?
>>>>>>>>>>>>>
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend userRoot, attempting to create one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher AES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for
>>>>>>>>>>>>> cipher 3DES in backend NetscapeRoot, attempting to create
>>>>>>>>>>>>> one...
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
>>>>>>>>>>>>> successfully generated and stored
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - slapd started.  Listening on
>>>>>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces
>>>>>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>> OK, now I have a different error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i
>>>>>>>>>>>>>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ln -s ca-cert.pem `openssl x509 -noout -hash -in
>>>>>>>>>>>>>>> ca-cert.pem`.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now, I get this error:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> TLS: can't connect.
>>>>>>>>>>>>>>> ldap_perror
>>>>>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>>>>>>        additional info: Start TLS request accepted.Server
>>>>>>>>>>>>>>> willing to negotiate SSL.
>>>>>>>>>>>>>> What OS and version are you running?  RHEL3
>>>>>>>>>>>>>> /etc/openldap/ldap.conf does not like the TLS_CACERTDIR
>>>>>>>>>>>>>> directive - you must use the TLS_CACERT directive with the
>>>>>>>>>>>>>> full path and filename of the cacert.pem file (e.g.
>>>>>>>>>>>>>> /etc/openldap/cacerts/cacert.pem).  What does it say in the
>>>>>>>>>>>>>> fedora ds access and error log for this request?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For a successful startTLS request with ldapsearch, you
>>>>>>>>>>>>>> should see something like the following in your fedora ds
>>>>>>>>>>>>>> access log:
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64
>>>>>>>>>>>>>> connection from 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT
>>>>>>>>>>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0
>>>>>>>>>>>>>> tag=120 nentries=0 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn=""
>>>>>>>>>>>>>> method=128 version=3
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0
>>>>>>>>>>>>>> tag=97 nentries=0 etime=0 dn=""
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH
>>>>>>>>>>>>>> base="dc=example,dc=com" scope=0 filter="(objectClass=*)"
>>>>>>>>>>>>>> attrs=ALL
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0
>>>>>>>>>>>>>> tag=101 nentries=1 etime=0
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>>>>>>>>>>>>>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1

>>>>>>>>>>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>>>>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>>>>>>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I
>>>>>>>>>>>>>>>>>>>>> am using an OpenSSL CA, I have installed the Server
>>>>>>>>>>>>>>>>>>>>> Cert and the CA Cert, can start FDS in SSL mode, but
>>>>>>>>>>>>>>>>>>>>> when I run
>>>>>>>>>>>>>>>>>>>>> ldapsearch -x -ZZ  I get TLS trace: SSL3 alert
>>>>>>>>>>>>>>>>>>>>> write:fatal:unknown CA.
>>>>>>>>>>>>>>>>>>>> Did you follow this -
>>>>>>>>>>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>>>>>>>>>>>>>> I did, but that didn't work for me. The only thing
>>>>>>>>>>>>>>>>>>> that I did this time was generate a request from the
>>>>>>>>>>>>>>>>>>> "Manage Certificates", sign the request using my
>>>>>>>>>>>>>>>>>>> OpenSSL CA, and install the Server and CA Certs. Then
>>>>>>>>>>>>>>>>>>> I turned on SSL in the Admin console, and restarted
>>>>>>>>>>>>>>>>>>> the server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> When I followed the instructions from the link, I
>>>>>>>>>>>>>>>>>>> couldn't even get FDS to start in SSL mode.
>>>>>>>>>>>>>>>>>> One problem may be that ldapsearch is trying to verify
>>>>>>>>>>>>>>>>>> the hostname in your server cert, which is the value of
>>>>>>>>>>>>>>>>>> the cn attribute in the leftmost RDN in your server
>>>>>>>>>>>>>>>>>> cert's subject DN.  What is the subject DN of your
>>>>>>>>>>>>>>>>>> server cert?  You can use certutil -L -n Server-Cert as
>>>>>>>>>>>>>>>>>> specified in the Howto:SSL to print your cert.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sorry. I missed the -P option.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> running ../shared/bin/certutil -L -d . -P slapd-server-
>>>>>>>>>>>>>>>>> -n "server-cert" returns the Subject *CN* as FQDN of FDS
>>>>>>>>>>>>>>>>> and OpenSSL CA host (ran on same machine)
>>>>>>>>>>>>>>>> Hmm - try ldapsearch with the -v (or -d?) option to get
>>>>>>>>>>>>>>>> some debugging info.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>>>>>>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>>>>>>>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>>>>>>>> TLSREQCERT allow
>>>>>>>>>>>>>>>>>>>>> ssl on
>>>>>>>>>>>>>>>>>>>>> ssl start_tls
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> If I run
>>>>>>>>>>>>>>>>>>>>> openssl s_client -connect localhost:636 -showcerts
>>>>>>>>>>>>>>>>>>>>> -state -CAfile /path/to/cacert.pem
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> It looks OK
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Please help
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Thanks