Quote:
Originally Posted by sag47
I'm not an expert on LDAP but have you tried testing the connectivity to the LDAP server using telnet or openssl? You can use openssl to verify the certificates as well.
Code:
telnet puppet.mydomain.com 636
timeout 3 openssl s_client -CApath /etc/ssl/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636
The -CApath will allow openssl to validate the certificates. -servername is for Server Name Indication (SNI) which is usually associated with using Apache virtual hosts with SSL but I included it for the sake of being thorough. To learn more about the arguments see "man s_client". That is to say can you connect to the port? When you connect to the port do you get a validated certificate?
View the certificate information on that port as well....
Thanks for your reply! Telnet can connect to port 636:
Code:
[bluethundr@vbox:~] #telnet puppet.mydomain.com 636
Trying xxx.xxx.xx.xxx...
Connected to puppet.mydomain.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
However I can't seem to feed this command the correct path. Either that or the cert I'm trying to give it is invalid.
First I tried pointing it at the directory where the cert is located:
Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636
CONNECTED(00000003)
3073743112:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 253 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
And it fails as above. The command also fails when I give it the full path to the cert:
Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs/ca.crt -servername puppet.jokefire.com -connect puppet.mydomain.com:636
CONNECTED(00000003)
3073378568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 253 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Quote:
Originally Posted by sag47
Code:
timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less
That will convert the remote certificate information into a human readable format. Is the certificate what you expect? Is the common name of the certificate puppet.mydomain.com? To learn more about the arguments see "man x509".
Hmmm.. it seems that the certificate may in fact be invalid according to what I see here:
Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less
3073956104:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
unable to load certificate
3073603848:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Quote:
Originally Posted by sag47
Also, by providing your certificate you have provided the name of your server. Perhaps you'll want to edit that (the same could be said about your other attachments)? Assuming your host is what is in your certificate you have many ports open but the ldapssl port 636 is not one of them.
WHOOPS!!! I'll try not to make that mistake again!
Quote:
Originally Posted by sag47
If you're using your LDAP command as you describe, perhaps try the following command.
Code:
ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"
And as you might expect, given the nature of the cert, this command also fails:
Code:
[root@puppet:/etc/puppet] #ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
But the fact that the cert would be bad is a little troubling. This is the method I used to generate both the ca and the ldap server certs:
Code:
Create CA key
1) openssl genrsa -des3 -out ca.key 4096
Create CA cert
2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Create director1 key and certificate signing request (the CSR is made from the passphrase-protected key written in step 3)
3) openssl genrsa -des3 -out director1key.key 4096
4) openssl req -new -key director1key.key -out director1.csr
Sign the director1 certificate
5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt
Don't know if it is necessary, but converted .crt to .pem
6) openssl x509 -in director1.crt -out director1.pem
7) openssl x509 -in ca.crt -out ca.pem
Really important! Remove the password from the director1 private key
8) openssl rsa -in director1key.key -out director1.key
Where the term 'director' substitutes for the name of your cert (in my case ldap.crt).
This is puzzling also in light of the fact that other apache related certs I have created this way work just fine. But I suppose one thing I need to try is to recreate the cert. I'll give that a shot and let the thread know how it goes.
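The following script is an added example, not code from this thread or from anyone posting in it. It serves two of the points above. First, the `openssl s_client` diagnostics: the output shown earlier ("SSL handshake has read 0 bytes and written 253 bytes") means the client sent its ClientHello and the server answered with nothing at all, which is the signature of a port where no TLS listener is speaking, and is a different failure from a certificate that fails validation (that case completes the handshake and reports a non-zero "Verify return code"). Note also that `-CApath` expects a directory of hashed certificate links (as produced by `c_rehash`), while a single CA file such as `ca.crt` is passed with `-CAfile`. Second, the eight-step certificate procedure: the script rebuilds it non-interactively (no `-des3`, so no passphrase to strip afterwards), gives the server certificate a subjectAltName, which modern clients match the hostname against instead of the CN, and then runs the same chain check a client would. The hostname `ldap.example.com`, the scratch directory and the sample s_client output fed to the classifier are constructed for this example; it needs only the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the thread): LDAP server certificate built the way the
# thread's 8-step procedure does it, but non-interactively and with a SAN, followed
# by a chain check; plus a helper that classifies saved `openssl s_client` output.
set -eu

# Read saved s_client output on stdin and print one word describing the outcome:
#   unreachable - TCP connect itself failed
#   no-tls      - handshake got no bytes back: nothing is speaking TLS on that port
#   ok          - handshake completed and the chain validated
#   untrusted   - handshake completed but the chain did not validate
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connect:errno\|Connection refused'; then
        echo unreachable
    elif printf '%s\n' "$out" | grep -q 'SSL handshake has read 0 bytes'; then
        echo no-tls
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
        echo untrusted
    else
        echo unknown
    fi
}

# Build a CA and a CA-signed server certificate in scratch directory $1 for hostname $2.
# Compared with the thread's steps: no -des3 (so no passphrase and no step 8), one
# consistent key filename, a subjectAltName extension, and -CAcreateserial instead
# of the fixed -set_serial 01.
make_ldap_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Steps 1-2: CA key and self-signed CA certificate
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" \
        -subj "/CN=Example LDAP CA" -out "$dir/ca.crt" 2>/dev/null
    # Steps 3-4: server key and CSR; CN is the name clients will connect to
    openssl genrsa -out "$dir/ldap.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ldap.key" -subj "/CN=$host" -out "$dir/ldap.csr" 2>/dev/null
    # Extension file: the SAN is what clients actually check the hostname against
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/ldap.ext"
    # Step 5: sign the CSR with the CA, applying the extensions
    openssl x509 -req -days 3650 -in "$dir/ldap.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ldap.ext" -out "$dir/ldap.crt" 2>/dev/null
}

# The chain check a client performs: does ldap.crt validate against ca.crt?
# Prints "valid" or "invalid".
verify_ldap_cert() {
    if openssl verify -CAfile "$1/ca.crt" "$1/ldap.crt" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# True when the server certificate in $1 carries hostname $2 as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1/ldap.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Demo run in a throwaway directory (constructed paths, not the thread's /etc/pki/CA).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_ldap_cert "$tmp" ldap.example.com
    echo "chain: $(verify_ldap_cert "$tmp")"
    cert_has_san "$tmp" ldap.example.com && echo "SAN present for ldap.example.com"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo` to build and check a throwaway CA and server certificate; to classify a real probe, save the s_client output to a file and pipe it in, e.g. `classify_s_client < probe.txt` after sourcing the script. The `verify_ldap_cert` step is worth running before touching the LDAP server at all: if `openssl verify -CAfile ca.crt ldap.crt` already fails on the box that generated the files, the handshake on port 636 cannot succeed either, and if it passes, the next thing to check is whether the server is actually listening for TLS on that port.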