Thread: TLS trace: SSL3 alert write:fatal:unknown CA

2006-06-02 15:43:45
Jeff Gamsby wrote:
> I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA, I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run
> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
>
> In /etc/ldap.conf, I have put in
> TLS_CACERT /path/to/cert
Is this the same /path/to/cacert.pem as below?
> TLSREQCERT allow
> ssl on
> ssl start_tls
>
> If I run
> openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/cacert.pem
>
> It looks OK
>
> Please help
>
> Thanks
--
Fedora-directory-users mailing list
Fedora-directory-users redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

2006-06-02 15:49:50
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> Jeff Gamsby wrote:
>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an OpenSSL CA, I have installed the Server Cert and the CA Cert, can start FDS in SSL mode, but when I run
>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert write:fatal:unknown CA.
> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.

When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.
>>
>> In /etc/ldap.conf, I have put in
>> TLS_CACERT /path/to/cert
> Is this the same /path/to/cacert.pem as below?
Yes

2006-06-02 16:07:25
Jeff Gamsby wrote:
> Richard Megginson wrote:
>> Did you follow this - http://directory.fedora.redhat.com/wiki/Howto:SSL
> I did, but that didn't work for me. The only thing that I did this time was generate a request from the "Manage Certificates", sign the request using my OpenSSL CA, and install the Server and CA Certs. Then I turned on SSL in the Admin console, and restarted the server.
>
> When I followed the instructions from the link, I couldn't even get FDS to start in SSL mode.
One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.

2006-06-02 16:22:52
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

Richard Megginson wrote:
> One problem may be that ldapsearch is trying to verify the hostname in your server cert, which is the value of the cn attribute in the leftmost RDN in your server cert's subject DN. What is the subject DN of your server cert? You can use certutil -L -n Server-Cert as specified in the Howto:SSL to print your cert.
Sorry. I missed the -P option.

running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)

2006-06-02 18:29:29
Jeff Gamsby wrote:
> Sorry. I missed the -P option.
>
> running ../shared/bin/certutil -L -d . -P slapd-server- -n "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL CA host (ran on same machine)
Hmm - try ldapsearch with the -v (or -d?) option to get some debugging info.

2006-06-02 20:42:10
OK, now I have a different error.

I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .

and

ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0

Now, I get this error:

TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

2006-06-02 21:35:09
Jeff Gamsby wrote:
> OK, now I have a different error.
>
> I ran ../shared/bin/certutil -A -n cert-name -t "C,C,C" -i /etc/certs/ca-cert.pem -P slapd-server- -d .
>
> and
>
> ln -s ca-cert.pem `openssl x509 -noout -hash -in ca-cert.pem`.0
>
> Now, I get this error:
>
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to negotiate SSL.
What OS and version are you running? RHEL3 /etc/openldap/ldap.conf does not like the TLS_CACERTDIR directive - you must use the TLS_CACERT directive with the full path and filename of the cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does it say in the fedora ds access and error log for this request?

For a successful startTLS request with ldapsearch, you should see something like the following in your fedora ds access log:

[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
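The access-log excerpt above is what a working startTLS looks like; the same lines can be checked mechanically to find connections where startTLS was accepted but no cipher was ever negotiated, or where a client bound and searched without asking for TLS at all. This is an added example, not code from the thread or from Fedora DS; conn=11 is the sample from the message above, conn=12 and conn=13 are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample in the Fedora DS access-log format shown in the thread: conn=11 is the
# successful startTLS exchange quoted above; conn=12 and conn=13 are made up here to show a
# handshake that never produced a cipher and a client that never asked for startTLS at all.
SAMPLE_LOG = """\
[02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
[02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
[02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
[02/Jun/2006:15:32:10 -0600] conn=12 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[02/Jun/2006:15:32:10 -0600] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Jun/2006:15:32:10 -0600] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Jun/2006:15:32:10 -0600] conn=12 op=-1 fd=65 closed - B1
[02/Jun/2006:15:33:02 -0600] conn=13 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[02/Jun/2006:15:33:02 -0600] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[02/Jun/2006:15:33:02 -0600] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[02/Jun/2006:15:33:02 -0600] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jeff)" attrs=ALL
[02/Jun/2006:15:33:02 -0600] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jun/2006:15:33:02 -0600] conn=13 op=2 UNBIND
[02/Jun/2006:15:33:02 -0600] conn=13 op=2 fd=66 closed - U1
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # the OID in the sample EXT line above

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
EXT_RE = re.compile(r'^op=(?P<op>-?\d+) EXT oid="(?P<oid>[^"]+)"')
RESULT_RE = re.compile(r'^op=(?P<op>-?\d+) RESULT err=(?P<err>-?\d+)')
SSL_RE = re.compile(r'^SSL (?P<bits>\d+)-bit (?P<cipher>\S+)')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<kind>BIND|SRCH|ADD|MOD|DEL|MODRDN|CMP)\b')
CLOSE_RE = re.compile(r'^op=(?P<op>-?\d+) fd=\d+ closed')


def analyze_access_log(lines):
    """Group access-log lines by conn and record how TLS was (or was not) established."""
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        c = conns.setdefault(int(m.group("conn")), {
            "starttls_op": None, "starttls_err": None, "tls": None,
            "cleartext_ops": [], "protected_ops": [], "closed": False,
        })
        e = EXT_RE.match(rest)
        if e and e.group("oid") == STARTTLS_OID:
            c["starttls_op"] = int(e.group("op"))      # client asked for startTLS
            continue
        r = RESULT_RE.match(rest)
        if r and c["starttls_op"] == int(r.group("op")) and c["starttls_err"] is None:
            c["starttls_err"] = int(r.group("err"))    # server's answer to the startTLS op
            continue
        s = SSL_RE.match(rest)
        if s:
            c["tls"] = f'{s.group("bits")}-bit {s.group("cipher")}'   # handshake completed
            continue
        o = OP_RE.match(rest)
        if o:
            # Operations logged before the "SSL ..." line travelled in cleartext.
            c["protected_ops" if c["tls"] else "cleartext_ops"].append(o.group("kind"))
            continue
        if CLOSE_RE.match(rest):
            c["closed"] = True
    return conns


def classify(summary):
    """Turn one connection summary into a verdict string."""
    if summary["starttls_op"] is None:
        return "no-starttls" if summary["cleartext_ops"] else "no-ops"
    if summary["starttls_err"] not in (None, 0):
        return "starttls-refused"
    if summary["tls"] is None:
        return "handshake-failed"   # startTLS accepted, but no cipher was ever negotiated
    if summary["cleartext_ops"]:
        return "tls-ok-but-cleartext-ops"
    return "tls-ok"


def verdicts(lines):
    return {conn: classify(c) for conn, c in analyze_access_log(lines).items()}


if __name__ == "__main__":
    for conn, v in verdicts(SAMPLE_LOG.splitlines()).items():
        print(f"conn={conn}: {v}")
```

The "handshake-failed" verdict is the server-side view of the client's "unknown CA" alert: the EXT op succeeded, but the connection closed before an "SSL ... " line was written.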

2006-06-02 21:44:03
I blew away the server and installed a new one, then I used the setupssl.sh script to set up SSL. The script completed successfully, and the server is listening on port 636, but I'm back to a familiar error:

ldapsearch -x -ZZ -d -1

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Shouldn't CN=CAcert be cn=fqdn?

This is all that the errors log says

[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
[02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests

Thanks for your help

Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

2006-06-02 21:54:50
Jeff Gamsby wrote:
> I blew away the server and installed a new one, then I used the setupssl.sh script to set up SSL. The script completed successfully, and the server is listening on port 636, but I'm back to a familiar error:
>
> ldapsearch -x -ZZ -d -1
>
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Shouldn't CN=CAcert be cn=fqdn?
No, no hostname validation is done on the CA cert, only on the LDAP server cert.

Did you configure openldap to use the new CA cert? http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> This is all that the errors log says
How about the access log?
>
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found
for cipher AES
> in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found
for cipher 3DES
> in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found
for cipher AES
> in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES
successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found
for cipher 3DES
> in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES
successfully
> generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started.
Listening on All
> Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All
Interfaces port 636
> for LDAPS requests
>
> Thanks for your help
>
>
>
>
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
>
>
> Richard Megginson wrote:
>> Jeff Gamsby wrote:
>>> OK, now I have a different error.
>>>
>>> I ran ../shared/bin/certutil -A -n cert-name -t
"C,C,C" -i
>>> /etc/certs/ca-cert.pem -P slapd-server- -d .
>>>
>>> and
>>>
>>> ln -s ca-cert.pem `openssl x509 -noout -hash
-in ca-cert.pem`.0
>>>
>>> Now, I get this error:
>>>
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (-11)
>>> additional info: Start TLS request
accepted.Server willing to
>>> negotiate SSL.
>> What OS and version are you running? RHEL3 /etc/openldap/ldap.conf
>> does not like the TLS_CACERTDIR directive - you must use the
>> TLS_CACERT directive with the full path and filename of the
>> cacert.pem file (e.g. /etc/openldap/cacerts/cacert.pem). What does
>> it say in the fedora ds access and error log for this request?
>>
>> For a successful startTLS request with ldapsearch, you should see
>> something like the following in your fedora ds access log:
>> [02/Jun/2006:15:31:48 -0600] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 SSL 256-bit AES
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 BIND dn="" method=128 version=3
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 UNBIND
>> [02/Jun/2006:15:31:48 -0600] conn=11 op=3 fd=64 closed - U1
>>
>>> Richard Megginson wrote:
>>>> Jeff Gamsby wrote:
>>>>> Richard Megginson wrote:
>>>>>> Jeff Gamsby wrote:
>>>>>>> Richard Megginson wrote:
>>>>>>>> Jeff Gamsby wrote:
>>>>>>>>> I am trying to get FDS 1.0.2 working in SSL mode. I am using an
>>>>>>>>> OpenSSL CA, I have installed the Server Cert and the CA Cert,
>>>>>>>>> can start FDS in SSL mode, but when I run
>>>>>>>>> ldapsearch -x -ZZ I get TLS trace: SSL3 alert
>>>>>>>>> write:fatal:unknown CA.
>>>>>>>> Did you follow this -
>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>>>>>>> I did, but that didn't work for me. The only thing that I did
>>>>>>> this time was generate a request from the "Manage Certificates",
>>>>>>> sign the request using my OpenSSL CA, and install the Server and
>>>>>>> CA Certs. Then I turned on SSL in the Admin console, and
>>>>>>> restarted the server.
>>>>>>>
>>>>>>> When I followed the instructions from the link, I couldn't even
>>>>>>> get FDS to start in SSL mode.
>>>>>> One problem may be that ldapsearch is trying to verify the
>>>>>> hostname in your server cert, which is the value of the cn
>>>>>> attribute in the leftmost RDN in your server cert's subject DN.
>>>>>> What is the subject DN of your server cert? You can use certutil
>>>>>> -L -n Server-Cert as specified in the Howto:SSL to print your cert.
>>>>>
>>>>> Sorry. I missed the -P option.
>>>>>
>>>>> running ../shared/bin/certutil -L -d . -P slapd-server- -n
>>>>> "server-cert" returns the Subject *CN* as FQDN of FDS and OpenSSL
>>>>> CA host (ran on same machine)
>>>> Hmm - try ldapsearch with the -v (or -d?) option to get some
>>>> debugging info.
>>>>>
>>>>>>>>>
>>>>>>>>> In /etc/ldap.conf, I have put in
>>>>>>>>> TLS_CACERT /path/to/cert
>>>>>>>> Is this the same /path/to/cacert.pem as below?
>>>>>>> Yes
>>>>>>>>> TLSREQCERT allow
>>>>>>>>> ssl on
>>>>>>>>> ssl start_tls
>>>>>>>>>
>>>>>>>>> If I run
>>>>>>>>> openssl s_client -connect localhost:636 -showcerts -state
>>>>>>>>> -CAfile /path/to/cacert.pem
>>>>>>>>>
>>>>>>>>> It looks OK
>>>>>>>>>
>>>>>>>>> Please help
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
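The fix Richard keeps pointing at in the exchange quoted above is a client-side one. ldapsearch on these systems links against OpenSSL, not the NSS database that the certutil -A step populates for the server, so the CA only reaches it through TLS_CACERT in the file libldap actually reads (/etc/openldap/ldap.conf, then LDAPRC, ~/.ldaprc), never through nss_ldap's /etc/ldap.conf where the thread's TLS_CACERT, TLSREQCERT allow and ssl start_tls lines were placed. The script below is an added example, not code from the thread or from Fedora Directory Server or OpenLDAP; lint_ldap_conf and the fixture files are my own names and constructed input. It checks a client ldap.conf for the mistakes this thread shows (relative path, unreadable or non-PEM file, an unhashed cert directory, nss_ldap directives that libldap ignores) and flags TLS_REQCERT allow or never, which would have made -ZZ "work" by switching verification off rather than by trusting the right CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora DS/OpenLDAP.
# lint_ldap_conf checks the client-side trust settings that ldapsearch -ZZ
# really honours.  libldap reads /etc/openldap/ldap.conf (Red Hat) or
# /etc/ldap/ldap.conf (Debian), then LDAPRC / ~/.ldaprc / ./ldaprc; the
# /etc/ldap.conf used in the thread belongs to nss_ldap/pam_ldap and is
# never consulted by ldapsearch.

# lint_ldap_conf FILE -> prints FAIL:/WARN:/OK: findings, returns the FAIL count
lint_ldap_conf() {
    conf=$1
    fails=0
    cacert=''; cacertdir=''; reqcert=''
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is not readable"
        return 1
    fi
    # One directive per line; the name is case-insensitive, the value follows it.
    while read -r key val rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'a-z' 'A-Z')
        case $key in
            TLS_CACERT)    cacert=$val ;;
            TLS_CACERTDIR) cacertdir=$val ;;
            TLS_REQCERT)   reqcert=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            SSL|TLS_CHECKPEER|TLS_CACERTFILE)
                echo "WARN: '$key' is an nss_ldap/pam_ldap directive; libldap ignores it" ;;
            TLSREQCERT)
                echo "WARN: '$key' is not an OpenLDAP directive (did you mean TLS_REQCERT?)" ;;
        esac
    done < "$conf"

    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: neither TLS_CACERT nor TLS_CACERTDIR is set, so a private CA cannot be trusted"
        fails=$((fails + 1))
    fi
    if [ -n "$cacert" ]; then
        case $cacert in
            /*) ;;
            *)  echo "FAIL: TLS_CACERT '$cacert' must be the absolute path of the CA PEM file"
                fails=$((fails + 1)) ;;
        esac
        if [ ! -r "$cacert" ]; then
            echo "FAIL: TLS_CACERT '$cacert' does not exist or is not readable by this user"
            fails=$((fails + 1))
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
            echo "FAIL: TLS_CACERT '$cacert' is not PEM (convert DER with: openssl x509 -inform der -in ca.der -out cacert.pem)"
            fails=$((fails + 1))
        else
            echo "OK: TLS_CACERT $cacert"
        fi
    fi
    if [ -n "$cacertdir" ]; then
        # OpenSSL only finds CAs in a directory through <subject-hash>.N entries,
        # which is what the ln -s ... $(openssl x509 -noout -hash).0 step creates.
        if ls "$cacertdir" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "OK: TLS_CACERTDIR $cacertdir (old libldap builds such as RHEL3 ignore this directive; TLS_CACERT is safer)"
        else
            echo "FAIL: TLS_CACERTDIR '$cacertdir' holds no <hash>.N entries; run c_rehash or the ln -s step"
            fails=$((fails + 1))
        fi
    fi
    case ${reqcert:-demand} in
        demand|hard) echo "OK: TLS_REQCERT ${reqcert:-demand} (unset means demand)" ;;
        try)   echo "WARN: TLS_REQCERT try: a server that sends no certificate at all is still accepted" ;;
        allow|never)
            echo "WARN: TLS_REQCERT $reqcert turns verification off; -ZZ then succeeds against any impostor with a self-signed cert" ;;
        *)  echo "FAIL: TLS_REQCERT '$reqcert' is not never/allow/try/demand/hard"
            fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Demo on constructed fixtures (the PEM body is a placeholder, not a real cert).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$demo/cacert.pem"
# Weak: relative path, verification disabled, an nss_ldap directive libldap ignores.
printf '%s\n' 'TLS_CACERT cacert.pem' 'TLS_REQCERT allow' 'ssl start_tls' > "$demo/weak.conf"
# Corrected: absolute path to the CA PEM, verification enforced.
printf '%s\n' "TLS_CACERT $demo/cacert.pem" 'TLS_REQCERT demand' > "$demo/fixed.conf"
for f in weak fixed; do
    echo "== $f.conf"
    if lint_ldap_conf "$demo/$f.conf"; then echo "result: usable"; else echo "result: not usable"; fi
done
rm -rf "$demo"
```

Run it as the same user that will run ldapsearch, because the readability check is about that user's access to the CA file; a root-only cacert.pem produces exactly the "unknown CA" symptom for everyone else.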
|
|
| TLS trace: SSL3 alert write:fatal:unknown CA |

|
2006-06-02 21:49:09 |
I'm running FC4 and I made sure that /etc/openldap/ldap.conf has TLS_CACERT.
I also have OpenLDAP built on this machine, but it's not running.
I have another box running FC5, I'll try it on that machine while I'm
trying to figure out what to do.
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783
Jeff Gamsby wrote:
> I blew away the server and installed a new one, then I used the
> setupssl.sh script to set up SSL. The script completed successfully,
> and the server is listening on port 636, but I'm back to a familiar
> error:
>
> ldapsearch -x -ZZ -d -1
>
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Shouldn't CN=CAcert be cn=fqdn?
>
> This is all that the errors log says
>
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher AES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [02/Jun/2006:14:21:01 -0700] - Key for cipher 3DES successfully generated and stored
> [02/Jun/2006:14:21:01 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [02/Jun/2006:14:21:01 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> Thanks for your help
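In the -d -1 trace quoted above it is the client, not the server, that gives up: "SSL3 alert write" is the alert ldapsearch sent after its own verification of the presented chain stopped with err 19 at depth 1. Depth 1 is the CA certificate, so CN=CAcert being a plain name rather than an FQDN is fine; libldap compares the hostname only against the depth-0 server certificate. What err 19 (self signed certificate in certificate chain) says is that this self-signed CA is not in the client's trust store: the file named by TLS_CACERT is either not the certificate that signed the server certificate or is not being read at all. The script below is an added example, not code from the thread or from OpenLDAP; diagnose_tls_trace is my own name, the sample trace is constructed from the lines quoted above, and the libldap message formats and OpenSSL verify error numbers it relies on are stated in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.  diagnose_tls_trace
# reads the output of `ldapsearch -ZZ -d -1` and turns the verify-callback
# lines and the TLS alert into a verdict.  Assumptions: libldap's message
# formats as they appear in the thread, libldap's "TLS: hostname (...) does
# not match common name in certificate (...)" message, and OpenSSL's numeric
# verify errors (10 expired, 18/19 self-signed leaf/chain, 20/21 issuer not found).

# diagnose_tls_trace FILE -> prints a verdict; returns 0 only for a clean handshake
diagnose_tls_trace() {
    trace=$1
    if grep -q 'SSL negotiation finished successfully' "$trace"; then
        echo "OK: handshake completed, server chain and hostname accepted"
        return 0
    fi
    # "alert write" means this client sent the fatal alert (it rejected the
    # server); "alert read" means the server sent it (it rejected us).
    alert=$(sed -n 's/.*SSL3 alert \([a-z]*\):fatal:\(.*\)$/\1 \2/p' "$trace" | head -n 1)
    hostline=$(grep 'TLS: hostname (' "$trace" | head -n 1)
    if [ -n "$hostline" ]; then
        echo "FAIL: ${hostline#*TLS: } The leftmost CN of the depth-0 server certificate must equal the name you connect to."
        return 1
    fi
    # Each verify callback logs: depth: D, err: N, subject: S, issuer: I.
    # OpenSSL stops at the first failing certificate, so take the first non-zero err.
    bad=$(grep 'TLS certificate verification: depth:' "$trace" | grep -v 'err: 0,' | head -n 1)
    if [ -n "$bad" ]; then
        depth=$(printf '%s\n' "$bad" | sed -n 's/.*depth: \([0-9]*\),.*/\1/p')
        err=$(printf '%s\n' "$bad" | sed -n 's/.*err: \([0-9]*\),.*/\1/p')
        subject=$(printf '%s\n' "$bad" | sed -n 's/.*subject: \(.*\), issuer:.*/\1/p')
        case $err in
            19) echo "FAIL: err 19 (self-signed certificate in chain): root '$subject' at depth $depth is not in this client's trust store. TLS_CACERT must name a PEM file holding exactly that CA certificate; a CA's CN is never compared with the hostname." ;;
            18) echo "FAIL: err 18: the server certificate '$subject' is itself self-signed, so it was not issued by your CA." ;;
            20|21) echo "FAIL: err $err: the issuer of '$subject' (depth $depth) is neither in TLS_CACERT nor sent by the server; add the missing CA or intermediate to the PEM file, or fix the server's chain." ;;
            10) echo "FAIL: err 10: '$subject' (depth $depth) has expired; check the clocks on both hosts, then renew." ;;
            *)  echo "FAIL: err $err while verifying '$subject' (depth $depth); see the X509_V_ERR_* list in verify(1)." ;;
        esac
        [ -n "$alert" ] && echo "      alert ${alert%% *}: ${alert#* }"
        return 1
    fi
    if [ -n "$alert" ]; then
        case ${alert%% *} in
            write) echo "FAIL: this client sent a fatal '${alert#* }' alert without a logged verify error; re-run with -d -1 and keep the full output." ;;
            read)  echo "FAIL: the server sent a fatal '${alert#* }' alert; it rejected this client (for example an untrusted or missing client certificate)." ;;
        esac
        return 1
    fi
    echo "UNKNOWN: no verify error or TLS alert found in $trace"
    return 2
}

# Demo on a trace constructed from the lines quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /CN=CAcert, issuer: /CN=CAcert
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
EOF
diagnose_tls_trace "$sample" || echo "(non-zero exit, as expected for this trace)"
rm -f "$sample"
```

Pipe a real run through it with `ldapsearch -x -ZZ -d -1 2>&1 | tee trace.txt` and then `diagnose_tls_trace trace.txt`; the subject it prints for err 19 should match `openssl x509 -noout -subject -in "$TLS_CACERT_file"`, and if it does not, the client is trusting a different CA than the one that signed the server certificate.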
|