Old 01-15-2014, 04:33 PM   #1
tkinsella
Member
 
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45

Rep: Reputation: 0
TLS Error with LDAP Cert


Hello all,

I am trying to enable TLS on our LDAP server.

When I test with the server I get :

Code:
ldapsearch  -x -b "dc=example,dc=com" -ZZ
# search result
search: 3
result: 0 Success

# numResponses: 41
# numEntries: 40
When I test on a client machine I get :

Code:
ldapsearch  -x -b "dc=example,dc=com" -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
	additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
What am I doing wrong? I can provide anything you need to troubleshoot further...


Thanks!
 
Old 01-15-2014, 09:28 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
The error message says it all: The certificate issuer is not in the list of trusted certificate authorities on the client system.

How did you obtain or generate the certificate?
 
1 members found this post helpful.
Old 01-16-2014, 04:30 AM   #3
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Also ensure the CN of your server certificate matches the actual name of your ldap server.

Thanks
 
1 members found this post helpful.
Old 01-16-2014, 11:26 AM   #4
tkinsella
Member
 
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45

Original Poster
Rep: Reputation: 0
I created the cert :

Code:
[root@ldap-01 certs]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ldap.pem -keyout /etc/pki/tls/certs/ldapkey.pem -days 3650
Generating a 2048 bit RSA private key
.+++
........................................................................+++
writing new private key to '/etc/pki/tls/certs/ldapkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Washington
Locality Name (eg, city) [Default City]:Bellevue
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap-01.ops.rm
Email Address []:itops@example.com

[root@ldap-01 certs]# ll ldap*
-rw-r--r--. 1 root ldap 1708 Jan 16 09:15 ldapkey.pem
-rw-r--r--. 1 root ldap 1452 Jan 16 09:15 ldap.pem

[root@ldap-01 certs]# cp ldap.pem /var/www/files/
Also configured these in slapd.d:
Code:
[root@ldap-01 certs]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif | grep olcTLSCertificate
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldapkey.pem
Running the following on the client:
Code:
[root@nr-client cacerts]# wget http://10.0.32.58/ldap.pem

[root@nr-client cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=itops@example.com,CN=ldap-01.ops.rm,OU=IT,O=Example,L=Bellevue,ST=Washington,C=US] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
On the server, the response is a little more encouraging :
Code:
[root@ldap-01 cacerts]# LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x17ac170 msgid 1
wait4msg ld 0x17ac170 msgid 1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid 1 all 1
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 09:23:31 2014


** ld 0x17ac170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
   Empty
  ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid 1 all 1
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x17ac170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x17ac170 0 new referrals
read1msg:  mark request completed, ld 0x17ac170 msgid 1
request done: ld 0x17ac170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x17ac170 msgid -1
wait4msg ld 0x17ac170 msgid -1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid -1 all 0
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 09:23:31 2014


** ld 0x17ac170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
   Empty
  ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid -1 all 0
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x17ac170 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn:
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x17ac170 msgid -1
wait4msg ld 0x17ac170 msgid -1 (infinite timeout)
wait4msg continue ld 0x17ac170 msgid -1 all 0
** ld 0x17ac170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 09:23:31 2014


** ld 0x17ac170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x17ac170 request count 1 (abandoned 0)
** ld 0x17ac170 Response Queue:
   Empty
  ld 0x17ac170 response count 0
ldap_chkResponseList ld 0x17ac170 msgid -1 all 0
ldap_chkResponseList returns ld 0x17ac170 NULL
ldap_int_select
read1msg: ld 0x17ac170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x17ac170 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x17ac170 0 new referrals
read1msg:  mark request completed, ld 0x17ac170 msgid 2
request done: ld 0x17ac170 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
And hostname of server is :
Code:
[root@ldap-01 openldap]# hostname
ldap-01.ops.rm
 
Old 01-16-2014, 02:47 PM   #5
tkinsella
Member
 
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45

Original Poster
Rep: Reputation: 0
Continuing to troubleshoot this, I managed to find some other steps that MIGHT have been missing?

