Hi Neethiraj,

Following is the output of the above command. Sorry, I have changed the domain name
to example.com.


CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com

 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
Server certificate
subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
No client certificate CA names sent
---
SSL handshake has read 2368 bytes and written 663 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID:
634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
    Session-ID-ctx:
    Master-Key:
84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1444161895
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE


On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <
sneethi...@hortonworks.com> wrote:

> Aneela:
>
>
> To verify the certificate (chain), can you run the following command and
> send us the output of the command ?
>
>
> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>
>
>
> Thanks,
>
> Selva-
>
> From: Aneela Saleem <ane...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Monday, October 5, 2015 at 1:16 PM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> No, there are no intermediate certificates. No, I'm not using the same trust
> store for performing ldapsearch. I'm using the
> *TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file.
>
> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <
> spolavar...@hortonworks.com> wrote:
>
>> Are there any intermediate certs? If so, are they also added in the trust
>> store?
>> And just to make sure, in the ldap configuration, are you using same
>> trust store for performing ldapsearch?
>>
>>
>> From: Aneela Saleem
>> Reply-To: "user@ranger.incubator.apache.org"
>> Date: Sunday, October 4, 2015 at 10:15 AM
>>
>> To: "user@ranger.incubator.apache.org"
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> Is there any issue with JAVA keystore?
>>
>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com>
>> wrote:
>>
>>> Yes, the following command works fine:
>>>
>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
>>> ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub
>>> 'cn=aneela'
>>>
>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org>
>>> wrote:
>>>
>>>> It is surprising that it will just stop working. Are you able to do
>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>> the OpenLDAP side?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>
>>>> To: <user@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> I also checked it on another machine. The same issue is there.
>>>>
>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com>
>>>> wrote:
>>>>
>>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated
>>>>> a new one. Still the same issue.
>>>>>
>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Aneela,
>>>>>> Please check whether the certificate has expired.
>>>>>> Dilli
>>>>>>
>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Bosco
>>>>>>>
>>>>>>>
>>>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>> To: <user@ranger.incubator.apache.org>
>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>
>>>>>>> It was working fine one month ago. But now the same issue has
>>>>>>> occurred.
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <
>>>>>>> ane...@platalytics.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I followed all the following steps i.e.,
>>>>>>>>
>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>
>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem
>>>>>>>> -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>
>>>>>>>> Add the java option
>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036
>>>>>>>> /ranger-usersync/userSyncCAcerts
>>>>>>>> To
>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>
>>>>>>>> Where it invokes java command like the following
>>>>>>>>
>>>>>>>> nohup java 
>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>  . . .
>>>>>>>>
>>>>>>>>
>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>>>>> validation issues. Following are the logs:
>>>>>>>>
>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>> Starting User Sync Service!
>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>> Enabling Unix Auth Service!
>>>>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>> initializing sink:
>>>>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to load
>>>>>>>> native-hadoop library for your platform... using builtin-java classes 
>>>>>>>> where
>>>>>>>> applicable
>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>> Enabling Protocol: [SSLv2Hello]
>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>> Enabling Protocol: [TLSv1]
>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>> Enabling Protocol: [TLSv1.1]
>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>> Enabling Protocol: [TLSv1.2]
>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>> initializing source:
>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>> Begin: initial load of user/group from source==>sink
>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>> [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] -
>>>>>>>> Failed to initialize UserGroup source/sink. Will retry after 21600000
>>>>>>>> milliseconds. Error details:
>>>>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>>>>> platalytics.com:636 [Root exception is
>>>>>>>> javax.net.ssl.SSLHandshakeException:
>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>> find
>>>>>>>> valid certification path to requested target]
>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>> at
>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>> at
>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>> at
>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>> at
>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>> at
>>>>>>>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>> at
>>>>>>>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>> at
>>>>>>>> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>> at
>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>> at
>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>> at
>>>>>>>> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>> find
>>>>>>>> valid certification path to requested target
>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>> at
>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>> at
>>>>>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>> at
>>>>>>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>> at
>>>>>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>> at
>>>>>>>> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>> at
>>>>>>>> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>> ... 14 more
>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>>>>>>>> building failed:
>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>> find
>>>>>>>> valid certification path to requested target
>>>>>>>> at
>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>> at
>>>>>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>> at
>>>>>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>> at
>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>> at
>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>> at
>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>> ... 27 more
>>>>>>>> Caused by:
>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>>>>>>>> find
>>>>>>>> valid certification path to requested target
>>>>>>>> at
>>>>>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>> at
>>>>>>>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>> at
>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>> ... 33 more
>>>>>>>>
>>>>>>>> And following is the output of nohup command:
>>>>>>>>
>>>>>>>> Host key verification failed.
>>>>>>>>
>>>>>>>> Can someone please help me figure out the issue?
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
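A small diagnostic for the question the thread keeps circling (is a certificate from the chain the LDAPS server presents actually in the usersync truststore?), added here as an example and not part of the thread. It parses the `openssl s_client -showcerts` output shown above and a PEM export of the truststore (assumed to come from `keytool -list -rfc -keystore userSyncCAcerts`), and matches certificates by SHA-256 fingerprint of their DER bytes; the certificate bodies in the sample are constructed placeholders, not real DER.

```python
import base64
import hashlib
import re

# Matches each PEM block and each " N s:<subject>" / "   i:<issuer>" header
# pair that "openssl s_client -showcerts" prints in front of a block.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ENTRY_RE = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.M)


def fingerprint(pem_body):
    """SHA-256 over the DER bytes, the same value keytool -list reports."""
    return hashlib.sha256(base64.b64decode("".join(pem_body.split()))).hexdigest()


def parse_showcerts(text):
    """Pair every s:/i: header with the PEM block that follows it."""
    headers = ENTRY_RE.findall(text)
    pems = PEM_RE.findall(text)
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(),
             "sha256": fingerprint(p)} for (d, s, i), p in zip(headers, pems)]


def diagnose(showcerts_text, truststore_pem):
    """Which presented certs are in the truststore, and is the chain anchored there?"""
    trusted = {fingerprint(p) for p in PEM_RE.findall(truststore_pem)}
    chain = parse_showcerts(showcerts_text)
    top = chain[-1]
    in_store = [c["sha256"] in trusted for c in chain]
    # If no presented cert is in the store, PKIX can only succeed when the
    # store holds the top cert's issuer; a fingerprint match cannot show that,
    # so a self-signed top cert that is absent means the chain is unanchored.
    return {"in_truststore": in_store,
            "top_self_signed": top["subject"] == top["issuer"],
            "anchored": any(in_store)}


def fake_pem(label):
    """Constructed stand-in for a certificate: any bytes fingerprint the same way."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: the chain from the thread (leaf issued by a self-signed CA)
# and an older, regenerated leaf that a stale truststore might still hold.
LEAF, CA, OLD_LEAF = fake_pem("leaf-v2"), fake_pem("ca"), fake_pem("leaf-v1")
SAMPLE_SHOWCERTS = (
    "Certificate chain\n"
    " 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com\n"
    "   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com\n" + LEAF +
    " 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com\n"
    "   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com\n" + CA
)
```

Run against real input, feed it the saved `s_client -showcerts` output and the `keytool -list -rfc` export; a report with no entry in `in_truststore` set to true is the PKIX "unable to find valid certification path" situation from the log.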
