Re: can't use godaddy SSL cert

I have also revised my /etc/ldap.conf on the client to read:

uri ldaps://LBSD2.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

I have also tried using

uri ldap://LBSD2.summitnjhome.com/

with the same results as before.

thanks again.

On Sun, Nov 28, 2010 at 1:49 PM, bluethundr wrote:
> Hi Eric,
>
> Sorry I am clear on that now. I have tried the -h value that matches
> the one in the cert, but I get the same result, unfortunately:
>
> [r...@vircent03:~]#ldapsearch -h LBSD2.summitnjhome.com -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Enter LDAP Password:
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> [r...@vircent03:~]#openssl s_client -connect LBSD2.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
> 10504:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
> 10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 10504:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(0003)
> 10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> Thanks again for following up!
>
> On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard wrote:
>> On 28/11/10 18.51, bluethundr wrote:
>>
>>> Yes the hostname is in the CN of the cert file. So I agree that -h is
>>> not the issue. :)
>>> [r...@vircent03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>>
>> Maybe I didn't make myself clear: the host name you use to connect to (-h),
>> in your command line example above, ldap, must be the same as the CN of the
>> server certificate. It is irrelevant if the server's hostname is the same as
>> the CN.
>>
>> That might be why you get
>>
>>> ldap_start_tls: Connect error (-11)
>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Try
>>
>> -h LBSD2.summitnjhome.com
>>
>> BR, Erik
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: can't use godaddy SSL cert

Hi Eric,

Sorry I am clear on that now. I have tried the -h value that matches the one
in the cert, but I get the same result, unfortunately:

[r...@vircent03:~]#ldapsearch -h LBSD2.summitnjhome.com -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[r...@vircent03:~]#openssl s_client -connect LBSD2.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
10504:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
10504:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
10504:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(0003)
10504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Thanks again for following up!

On Sun, Nov 28, 2010 at 1:23 PM, Erik Norgaard wrote:
> On 28/11/10 18.51, bluethundr wrote:
>
>> Yes the hostname is in the CN of the cert file. So I agree that -h is
>> not the issue. :)
>> [r...@vircent03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
>
> Maybe I didn't make myself clear: the host name you use to connect to (-h),
> in your command line example above, ldap, must be the same as the CN of the
> server certificate. It is irrelevant if the server's hostname is the same as
> the CN.
>
> That might be why you get
>
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Try
>
> -h LBSD2.summitnjhome.com
>
> BR, Erik

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
Re: can't use godaddy SSL cert

On 28/11/10 18.51, bluethundr wrote:

> Yes the hostname is in the CN of the cert file. So I agree that -h is
> not the issue. :)
> [r...@vircent03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W

Maybe I didn't make myself clear: the host name you use to connect to (-h),
in your command line example above, ldap, must be the same as the CN of the
server certificate. It is irrelevant if the server's hostname is the same as
the CN.

That might be why you get

> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Try

-h LBSD2.summitnjhome.com

BR, Erik
Re: can't use godaddy SSL cert

Hi Eric and John

Thanks for your input..

> As mentioned in my previous mail, there is no need to specify
> TLSCACertificateFile in slapd.conf unless your server will request client
> certificate for authentication. Nor is there any point in trying multiple
> files, you can concatenate the CA certificates into a single file.

I have removed TLSCACertificateFile from slapd and now recognize that this
directive is only needed on the client side. Thanks for cluing me into that.

And here is my /etc/ldap.conf file on the CentOS 5.5 client:

[r...@vircent03:~]#cat /etc/ldap.conf
host 192.168.1.44
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
TLS_CACERT /etc/openldap/cacerts/gd_sf_all.crt

And here are the contents of the cacerts directory on the CentOS 5.5 client:

[r...@vircent03:~]#ls -l /etc/openldap/cacerts/
total 36
-r--r--r-- 1 root root 27529 Nov 28 12:10 all.crt
lrwxrwxrwx 1 root root     7 Nov 28 12:20 b737b221.0 -> all.crt

And this is the way that nsswitch is set up on the CentOS client:

passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap

I have revised the location of the cert files on the server noted in
slapd.conf in order to separate out the certs from the cacerts. This is just
to organize things a little more neatly.

## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/slapd.pem

And here are the contents of the /usr/local/etc/openldap/certs directory,
also on the server, that is referenced in the TLS lines in slapd.conf:

-r--r--r-- 1 root ldap 2309 Nov 26 18:52 LBSD2.summitnjhome.com.crt
dr--r--r-- 3 root ldap  512 Nov 28 03:32 bak
drwxr-xr-x 2 root ldap  512 Nov 28 03:26 cacerts
-r--r--r-- 1 root ldap 2309 Nov 26 18:53 slapd.crt
-r--r--r-- 1 root ldap 1781 Nov 26 18:36 slapd.csr
-r--r--r-- 1 root ldap 3311 Nov 26 18:35 slapd.key
-r--r--r-- 1 root ldap 3243 Nov 26 18:54 slapd.pem

Here is the location of the cacert file on the server that the
/etc/ldap.conf file on the client references:

LBSD2# ls -l /usr/local/etc/openldap/certs/cacerts
-r--r--r-- 1 root ldap 27529 Nov 28 15:49 all.crt

The all.crt file is the result of concatenating these files together:

all.crt
gdroot-g2.crt
sf_issuing.crt
ca_bundle.crt
sf_bundle.crt
sfroot-g2.crt
gd_bundle.crt
sf-class2-root.crt
sfsroot.crt
gd-class2-root.crt
sf_cross_intermediate.crt
sfsroot-g2.crt
gd_intermediate.crt
sf_intermediate.crt

Here is where the testing begins:

[r...@vircent03:~]#openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
10073:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
10073:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
10073:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(0003)
10073:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
CONNECTED(0003)
10065:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

As you can see I have provided openssl the full path to the all.crt file on
the server and am still receiving a handshake failure. It looks like

> No. I assume that your hostname is the CN indicated above, so your -h is not
> the issue. When you do -ZZ then ldapsearch will fail if it cannot validate
> the certificate. You can try with a single -Z to see if it works.

Yes the hostname is in the CN of the cert file. So I agree that -h is not the
issue. :)

When I try to turn on LDAP with tls on a centos machine, getent freezes when
it tries to access the information in ldap: I have scp'd the cert file to the
right location on the centos machine (/etc/openldap/cacerts)

Here's what happens when I try to connect using openssl s_client from a
remote machine (CentOS):

[r...@lcent01 ~]# LBSD2# openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/gd_sf_all.crt
-bash: LBSD2#: command not found
[r...@lcent01 ~]# openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/gd_sf_all.crt
4299:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/gd_sf_all.crt','r')
4299:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
4299:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(0003)
4299:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
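Two things in the configuration quoted above are worth a second look, and the fragments below are an added suggestion (not the poster's files or any project's reference config). First, the client /etc/ldap.conf points TLS_CACERT at /etc/openldap/cacerts/gd_sf_all.crt, but the directory listing right after it shows only all.crt (plus its hash symlink b737b221.0), so the client is told to trust a bundle it cannot open; every -CAfile argument in the s_client attempts likewise names a path that exists only on the FreeBSD server. Second, on CentOS 5 the libldap tools (ldapsearch) read TLS_CACERT from /etc/openldap/ldap.conf, while nss_ldap and pam_ldap read /etc/ldap.conf and use the lowercase tls_cacertfile / tls_checkpeer keys, so the two files need to agree. Third, the server's TLSCipherSuite HIGH:MEDIUM:+SSLv2 keeps the SSLv2-era suites in the list (a leading + only moves them to the end); excluding them and setting a protocol floor is the safer shape. TLSProtocolMin is a slapd.conf directive in the 2.4 series; whether the 2.4.23 build on the page accepts it is an assumption.

```conf
# --- server: /usr/local/etc/openldap/slapd.conf, TLS section (suggested) ---
# as posted:  TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCipherSuite        HIGH:!aNULL:!MD5:!SSLv2
TLSProtocolMin        3.1          # 3.1 = TLS 1.0 minimum (assumed supported)
TLSCertificateFile    /usr/local/etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/slapd.pem
# TLSCACertificateFile is only needed if slapd must verify client certificates

# --- client: /etc/openldap/ldap.conf (read by libldap: ldapsearch etc.) ---
# as posted in /etc/ldap.conf:  TLS_CACERT /etc/openldap/cacerts/gd_sf_all.crt
# the listing shows only all.crt, so point at the file that exists
TLS_CACERT  /etc/openldap/cacerts/all.crt
TLS_REQCERT demand                 # refuse to continue if the chain fails

# --- client: /etc/ldap.conf (read by nss_ldap / pam_ldap on CentOS 5) ---
# the name connected to must match the certificate CN, so use it, not the IP
uri ldap://LBSD2.summitnjhome.com/
base dc=summitnjhome,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/all.crt
# sudoers_base, scope, pam_password and the nss_base_* lines stay as posted
```

With TLS_REQCERT demand and tls_checkpeer yes, a missing or unreadable CA bundle fails loudly instead of hanging getent, which is the symptom described above.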
Re: can't use godaddy SSL cert

Don't know if this applies, but I had to install the intermediate cert to get
the godaddy Certs to work. You can download it from the gd website.

--
John

Sent from my iPhone, so may be a bit brief.

On Nov 25, 2010, at 11:26, bluethundr wrote:

> Hey list,
>
> I was having a similar SSL/openLDAP problem to this last week. I had
> a chance to look at this again today and it still appears to not be
> working. I called godaddy and had the last cert cancelled and reissued
> as I had mistyped the name of the CN on the last one.
>
> I am trying to set up a Godaddy turbo SSL certificate with an openLDAP
> 2.4 server under FreeBSD 8.1.
>
> [r...@lbsd2:/usr/home/bluethundr]#pkg_info | grep openldap
> openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
>
> I have set up the certificate chain in my slapd.conf like so:
>
> [r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap       4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap       1537 Nov 25 02:00 sf_issuing.crt
>
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(0003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
>   15 03 01 00 02 02 30   ..0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
>
> does anyone have any suggestions on how to make this work?
>
> thanks!
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
Re: can't use godaddy SSL cert

On 25/11/10 17.26, bluethundr wrote:

> I have set up the certificate chain in my slapd.conf like so:
>
> [r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r----- 1 root ldap       4604 Nov 24 18:57 gd_bundle.crt
> -r--r----- 1 root ldap       1537 Nov 25 02:00 sf_issuing.crt

As mentioned in my previous mail, there is no need to specify
TLSCACertificateFile in slapd.conf unless your server will request client
certificate for authentication. Nor is there any point in trying multiple
files, you can concatenate the CA certificates into a single file. Since
these are certificates you can leave global read access.

> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
>
> [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(0003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Can't find sf_issuing.crt, well, from your CWD it appears that the
certificate is not found in that path.

> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>
> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
>   15 03 01 00 02 02 30   ..0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...
>
> does anyone have any suggestions on how to make this work?

No. I assume that your hostname is the CN indicated above, so your -h is not
the issue. When you do -ZZ then ldapsearch will fail if it cannot validate
the certificate. You can try with a single -Z to see if it works.

You have not included your ldap.conf above, the ldapsearch reads ldap.conf,
including where to find any ca certificates. Either you have not installed
the godaddy CA certificate or not updated your ldap.conf accordingly.

BR, Erik
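The failure in this thread has two layers that the messages above identify separately: the ldapsearch trace reports verify error 20, "unable to get local issuer certificate", and then sends an "unknown CA" alert, which is what a client sees when the issuing intermediate John mentions is not in its trust bundle; and the openssl s_client attempts never get that far because, as Erik notes, the -CAfile path does not exist where the command is run. The script below is an added example, not code from any poster or from OpenLDAP: it builds a throwaway root -> intermediate -> leaf hierarchy with constructed names (ldap.example.test and friends) in a temporary directory, then uses openssl verify to show the leaf failing against the root alone, failing when the CA file is missing, passing against a concatenated intermediate+root bundle (the single file Erik suggests), and finally passing or failing the hostname check depending on whether the name used matches the certificate, which is the point of Erik's later -h advice. It assumes the openssl command-line tool is installed (1.1.0 or newer for -verify_hostname).

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the two failures discussed
# above offline with a throwaway CA hierarchy (all names/paths constructed):
#   1. the leaf's issuer (the intermediate CA) is absent from the CA file
#      -> "unable to get local issuer certificate" (verify error 20)
#   2. the -CAfile path does not exist on the host running the check
# and shows that a bundle of intermediate + root, plus the right host name,
# verifies cleanly. Assumes the openssl CLI is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_key_and_csr NAME SUBJECT: private key and CSR for one certificate
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Root CA: self-signed; extensions come from an extfile so CA:TRUE is explicit
new_key_and_csr root "/CN=Constructed Test Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1

# Intermediate CA, signed by the root (the piece a public CA ships separately)
new_key_and_csr inter "/CN=Constructed Test Intermediate CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.crt" >/dev/null 2>&1

# Server (leaf) certificate for the LDAP host, signed by the intermediate
new_key_and_csr leaf "/CN=ldap.example.test"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.test\n' \
    > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1

# The one bundle a client should point TLS_CACERT / -CAfile at: intermediate + root
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/all.crt"

# chain_status CAFILE LEAF: prints OK if LEAF chains to a cert in CAFILE, else FAIL
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# hostname_status CAFILE HOST LEAF: chain check plus the name the client connects
# with (what ldapsearch -h / s_client -connect use) against the certificate
hostname_status() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# show ARGS...: run openssl verify once more with its output visible
show() {
    printf '$ openssl verify %s\n' "$*"
    openssl verify "$@" 2>&1 || true
    echo
}

show -CAfile "$WORK/root.crt" "$WORK/leaf.crt"              # error 20: intermediate missing
show -CAfile "$WORK/does-not-exist.crt" "$WORK/leaf.crt"    # CA file not on this host
show -CAfile "$WORK/all.crt" "$WORK/leaf.crt"               # OK with the bundle
show -CAfile "$WORK/all.crt" -verify_hostname ldap "$WORK/leaf.crt"               # wrong name
show -CAfile "$WORK/all.crt" -verify_hostname ldap.example.test "$WORK/leaf.crt"  # OK
```

Run it with sh. The bundle it writes is the shape of file the client's TLS_CACERT (or the -CAfile given to openssl s_client) should name, and that file has to exist on the client's own filesystem, not only under /usr/local/etc/openldap on the server.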
can't use godaddy SSL cert

Hey list,

I was having a similar SSL/openLDAP problem to this last week. I had a chance
to look at this again today and it still appears to not be working. I called
godaddy and had the last cert cancelled and reissued as I had mistyped the
name of the CN on the last one.

I am trying to set up a Godaddy turbo SSL certificate with an openLDAP 2.4
server under FreeBSD 8.1.

[r...@lbsd2:/usr/home/bluethundr]#pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation

I have set up the certificate chain in my slapd.conf like so:

[r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt

I have tried each of the following certs with no luck in getting my cert to
talk to its CA:

-rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
-r--r----- 1 root ldap       4604 Nov 24 18:57 gd_bundle.crt
-r--r----- 1 root ldap       1537 Nov 25 02:00 sf_issuing.crt

and I get the same result for each when I attempt to connect to SSL on the
LDAP server:

[r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(0003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"

TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  15 03 01 00 02 02 30   ..0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It seems to indicate that it can't talk to its CA...

does anyone have any suggestions on how to make this work?

thanks!

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3