On the server I created a CA cert and then used that to sign my ldap.pem file :

Code:
CREATE CA
  950  echo '01'>serial
  951  echo '01'>crlnumber
  952  openssl req -new -x509 -extensions v3_ca -keyout private/ca-cert.key -out certs/ca-cert-crt -days 3650
  953  chmod 400 private/ca-cert.key
  955  cp /etc/pki/tls/certs/ldap.pem /etc/pki/CA/crl
  958  touch index.txt
CREATE NEW CERT
  970  openssl genrsa -out ldap.key 2048
  971  openssl req -new -key ldap.key -out ldap.csr
  972  openssl ca -in ldap.csr -out newcerts/ldap.pem -keyfile private/ca-cert.key -cert certs/ca-cert-crt
On the server things seem to run OK:
Code:
LDAPTLS_CACERTDIR=/etc/pki/CA/newcerts/ ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x1791170 msgid 1
wait4msg ld 0x1791170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid 1 all 1
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 12:45:56 2014


** ld 0x1791170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
   Empty
  ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1791170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1791170 0 new referrals
read1msg:  mark request completed, ld 0x1791170 msgid 1
request done: ld 0x1791170 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 39 bytes to sd 3
ldap_result ld 0x1791170 msgid -1
wait4msg ld 0x1791170 msgid -1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid -1 all 0
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 12:45:56 2014


** ld 0x1791170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
   Empty
  ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid -1 all 0
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
read1msg: ld 0x1791170 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn:
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1791170 msgid -1
wait4msg ld 0x1791170 msgid -1 (infinite timeout)
wait4msg continue ld 0x1791170 msgid -1 all 0
** ld 0x1791170 Connections:
* host: ldap-01.ops.rm  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 16 12:45:56 2014


** ld 0x1791170 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1791170 request count 1 (abandoned 0)
** ld 0x1791170 Response Queue:
   Empty
  ld 0x1791170 response count 0
ldap_chkResponseList ld 0x1791170 msgid -1 all 0
ldap_chkResponseList returns ld 0x1791170 NULL
ldap_int_select
read1msg: ld 0x1791170 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x1791170 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1791170 0 new referrals
read1msg:  mark request completed, ld 0x1791170 msgid 2
request done: ld 0x1791170 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
Now on the client machine they fail, but with a new error....
Code:
LDAPTLS_CACERTDIR=/etc/openldap/cacerts ldapsearch -d 1 -xLLL -s base -b ""
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-01.ops.rm:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.32.58:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: skipping 'ldap.pem' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [E=itops@rootmetrics.com,CN=ldap-01.ops.rm,OU=Information Technology,O=RootMetrics,ST=Washington,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
The key new error is: TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..


Thoughts?

Thanks!
 
Old 01-17-2014, 07:55 AM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
A client validates an X.509 certificate by checking the cryptographic signature. To do this, the client must be able to access the issuer's certificate, and the issuer of the issuer's certificate, and so on all the way up to the top of the chain (the root CA).

Validation may fail for several reasons:
  • The client may not have access to the issuer's certificate
  • The client may not have access to the root certificate at the top of the chain
  • The client may not trust the root CA
The error message "peer's certificate issuer is not recognized" would indicate that the client does not have access to the certificate of the issuing CA (which obviously means that this CA is not trusted).

You're generating your own certificates with openssl. Such certificates can be validated by precisely no-one. When using X.509 certificates, you'll either have to use certificates issued by a CA participating in the PKI infrastructure on the Internet (which means paying for every certificate), create your own public key infrastructure and distribute root certificates manually to all clients, or disable certificate validation altogether.
 
Old 01-17-2014, 11:58 AM   #7
tkinsella
Member
 
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45

Original Poster
Rep: Reputation: 0
How would I go about disabling certificate validation?
 
Old 01-19-2014, 12:44 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,333

Rep: Reputation: Disabled
Have you seen this thread on stackoverflow.com?

Apparently, adding "TLS_REQCERT ALLOW" to the local or global configuration file will disable certificate verification. I haven't tried it myself, though.
 
Old 01-19-2014, 01:09 PM   #9
andrew44
Member
 
Registered: Apr 2011
Posts: 31

Rep: Reputation: 0
Not sure if it helps but I've been playing with 389 all weekend and I set up the SSL using this script.

https://github.com/richm/scripts/blo...r/setupssl2.sh

Lazy I know but until I understand 389 better I'd rather use it.
 
Old 01-20-2014, 03:20 PM   #10
tkinsella
Member
 
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45

Original Poster
Rep: Reputation: 0
Ser Olmy, I did try that originally and that failed me (Just to make the new LDAP more confusing...)

I'll give that a shot andrew! thanks!
 
Old 01-21-2014, 03:25 PM   #11
tkinsella
Member
 
Registered: Dec 2005
Distribution: CentOS 6.5
Posts: 45

Original Poster
Rep: Reputation: 0
I am now getting a different error... maybe a good thing?

additional info: TLS error -8157:Certificate extension not found
 