LinuxQuestions.org > Linux - Security > TLS Error with LDAP Cert (https://www.linuxquestions.org/questions/linux-security-4/tls-error-with-ldap-cert-4175491417/)

tkinsella 01-15-2014 04:33 PM

TLS Error with LDAP Cert
 
Hello all,

I am trying to enable TLS on our LDAP server.

When I test with the server I get :

Code:

ldapsearch  -x -b "dc=example,dc=com" -ZZ
# search result
search: 3
result: 0 Success

# numResponses: 41
# numEntries: 40

When I test on a client machine I get :

Code:

ldapsearch  -x -b "dc=example,dc=com" -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

What am I doing wrong? I can provide anything you need to troubleshoot further...


Thanks!

Ser Olmy 01-15-2014 09:28 PM

The error message says it all: The certificate issuer is not in the list of trusted certificate authorities on the client system.

How did you obtain or generate the certificate?

vishesh 01-16-2014 04:30 AM

Also ensure the CN of your server certificate matches the actual name of your LDAP server.

Thanks

tkinsella 01-16-2014 11:26 AM

I created the cert :

Code:

[root@ldap-01 certs]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ldap.pem -keyout /etc/pki/tls/certs/ldapkey.pem -days 3650
Generating a 2048 bit RSA private key
.+++
........................................................................+++
writing new private key to '/etc/pki/tls/certs/ldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Washington
Locality Name (eg, city) [Default City]:Bellevue
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap-01.ops.rm
Email Address []:itops@example.com

[root@ldap-01 certs]# ll ldap*
-rw-r--r--. 1 root ldap 1708 Jan 16 09:15 ldapkey.pem
-rw-r--r--. 1 root ldap 1452 Jan 16 09:15 ldap.pem

[root@ldap-01 certs]# cp ldap.pem /var/www/files/

Also configured these in slapd.d
Code:

[root@ldap-01 certs]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif | grep olcTLSCertificate
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldapkey.pem

Running the following on the client
Code:

[root@nr-client cacerts]# wget http://10.0.32.58/ldap.pem

[root@nr-client cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=itops@example.com,CN=ldap-01.ops.rm,OU=IT,O=Example,L=Bellevue,ST=Washington,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..

On the server, the response is a little more encouraging :
Code:

[root@ldap-01 cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x17ac170 msgid 1
wait4msg ld 0x17ac170 msgid 1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid 1 all 1
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 09:23:31 2014


** ld 0x17ac170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
  Empty
  ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid 1 all 1
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x17ac170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x17ac170 0 new referrals
read1msg:  mark request completed, ld 0x17ac170 msgid 1
request done: ld 0x17ac170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x17ac170 msgid -1
wait4msg ld 0x17ac170 msgid -1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid -1 all 0
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 09:23:31 2014


** ld 0x17ac170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
  Empty
  ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid -1 all 0
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x17ac170 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn:
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x17ac170 msgid -1
wait4msg ld 0x17ac170 msgid -1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid -1 all 0
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 09:23:31 2014


** ld 0x17ac170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
  Empty
  ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid -1 all 0
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x17ac170 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x17ac170 0 new referrals
read1msg:  mark request completed, ld 0x17ac170 msgid 2
request done: ld 0x17ac170 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

And hostname of server is :
Code:

[root@ldap-01 openldap]# hostname
ldap-01.ops.rm


tkinsella 01-16-2014 02:47 PM

Continuing to troubleshoot this, I managed to find some other steps that MIGHT have been missing?

On the server I created a CA cert and then used that to sign my ldap.pem file :

Code:

CREATE CA
  950  echo '01'>serial
  951  echo '01'>crlnumber
  952  openssl req -new -x509 -extensions v3_ca -keyout private/ca-cert.key -out certs/ca-cert-crt -days 3650
  953  chmod 400 private/ca-cert.key
  955  cp /etc/pki/tls/certs/ldap.pem /etc/pki/CA/crl
  958  touch index.txt
CREATE NEW CERT
  970  openssl genrsa -out ldap.key 2048
  971  openssl req -new -key ldap.key -out ldap.csr
  972  openssl ca -in ldap.csr -out newcerts/ldap.pem -keyfile private/ca-cert.key -cert certs/ca-cert-crt

On the Server things seem to run OK
Code:

LDAPTLS_CACERTDIR=/etc/pki/CA/newcerts/ ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x1791170 msgid 1
wait4msg ld 0x1791170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid 1 all 1
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 12:45:56 2014


** ld 0x1791170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
  Empty
  ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1791170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1791170 0 new referrals
read1msg:  mark request completed, ld 0x1791170 msgid 1
request done: ld 0x1791170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x1791170 msgid -1
wait4msg ld 0x1791170 msgid -1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid -1 all 0
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 12:45:56 2014


** ld 0x1791170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
  Empty
  ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid -1 all 0
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x1791170 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn:
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1791170 msgid -1
wait4msg ld 0x1791170 msgid -1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid -1 all 0
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 12:45:56 2014


** ld 0x1791170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
  Empty
  ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid -1 all 0
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1791170 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1791170 0 new referrals
read1msg:  mark request completed, ld 0x1791170 msgid 2
request done: ld 0x1791170 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Now on the client machine they fail, but with a new error....
Code:

LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=itops@rootmetrics.com,CN=ldap-01.ops.rm,OU=Information Technology,O=RootMetrics,ST=Washington,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..

The key new error is: TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..


Thoughts?

Thanks!

Ser Olmy 01-17-2014 07:55 AM

A client validates an X.509 certificate by checking the cryptographic signature. To do this, the client must be able to access the issuer's certificate, and the issuer of the issuer's certificate, and so on all the way up to the top of the chain (the root CA).

Validation may fail for several reasons:
  • The client may not have access to the issuer's certificate
  • The client may not have access to the root certificate at the top of the chain
  • The client may not trust the root CA
The error message "peer's certificate issuer is not recognized" would indicate that the client does not have access to the certificate of the issuing CA (which obviously means that this CA is not trusted).

You're generating your own certificates with openssl. Such certificates can be validated by precisely no-one. When using X.509 certificates, you'll either have to use certificates issued by a CA participating in the PKI infrastructure on the Internet (which means paying for every certificate), create your own public key infrastructure and distribute root certificates manually to all clients, or disable certificate validation altogether.
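A worked version of the chain-validation point made above, and of the two client-side log lines earlier in the thread (`skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)`, followed by `Peer's Certificate issuer is not recognized`): a cacerts directory lookup only finds a CA certificate stored as `<subject hash>.0`, and a server certificate can only validate on a client that holds a copy of the issuing CA's certificate. The script below is an added example, not code from the thread or from OpenLDAP; it builds a throwaway private CA and a CA-signed server certificate with `openssl`, and uses `openssl verify -CApath` to stand in for the LDAP client's trust lookup, so that a client with only `ldap.pem` dropped in can be compared with one that has the CA certificate installed under its hashed name. It also prints the certificate's CN for comparison with the hostname, which is the check suggested earlier in the thread. The hostname `ldap-01.example.internal`, the subjects and every path are constructed for the demo. One observation from the thread's own output: the server-side `ldapsearch` runs there went to port 389 without `-ZZ`, so they never started TLS and do not show that the server certificate is trusted anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): private CA -> CA-signed server cert -> client
# trust store, then verification from a client that lacks the CA certificate and
# from one that has it installed under the hashed filename a cacerts directory expects.
# All names, subjects and paths here are constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_CN="ldap-01.example.internal"   # constructed; must equal the name clients connect to

make_ca() {
    # Self-signed CA certificate: this one file is what every client needs a copy of.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/C=US/O=Example/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    chmod 400 "$WORK/ca.key"
}

issue_server_cert() {
    # Server key and CSR, signed by the CA so the result chains to ca.pem
    # instead of being self-signed.
    openssl genrsa -out "$WORK/ldap.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ldap.key" -subj "/C=US/O=Example/CN=$SERVER_CN" \
        -out "$WORK/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/ldap.pem" 2>/dev/null
}

cert_cn() {
    # CN of the issued server certificate, to compare with the real hostname.
    # The sed strips everything up to the last "CN=" / "CN = " in the subject line,
    # which works for both old and new openssl output formats.
    openssl x509 -in "$WORK/ldap.pem" -noout -subject | sed 's/.*CN *= *//'
}

install_ca() {
    # A cacerts directory is searched by subject hash: the file must be named
    # <hash>.0, which is why a file simply called ldap.pem gets skipped.
    mkdir -p "$1"
    cp "$WORK/ca.pem" "$1/$(openssl x509 -in "$WORK/ca.pem" -noout -hash).0"
}

verify_against_dir() {
    # Returns 0 when the server certificate chains to a CA found in directory $1.
    # The printed verdict is checked rather than the exit status so that this also
    # behaves on older openssl releases.
    openssl verify -CApath "$1" "$WORK/ldap.pem" 2>&1 | grep -q ': OK$'
}

make_ca
issue_server_cert

# Client A: only the server certificate copied in, under an unhashed name
# (the situation the thread's wget of ldap.pem produced).
mkdir -p "$WORK/client-wrong"
cp "$WORK/ldap.pem" "$WORK/client-wrong/ldap.pem"
if verify_against_dir "$WORK/client-wrong"; then
    echo "client-wrong: unexpectedly trusted"
else
    echo "client-wrong: issuer not recognized (expected: no CA certificate present)"
fi

# Client B: the CA certificate installed under its hashed name.
install_ca "$WORK/client-right"
if verify_against_dir "$WORK/client-right"; then
    echo "client-right: chain verified using $(ls "$WORK/client-right")"
fi

echo "server certificate CN: $(cert_cn) (clients connect to: $SERVER_CN)"
```

The only thing that differs between the two client directories is the presence of the CA certificate under its hashed name; the server certificate itself is identical. That is the root-certificate distribution step the reply above describes, and it is what removes the -8179 error without turning verification off.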

tkinsella 01-17-2014 11:58 AM

How would I go about disabling certificate validation?

Ser Olmy 01-19-2014 12:44 PM

Have you seen this thread on stackoverflow.com?

Apparently, adding "TLS_REQCERT ALLOW" to the local or global configuration file will disable certificate verification. I haven't tried it myself, though.
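For contrast with the `TLS_REQCERT allow` suggestion above, here is an added `/etc/openldap/ldap.conf` fragment (not from the thread) that places the setting which switches verification off beside the one that keeps it on by pointing the client at the issuing CA certificate. The two sections are alternatives, not meant to be combined; both keys are documented in ldap.conf(5), and the path `/etc/openldap/cacerts/private-ca.pem` is an assumed location for the CA certificate.

```conf
# --- Alternative 1 (weak): accept whatever certificate the server presents.
# Errors -8172/-8179 disappear, but the client can no longer tell the real
# LDAP server from anything else answering on port 636.
TLS_REQCERT     allow

# --- Alternative 2 (corrected): keep the default strict check and give the
# client the CA certificate that signed the server certificate.
# The file path below is an assumed location, not one from the thread.
TLS_REQCERT     demand
TLS_CACERT      /etc/openldap/cacerts/private-ca.pem
```

With the second form the client validates the server certificate's signature against the private CA, and the server certificate's CN still has to match the hostname the client connects to.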

andrew44 01-19-2014 01:09 PM

Not sure if it helps, but I've been playing with 389 all weekend and I set up the SSL using this script.

https://github.com/richm/scripts/blo...r/setupssl2.sh

Lazy I know but until I understand 389 better I'd rather use it.

tkinsella 01-20-2014 03:20 PM

Ser Olmy, I did try that originally and that failed me (Just to make the new LDAP more confusing...)

I'll give that a shot andrew! thanks!

tkinsella 01-21-2014 03:25 PM

I am now getting a different error... maybe a good thing?

additional info: TLS error -8157:Certificate extension not found

