Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
01-15-2014, 04:33 PM
#1
Member
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45
Rep:
TLS Error with LDAP Cert
Hello all,
I am trying to enable TLS on our LDAP server.
When I test on the server I get:
Code:
ldapsearch -x -b "dc=example,dc=com" -ZZ
# search result
search: 3
result: 0 Success
# numResponses: 41
# numEntries: 40
When I test on a client machine I get:
Code:
ldapsearch -x -b "dc=example,dc=com" -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
What am I doing wrong? I can provide anything you need to troubleshoot further...
Thanks!
01-15-2014, 09:28 PM
#2
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333
Rep:
The error message says it all: The certificate issuer is not in the list of trusted certificate authorities on the client system.
How did you obtain or generate the certificate?
1 members found this post helpful.
01-16-2014, 04:30 AM
#3
Member
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661
Rep:
Also ensure the CN of your server certificate matches the actual name of your LDAP server.
Thanks
1 members found this post helpful.
01-16-2014, 11:26 AM
#4
Member
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45
Original Poster
Rep:
I created the cert:
Code:
[root@ldap-01 certs]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ldap.pem -keyout /etc/pki/tls/certs/ldapkey.pem -days 3650
Generating a 2048 bit RSA private key
.+++
........................................................................+++
writing new private key to '/etc/pki/tls/certs/ldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Washington
Locality Name (eg, city) [Default City]:Bellevue
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap-01.ops.rm
Email Address []:itops@example.com
[root@ldap-01 certs]# ll ldap*
-rw-r--r--. 1 root ldap 1708 Jan 16 09:15 ldapkey.pem
-rw-r--r--. 1 root ldap 1452 Jan 16 09:15 ldap.pem
[root@ldap-01 certs]# cp ldap.pem /var/www/files/
Also configured these in slapd.d:
Code:
[root@ldap-01 certs]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif | grep olcTLSCertificate
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldapkey.pem
Running the following on the client:
Code:
[root@nr-client cacerts]# wget http://10.0.32.58/ldap.pem
[root@nr-client cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=itops@example.com,CN=ldap-01.ops.rm,OU=IT,O=Example,L=Bellevue,ST=Washington,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
On the server, the response is a little more encouraging:
Code:
[root@ldap-01 cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x17ac170 msgid 1
wait4msg ld 0x17ac170 msgid 1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid 1 all 1
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 16 09:23:31 2014
** ld 0x17ac170 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
Empty
ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid 1 all 1
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x17ac170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x17ac170 0 new referrals
read1msg: mark request completed, ld 0x17ac170 msgid 1
request done: ld 0x17ac170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x17ac170 msgid -1
wait4msg ld 0x17ac170 msgid -1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid -1 all 0
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 16 09:23:31 2014
** ld 0x17ac170 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
Empty
ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid -1 all 0
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x17ac170 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn:
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x17ac170 msgid -1
wait4msg ld 0x17ac170 msgid -1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid -1 all 0
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 16 09:23:31 2014
** ld 0x17ac170 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
Empty
ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid -1 all 0
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x17ac170 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x17ac170 0 new referrals
read1msg: mark request completed, ld 0x17ac170 msgid 2
request done: ld 0x17ac170 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
And the hostname of the server is:
Code:
[root@ldap-01 openldap]# hostname
ldap-01.ops.rm
01-16-2014, 02:47 PM
#5
Member
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45
Original Poster
Rep:
Continuing to troubleshoot this, I managed to find some other steps that MIGHT have been missing?
On the server I created a CA cert and then used that to sign my ldap.pem file:
Code:
# CREATE CA (run from /etc/pki/CA)
echo '01' > serial
echo '01' > crlnumber
openssl req -new -x509 -extensions v3_ca -keyout private/ca-cert.key -out certs/ca-cert-crt -days 3650
chmod 400 private/ca-cert.key
cp /etc/pki/tls/certs/ldap.pem /etc/pki/CA/crl
touch index.txt
# CREATE NEW CERT
openssl genrsa -out ldap.key 2048
openssl req -new -key ldap.key -out ldap.csr
openssl ca -in ldap.csr -out newcerts/ldap.pem -keyfile private/ca-cert.key -cert certs/ca-cert-crt
On the server things seem to run OK:
Code:
LDAPTLS_CACERTDIR=/etc/pki/CA/newcerts/ ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x1791170 msgid 1
wait4msg ld 0x1791170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid 1 all 1
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 16 12:45:56 2014
** ld 0x1791170 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
Empty
ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1791170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1791170 0 new referrals
read1msg: mark request completed, ld 0x1791170 msgid 1
request done: ld 0x1791170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x1791170 msgid -1
wait4msg ld 0x1791170 msgid -1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid -1 all 0
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 16 12:45:56 2014
** ld 0x1791170 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
Empty
ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid -1 all 0
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x1791170 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn:
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1791170 msgid -1
wait4msg ld 0x1791170 msgid -1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid -1 all 0
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 16 12:45:56 2014
** ld 0x1791170 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
Empty
ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid -1 all 0
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1791170 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1791170 0 new referrals
read1msg: mark request completed, ld 0x1791170 msgid 2
request done: ld 0x1791170 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
Now on the client machine they fail, but with a new error:
Code:
LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=itops@rootmetrics.com,CN=ldap-01.ops.rm,OU=Information Technology,O=RootMetrics,ST=Washington,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
The key new error is: TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
Thoughts?
Thanks!
01-17-2014, 07:55 AM
#6
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333
Rep:
A client validates an X.509 certificate by checking the cryptographic signature. To do this, the client must be able to access the issuer's certificate, and the issuer of the issuer's certificate, and so on all the way up to the top of the chain (the root CA).
Validation may fail for several reasons:
The client may not have access to the issuer's certificate
The client may not have access to the root certificate at the top of the chain
The client may not trust the root CA
The error message "peer's certificate issuer is not recognized" would indicate that the client does not have access to the certificate of the issuing CA (which obviously means that this CA is not trusted).
You're generating your own certificates with openssl. Such certificates can be validated by precisely no-one. When using X.509 certificates, you'll either have to use certificates issued by a CA participating in the PKI infrastructure on the Internet (which means paying for every certificate), create your own public key infrastructure and distribute root certificates manually to all clients, or disable certificate validation altogether.
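Posts #4 to #6 contain all the pieces of a working setup, but the thread never puts them together, and the client-side debug output already names the two problems. "TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)" means the file dropped into TLS_CACERTDIR was never loaded at all: the CentOS 6 client (Mozilla NSS backend) only picks up PEM files in that directory when they are named <subject-hash>.<n>. And after post #5 the client still holds only the server certificate, never the CA certificate that signed it, which is exactly what -8179 "issuer is not recognized" says. Two further things the posted output supports: the server-side ldapsearch runs in posts #4 and #5 connect to port 389 without -ZZ (no TLS lines appear in the trace), so they say nothing about the certificate, and the listing in post #4 shows ldapkey.pem as mode 0644, readable by every local account.

The script below is an added example, not code from the thread or from OpenLDAP. It builds a private CA, issues a certificate for ldap-01.ops.rm with a subjectAltName for that name (the point behind post #3: the name in the certificate must be the name the client connects to), installs the CA certificate on a simulated client under the hash-named layout, and checks the chain with openssl verify the way the client library will, next to the failing case of installing the server certificate instead. Subjects and host name are taken from the thread but are illustrative; a temporary directory stands in for /etc/pki/CA and /etc/openldap/cacerts; openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: private CA -> server certificate
# -> CA certificate installed on the client as <subject-hash>.0 -> chain check.
# Assumes openssl(1); the temp dir stands in for /etc/pki/CA and
# /etc/openldap/cacerts, and the names are the thread's, used illustratively.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/ca"                      # stands in for /etc/pki/CA
CLIENT_CACERTS="$WORK/cacerts-right"   # client TLS_CACERTDIR holding the CA cert
WRONG_CACERTS="$WORK/cacerts-wrong"    # the thread's state: only the server cert
SERVER_FQDN="ldap-01.ops.rm"
CNF="$WORK/openssl.cnf"

write_openssl_cnf() {
    # One config for both certificates; the server section carries the SAN
    # that clients match against the host name they connected to.
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = US
ST = Washington
O  = Example
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN
EOF
}

make_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$CNF" -extensions v3_ca \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
    chmod 400 "$CA_DIR/ca.key"    # the CA key stays on the CA host, root-only
}

issue_server_cert() {
    # CSR for the LDAP host (-subj overrides the CA DN in the config), then
    # sign it with the CA and attach the v3_server extensions.
    openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
        -subj "/C=US/ST=Washington/L=Bellevue/O=Example/OU=IT/CN=$SERVER_FQDN" \
        -keyout "$CA_DIR/ldap.key" -out "$CA_DIR/ldap.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$CA_DIR/ldap.csr" \
        -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CNF" -extensions v3_server -out "$CA_DIR/ldap.pem" 2>/dev/null
    chmod 400 "$CA_DIR/ldap.key"  # post #4 left ldapkey.pem world-readable (0644)
}

install_trust_anchor() {  # $1 = cacerts dir, $2 = PEM certificate to trust
    # A PEM file in TLS_CACERTDIR is only loaded under the name
    # <subject-hash>.<n>; this is the "expected format" in the debug output.
    # On CentOS 6, cacertdir_rehash(8) from authconfig creates the same links.
    mkdir -p "$1"
    cp "$2" "$1/$(basename "$2")"
    ln -sf "$(basename "$2")" "$1/$(openssl x509 -hash -noout -in "$2").0"
}

verify_server_cert() {  # $1 = cacerts dir, $2 = server cert; 0 if the chain verifies
    # Match on output rather than exit status: openssl 1.0.x (CentOS 6)
    # verify exited 0 even when validation failed.
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

cert_has_san() {  # $1 = certificate, $2 = DNS name expected in subjectAltName
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

build_pki() {
    rm -rf "$CA_DIR" "$CLIENT_CACERTS" "$WRONG_CACERTS"   # idempotent rebuild
    write_openssl_cnf
    make_ca
    issue_server_cert
    install_trust_anchor "$CLIENT_CACERTS" "$CA_DIR/ca.pem"    # distribute the CA cert
    install_trust_anchor "$WRONG_CACERTS"  "$CA_DIR/ldap.pem"  # a leaf cannot anchor itself
}

main() {
    build_pki
    if verify_server_cert "$CLIENT_CACERTS" "$CA_DIR/ldap.pem"; then
        echo "CA cert in cacerts:     chain verifies"
    fi
    if ! verify_server_cert "$WRONG_CACERTS" "$CA_DIR/ldap.pem"; then
        echo "server cert in cacerts: issuer not recognized (the thread's -8179)"
    fi
    cert_has_san "$CA_DIR/ldap.pem" "$SERVER_FQDN" && echo "SAN covers $SERVER_FQDN"
    ls -l "$CLIENT_CACERTS"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

On the real client the equivalent is: copy ca.pem (and only ca.pem) to /etc/openldap/cacerts, run cacertdir_rehash on that directory or name the file by hand as above, and keep TLS_REQCERT at its default of demand. Pointing TLS_CACERT at the single CA PEM file in /etc/openldap/ldap.conf avoids the hash-directory layout altogether. The server's certificate and private key stay on the server, with the key mode 0400 and owned by the account slapd runs as; to confirm the server side actually negotiates TLS, test it with -ZZ or against port 636 rather than the plain port 389 used in posts #4 and #5.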
01-17-2014, 11:58 AM
#7
Member
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45
Original Poster
Rep:
How would I go about disabling certificate validation?
01-19-2014, 12:44 PM
#8
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333
Rep:
Have you seen
this thread on stackoverflow.com?
Apparently, adding "TLS_REQCERT ALLOW" to the local or global configuration file will disable certificate verification. I haven't tried it myself, though.
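The workaround in post #8 needs its caveat spelled out. TLS_REQCERT allow (or never) switches off the very check that failed: the client will then complete a TLS handshake with any server presenting any certificate, including one put up by an attacker on the path to capture whatever credentials the client sends in its bind. The error in this thread is the client doing its job; the fix is to give it the CA certificate, not to stop it asking. The default, demand, should stay.

The script below is an added example, not code from the thread or from OpenLDAP. It audits OpenLDAP client configuration files (/etc/openldap/ldap.conf, ~/.ldaprc) for the weak setting and shows the weak configuration beside the corrected one. The sample ldap.conf files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit OpenLDAP client config
# (/etc/openldap/ldap.conf, ~/.ldaprc) for settings that disable server
# certificate verification. The sample files below are constructed here.
set -eu

# Effective value of an ldap.conf key: last occurrence wins, keys are
# case-insensitive, '#' comment lines are ignored; $3 is the default.
ldap_conf_get() {  # $1 = file, $2 = KEY (upper case), $3 = default
    val=$(awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && toupper($1) == key { v = $2 }
        END { print v }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Prints a verdict and returns 0 when verification is enforced, 1 otherwise.
#   ok                demand/hard with an explicit trust anchor
#   ok-default-store  demand/hard, relying on the library's default CA store
#                     (a private CA such as the thread's must be listed explicitly)
#   insecure:<value>  never/allow/try: the handshake completes with any certificate
ldap_conf_tls_verdict() {  # $1 = file
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT demand | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$1" TLS_CACERT "")
    cacertdir=$(ldap_conf_get "$1" TLS_CACERTDIR "")
    case "$reqcert" in
        demand|hard) ;;
        never|allow|try) echo "insecure:$reqcert"; return 1 ;;
        *) echo "unknown:$reqcert"; return 1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "ok-default-store"
    else
        echo "ok"
    fi
}

write_samples() {  # $1 = directory; writes the constructed sample configs
    mkdir -p "$1"
    # Weak: the post #8 workaround. Any certificate, from anyone, is accepted.
    cat > "$1/weak.conf" <<'EOF'
BASE          dc=example,dc=com
URI           ldaps://ldap-01.ops.rm
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT   allow
EOF
    # Hardened: keep the default "demand" and name the private CA's PEM file.
    cat > "$1/hardened.conf" <<'EOF'
BASE        dc=example,dc=com
URI         ldaps://ldap-01.ops.rm
TLS_CACERT  /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
EOF
    # Implicit: no TLS_REQCERT line at all, so the default "demand" applies;
    # the commented-out line must not be picked up by the audit.
    cat > "$1/implicit.conf" <<'EOF'
BASE dc=example,dc=com
URI  ldap://ldap-01.ops.rm
# tls_reqcert never
EOF
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in "$dir"/*.conf; do
        printf '%-14s %s\n' "$(basename "$f")" "$(ldap_conf_tls_verdict "$f" || true)"
    done
    rm -rf "$dir"
}

main
```

Run it against the real files (ldap_conf_tls_verdict /etc/openldap/ldap.conf; the same for each user's ~/.ldaprc, which overrides the global file) as part of a host audit. Anything other than ok or ok-default-store on a host that binds to the directory means a passive observer on the network path can become the directory.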
01-19-2014, 01:09 PM
#9
Member
Registered: Apr 2011
Posts: 31
Rep:
Not sure if it helps, but I've been playing with 389 all weekend and I set up the SSL using this script.
https://github.com/richm/scripts/blo...r/setupssl2.sh
Lazy I know but until I understand 389 better I'd rather use it.
01-20-2014, 03:20 PM
#10
Member
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45
Original Poster
Rep:
Ser Olmy, I did try that originally and that failed me (Just to make the new LDAP more confusing...)
I'll give that a shot andrew! thanks!
01-21-2014, 03:25 PM
#11
Member
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45
Original Poster
Rep:
I am now getting a different error... maybe a good thing?
additional info: TLS error -8157:Certificate extension not found