Re: ldap_start_tls: Connect error - self signed certificate in certificate chain

2020-09-30 Thread paul . jc
One more update:   I edited /etc/openldap/ldap.conf to test TLS_CACERT 
/etc/openldap/certs/ca.crt and it works with that config.   I also re-read the 
documentation and clarified for myself that if either of these (TLS_CACERT or 
TLS_CACERTDIR) are NOT set in ldap.conf, that is when the system certs are 
used, so I believe I definitely want this set in ldap.conf.  I suppose the 
question now is why didn't this work for me with TLS_CACERTDIR but does with 
TLS_CACERT?


Re: ldap_start_tls: Connect error - self signed certificate in certificate chain

2020-09-30 Thread paul . jc
Update:  
Commenting out this line in /etc/openldap/ldap.conf seems to fix it.

#TLS_CACERTDIR  /etc/openldap/certs

I see now I missed the ldap.conf.rpmnew file after upgrade which by default has 
TLS_CACERT commented out. 
I still am having trouble understanding why this worked before but not after 
upgrade (assuming related to moznss but not certain).  Can someone help explain 
the use of TLS_CACERTDIR or TLS_CACERT in the ldap.conf file vs being applied 
via ldif (as I have done and is noted above)?   Does setting the parameter in 
ldap.conf mean the shared system certs are used?  The documentation is 
confusing me.  Thanks.


ldap_start_tls: Connect error - self signed certificate in certificate chain

2020-09-30 Thread paul . jc
Hello, 

I have recently upgraded from openldap 2.4.45 to 2.5.53. 
I am running into one issue when running ldapsearch with StartTLS locally on 
the openldap servers. I get the following error, whereas I did not prior to the 
upgrade. 
Any input/suggestions welcome.

$ ldapsearch -ZZ -LLL -H ldap:// -x -D "cn=admin, dc=:636  
(same result with openssl s_client -connect :389 -starttls ldap):
This shows return code of 0 (ok): 
--
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2

Verify return code: 0 (ok)
--

-Ran openssl s_client -verify 3 -connect localhost:636 (and with hostname as 
well) and openssl s_client -showcerts -connect localhost:636. Both return code 
0 (ok): 
Verify return code: 0 (ok)

-Checked the certs: 
openssl verify -verbose -x509_strict -CAfile ca.crt slapd.crt
slapd.crt: OK

-Here is our cert config: 
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt
olcTLSCertificateFile: /etc/openldap/certs/slapd.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/slapd.key

For reference, here is the debug output when running the same ldapsearch 
command locally on the server on our previous version (2.4.45 with moznss) and 
the same cert is validated.  

--
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' 
certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=*,OU=Domain Control Validated] is valid
TLS certificate verification: subject: CN=*,OU=Domain Control 
Validated, issuer: CN=Go Daddy Secure Certificate Authority - 
G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, 
Inc.",L=Scottsdale,ST=Arizona,C=US, cipher: AES-256-GCM, security level: high, 
secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, 
cache not reusable: 0
ldap_sasl_bind
--


Any suggestions are appreciated. 
Thanks.  
Paul


Re: ldap_start_tls: Connect error - self signed certificate in certificate chain

2020-09-30 Thread Quanah Gibson-Mount




--On Wednesday, September 30, 2020 11:47 PM + paul...@yahoo.com wrote:


One more update:   I edited /etc/openldap/ldap.conf to test TLS_CACERT
/etc/openldap/certs/ca.crt and it works with that config.   I also
re-read the documentation and clarified for myself that if either of
these (TLS_CACERT or TLS_CACERTDIR) are NOT set in ldap.conf, that is
when the system certs are used, so I believe I definitely want this set
in ldap.conf.  I suppose the question now is why didn't this work for me
with TLS_CACERTDIR but does with TLS_CACERT?


With OpenSSL, the CA Cert directory needs to contain relevant hashes for 
each CA cert if you want to use the TLS_CACERTDIR setting.  I don't know 
whether or not your CA directory contains those.


I would note that (at least for RHEL7), RedHat kept a moznss "bridge" patch 
so that the certificate code would continue to work as it did with moznss. 



Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



TLS issue with self-signed certificate

2012-11-09 Thread Luc MAIGNAN

Hi,

I want to setup a LDAPS connection with a self signed certificate.

Unfortunately, I have the following error:

Peer's certificate issuer has been marked as not trusted by the user

I tried to trust it with: certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt

But it doesn't change anything.

Does someone have an idea for me?

Best regards



Re: TLS issue with self-signed certificate

2012-11-09 Thread Rich Megginson

On 11/09/2012 06:08 AM, Luc MAIGNAN wrote:

Hi,

I want to setup a LDAPS connection with a self signed certificate.

Unfortunately, I have the following error:

Peer's certificate issuer has been marked as not trusted by the user

I tried to trust it with: certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt

But it doesn't change anything.

Does someone have an idea for me?


What is your platform?  What is your openldap version?  Are you using 
openldap for client, server, or both?




Best regards





Re: TLS issue with self-signed certificate

2012-11-09 Thread Luc MAIGNAN

On 09/11/2012 15:29, Rich Megginson wrote:

On 11/09/2012 06:08 AM, Luc MAIGNAN wrote:

Hi,

I want to setup a LDAPS connection with a self signed certificate.

Unfortunately, I have the following error:

Peer's certificate issuer has been marked as not trusted by the user

I tried to trust it with: certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt

But it doesn't change anything.

Does someone have an idea for me?


What is your platform?  What is your openldap version?  Are you using 
openldap for client, server, or both?




Best regards




I use openLDAP for both client and server.
My system is a Fedora 17, openldap 2.4.33

I think that the top problem is this one: TLS: cannot open certdb 
'/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error

Idea ?

BR


Re: TLS issue with self-signed certificate

2012-11-09 Thread Rich Megginson

On 11/09/2012 07:37 AM, Luc MAIGNAN wrote:

On 09/11/2012 15:29, Rich Megginson wrote:

On 11/09/2012 06:08 AM, Luc MAIGNAN wrote:

Hi,

I want to setup a LDAPS connection with a self signed certificate.

Unfortunately, I have the following error:

Peer's certificate issuer has been marked as not trusted by the user

I tried to trust it with: certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt

But it doesn't change anything.

Does someone have an idea for me?


What is your platform?  What is your openldap version?  Are you using 
openldap for client, server, or both?




Best regards




I use openLDAP for both client and server.
My system is a Fedora 17, openldap 2.4.33

I think that the top problem is this one: TLS: cannot open certdb 
'/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error

Idea ?


Is that error from the client or server?
check for permissions - ls -al /etc/openldap/cacerts
certutil -d /etc/openldap/cacerts -L



BR




Re: TLS issue with self-signed certificate

2012-11-09 Thread Luc MAIGNAN

On 09/11/2012 15:51, Rich Megginson wrote:

On 11/09/2012 07:37 AM, Luc MAIGNAN wrote:

On 09/11/2012 15:29, Rich Megginson wrote:

On 11/09/2012 06:08 AM, Luc MAIGNAN wrote:

Hi,

I want to setup a LDAPS connection with a self signed certificate.

Unfortunately, I have the following error:

Peer's certificate issuer has been marked as not trusted by the user

I tried to trust it with: certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt

But it doesn't change anything.

Does someone have an idea for me?


What is your platform?  What is your openldap version?  Are you 
using openldap for client, server, or both?




Best regards




I use openLDAP for both client and server.
My system is a Fedora 17, openldap 2.4.33

I think that the top problem is this one: TLS: cannot open certdb 
'/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error

Idea ?


Is that error from the client or server?
check for permissions - ls -al /etc/openldap/cacerts
certutil -d /etc/openldap/cacerts -L



BR



all in /etc/openldap is owned by ldap

certutil -d /etc/openldap/cacerts -L gives

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,,



Re: TLS issue with self-signed certificate

2012-11-09 Thread Rich Megginson

On 11/09/2012 08:09 AM, Luc MAIGNAN wrote:

On 09/11/2012 15:51, Rich Megginson wrote:

On 11/09/2012 07:37 AM, Luc MAIGNAN wrote:

On 09/11/2012 15:29, Rich Megginson wrote:

On 11/09/2012 06:08 AM, Luc MAIGNAN wrote:

Hi,

I want to setup a LDAPS connection with a self signed certificate.

Unfortunately, I have the following error:

Peer's certificate issuer has been marked as not trusted by the user

I tried to trust it with: certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt

But it doesn't change anything.

Does someone have an idea for me?


What is your platform?  What is your openldap version?  Are you 
using openldap for client, server, or both?




Best regards




I use openLDAP for both client and server.
My system is a Fedora 17, openldap 2.4.33

I think that the top problem is this one: TLS: cannot open certdb 
'/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error

Idea ?


Is that error from the client or server?
check for permissions - ls -al /etc/openldap/cacerts
certutil -d /etc/openldap/cacerts -L



BR



all in /etc/openldap is owned by ldap

certutil -d /etc/openldap/cacerts -L gives

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,,


Can you provide the output of
LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b 
showing the attempt to open the key/cert db in /etc/openldap/cacerts?


Re: self signed certificate

2010-11-22 Thread Márcio Luciano Donada
On 21/11/2010 22:36, Howard Chu wrote:
 No, the software will accept whatever you tell it to use, if you
 configure it appropriately.
 

which is the way to own a set? What documentation should I follow?

-- 
Márcio Luciano Donada mdonada -at- auroraalimentos -dot- com -dot- br
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.


Re: self signed certificate

2010-11-22 Thread c0re
2010/11/22 Márcio Luciano Donada mdon...@auroraalimentos.com.br:
 On 21/11/2010 22:36, Howard Chu wrote:
 No, the software will accept whatever you tell it to use, if you
 configure it appropriately.


 which is the way to own a set? What documentation should I follow?

 --
 Márcio Luciano Donada mdonada -at- auroraalimentos -dot- com -dot- br
 Aurora Alimentos - Cooperativa Central Oeste Catarinense
 Departamento de T.I.

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
http://www.openldap.org/faq/data/cache/185.html


Re: self signed certificate

2010-11-22 Thread Mauricio Tavares

On 11/21/2010 07:36 PM, Howard Chu wrote:

Dieter Klünter wrote:

Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:

Hi list,
When using TLS, I have information that I'm using a self-signed
certificate, as shown below:

# ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
ldaps://121.1.1.97/ '(objectclass=*)'
ldap_url_parse_ext(ldaps://121.1.1.97/)
ldap_create
ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 121.1.1.97:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 121.1.1.97:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br,
issuer:
-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


OpenLDAP is quite picky about correct certificate chains.


No, the software will accept whatever you tell it to use, if you
configure it appropriately.

Agreed. I had to put together a test setup to convince myself first, 
but now it makes sense to me. =)



You really should create a full certificate chain, that is, a ca, a
server certificate and a server key.


But yes, the Project always recommends that you do the right thing.

One thing I was wondering here is if his ldap is only accessible from 
within one location (i.e. no subnets physically separated that need to 
authenticate against this ldap server), self signed would not be a bad 
idea.


Otherwise, there is always cacert.org. That said, using the latter could 
make it a bit simpler (at the expense of having to renew the cert more 
often) as the CA is available and easy to deploy to other machines.


Re: self signed certificate

2010-11-21 Thread Howard Chu

Dieter Klünter wrote:

  Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:

Hi list,
When using TLS, I have information that I'm using a self-signed
certificate, as shown below:

# ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
ldaps://121.1.1.97/ '(objectclass=*)'
ldap_url_parse_ext(ldaps://121.1.1.97/)
ldap_create
ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 121.1.1.97:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 121.1.1.97:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


OpenLDAP is quite picky about correct certificate chains.


No, the software will accept whatever you tell it to use, if you configure it 
appropriately.



You really should create a full certificate chain, that is, a ca, a server 
certificate and a server key.


But yes, the Project always recommends that you do the right thing.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: self signed certificate

2010-11-20 Thread Dieter Klünter
 Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
 Hi list,
 When using TLS, I have information that I'm using a self-signed
 certificate, as shown below:
 
 # ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
 ldaps://121.1.1.97/ '(objectclass=*)'
 ldap_url_parse_ext(ldaps://121.1.1.97/)
 ldap_create
 ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
 ldap_sasl_bind
 ldap_send_initial_request
 ldap_new_connection 1 1 0
 ldap_int_open_connection
 ldap_connect_to_host: TCP 121.1.1.97:636
 ldap_new_socket: 3
 ldap_prepare_socket: 3
 ldap_connect_to_host: Trying 121.1.1.97:636
 ldap_pvt_connect: fd: 3 tm: -1 async: 0
 TLS trace: SSL_connect:before/connect initialization
 TLS trace: SSL_connect:SSLv2/v3 write client hello A
 TLS trace: SSL_connect:SSLv3 read server hello A
 TLS certificate verification: depth: 0, err: 18, subject:
 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
 -State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
 TLS certificate verification: Error, self signed certificate
 TLS trace: SSL3 alert write:fatal:unknown CA
 TLS trace: SSL_connect:error in SSLv3 read server certificate B
 TLS trace: SSL_connect:error in SSLv3 read server certificate B
 TLS: can't connect: error:14090086:SSL
 routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
 signed certificate).
 ldap_err2string
 ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OpenLDAP is quite picky about correct certificate chains.
You really should create a full certificate chain, that is, a ca, a server 
certificate and a server key.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6



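Two points in these threads are worth seeing end to end: Dieter's and Howard's advice to build a full chain (a CA, a server certificate signed by it, and a server key) rather than hand the client a self-signed server certificate, and Quanah's note that an OpenSSL TLS_CACERTDIR only works when the directory carries a subject-hash link for each CA certificate. The script below is an added example, not code from any message in this thread or from the OpenLDAP project. It assumes the openssl command-line tool is available; the CA name, hostname, file names and the scratch directory are all constructed for the example. It generates a throwaway CA and server certificate, shows that the self-signed certificate fails verification while the CA-signed one passes against the CA file (the TLS_CACERT shape), then shows that a directory containing ca.crt only starts working as a TLS_CACERTDIR once the HASH.0 links exist. The hashing loop spells out what c_rehash / openssl rehash normally do.

```shell
#!/bin/sh
# Added example, not code from any message in this thread. It builds a
# throwaway CA, a server certificate signed by it (the "full chain" the
# thread recommends), and a self-signed certificate for contrast, then
# checks each the way TLS_CACERT (a CA file) and TLS_CACERTDIR (a hashed
# directory) would. All names and paths are constructed for the example.
set -eu

# Create ca.crt/ca.key, slapd.crt/slapd.key signed by that CA, and a
# self-signed selfsigned.crt whose issuer is itself.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/slapd.key" -out "$dir/slapd.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/slapd.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/slapd.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
}

# OpenSSL finds CA certs in a -CApath / TLS_CACERTDIR directory through
# symlinks named <subject_hash>.<n>, not through the .crt file names.
# This is what c_rehash / "openssl rehash" do; spelled out here so the
# lookup rule is visible.
hash_cadir() {
    cadir="$1"
    for cert in "$cadir"/*.crt "$cadir"/*.pem; do
        [ -f "$cert" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$cert")
        n=0
        while [ -e "$cadir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$cadir/$h.$n"
    done
}

# Succeeds only if every CA cert in the directory has its hash link,
# i.e. the directory is usable as TLS_CACERTDIR.
check_cadir() {
    cadir="$1"
    for cert in "$cadir"/*.crt "$cadir"/*.pem; do
        [ -f "$cert" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$cert")
        [ -e "$cadir/$h.0" ] || return 1
    done
    return 0
}

# The two trust-store shapes ldap.conf can point at.
verify_with_file() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # TLS_CACERT
verify_with_dir()  { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }   # TLS_CACERTDIR

demo() {
    w="$1"
    make_chain "$w"
    mkdir -p "$w/cadir"
    cp "$w/ca.crt" "$w/cadir/"

    verify_with_file "$w/ca.crt" "$w/slapd.crt" \
        && echo "CA-signed slapd.crt verifies against ca.crt (TLS_CACERT)"
    verify_with_file "$w/ca.crt" "$w/selfsigned.crt" \
        || echo "selfsigned.crt rejected: its issuer is not a trusted CA (depth 0 error)"

    verify_with_dir "$w/cadir" "$w/slapd.crt" \
        || echo "unhashed cadir fails: the CA file is present but not findable"
    hash_cadir "$w/cadir"
    check_cadir "$w/cadir" && ls -l "$w/cadir"
    verify_with_dir "$w/cadir" "$w/slapd.crt" \
        && echo "hashed cadir verifies slapd.crt (TLS_CACERTDIR)"
}

demo "$(mktemp -d)"
```

Run it with `sh` and compare the two directory checks: the same ca.crt in the same directory is invisible to `-CApath` until the hash link exists, which is the difference between the TLS_CACERTDIR and TLS_CACERT outcomes reported at the top of the thread. `check_cadir` is the test to run against a directory before pointing ldap.conf at it.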