TLS/SSL certificate & Replication v2.1.3
Hi everybody,
after trying everything I'm here again looking for help.
What I want:
Replication with 2.1.3.
My environment:
openldap 2.1.3
openssl 0.96g
LINUX 7.1 Kernel 2.4.18
slapd is running on 486dx66.hrnet.de ports: 4389/4636 (master)
slapd is running on 486dx66.hrnet.de ports: 5389/5636 (master)
What's the problem:
I always get the same error with slurpd:
---snipp---
07d0: c2 79 b4 7e 70 4f c3 b1 8c .y.~pO...
TLS certificate verification: depth: 1, err: 19, subject: /C=DE/ST=
Germany/L=Niedernhausen-Oberjosbach/O=Harry Rueter Development/OU=
CAAUTHORITY/CN=caserver.hrnet.de/Email=harry@hrnet.de, issuer:
/C=DE/ST=Germany/L=Niedernhausen-Oberjosbach
/O=Harry Rueter Development/OU=CAAUTHORITY/CN=caserver.hrnet.de/
Email=harry@hrnet.de
TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
---snipp---
So, I see what the problem is: slurpd doesn't like
self-signed certificates.
I understand and I'm willing (and trying) to satisfy its
needs ..
The problem is, in my opinion I generated the certificates correctly,
like Peter A. Savitch described in his mail on 10.08.2002
(Re: Doubt regarding the cert that signs the CRL).
These are the certificates I use for
master and replica (they run on the same host (486dx66.hrnet.de)!).
---schnipp---
TLSCertificateFile /etc/certificates/486dx66.crt
TLSCertificateKeyFile /etc/certificates/486dx66.key
TLSCACertificateFile /etc/certificates/CA.crt
---schnipp---
I generated the certificates with the two scripts I attached:
mkCA generates the TLSCACertificateFile ...
mkcert generates the server/client certificates.
Example:
mkcert 486dx66
generates 486dx66.crt & 486dx66.key
mkCA caserver
generates CA.key & CA.crt
(caserver.hrnet.de has another hostname but is on the same server,
is this the error? Must the CA reside on the same host?)
I think the scripts are correct and the entries in slapd.conf
(master/replica) are too ..
Can anybody tell me how I can find a way out of this trap?
greets Harry
#!/bin/sh
# mkcert: generate a key for HOST and a certificate for it signed by the local CA
if [ $# -ne 1 ]
then
    echo "usage : $0 HOST_to_Certificate"
    exit 1
fi
SERVER=$1
MYNET=.hrnet.de
FQDN=$SERVER$MYNET
CERTDIR=/etc/certificates
TMPDIR=$CERTDIR/tmp
CAKEYDIR=$CERTDIR/private
MYCACERT="$CERTDIR/CA.crt"
MYCAKEY="$CAKEYDIR/CA.key"
mkdir -p "$TMPDIR"
ping -c1 "$FQDN" >/dev/null 2>&1
if [ $? -ne 0 ]
then
    echo "HOST $FQDN not reachable"
    exit 1
fi
echo -n "Generating key for $SERVER .."
openssl genrsa -out "$TMPDIR/$SERVER.key" 2048 >/dev/null 2>&1
if [ $? -ne 0 ]
then
    echo " error: couldn't create key"
    rm -f "$TMPDIR/$SERVER".*    # only this host's temp files (rm $TMPDIR* matches the directory name itself)
    exit 1
fi
echo ready
echo
echo -n "Generating Certificate Signing Request for $SERVER .."
# answers to the interactive DN prompts: C, ST, L, O, OU, CN (the FQDN clients
# connect to), email, challenge password, optional company name
openssl req -new -key "$TMPDIR/$SERVER.key" -out "$TMPDIR/$SERVER.csr" >/dev/null 2>&1 << ENDE
DE
Germany
Niedernhausen-Oberjosbach
Harry Rueter Development
Keymaker
$FQDN
harry@hrnet.de
"What's the cat ?"
Nooptionalname
ENDE
if [ $? -ne 0 ]
then
    echo "error: couldn't create certificate signing request"
    rm -f "$TMPDIR/$SERVER".*
    exit 1    # was missing: the script went on to sign a CSR that does not exist
fi
echo ready
echo
echo -n "Signing with CA ..."
# -CAcreateserial keeps the serial counter in CA.srl next to CA.crt;
# openssl prompts for the passphrase of the des3-encrypted CA key
openssl x509 -req -days 365 -in "$TMPDIR/$SERVER.csr" -CA "$MYCACERT" -CAkey "$MYCAKEY" \
    -CAcreateserial -out "$TMPDIR/$SERVER.crt" >/dev/null
if [ $? -ne 0 ]
then
    echo "Couldn't create CA-certificated certificate"
    rm -f "$TMPDIR/$SERVER".*
    exit 1
fi
echo ready
echo
chmod 400 "$TMPDIR/$SERVER.key"    # private key: owner-only (444 left it world-readable)
chmod 444 "$TMPDIR/$SERVER.crt"
mv "$TMPDIR/$SERVER.key" "$CERTDIR/$SERVER.key"
mv "$TMPDIR/$SERVER.crt" "$CERTDIR/$SERVER.crt"
rm -f "$TMPDIR/$SERVER".*    # leftover CSR
#!/bin/sh
# mkCA: generate the CA key and the self-signed CA certificate (TLSCACertificateFile)
if [ $# -ne 1 ]
then
    echo "usage : $0 HOST_to_Certificate"
    exit 1
fi
CASERVER=$1
MYNET=.hrnet.de
FQDN=$CASERVER$MYNET
KEYDIR=/etc/certificates/private
CERTDIR=/etc/certificates
TMPDIR=/etc/certificates/tmp
mkdir -p "$TMPDIR" "$KEYDIR"
#echo -n Generating key for $CASERVER
# -des3: the CA key is stored encrypted, openssl prompts for the passphrase
openssl genrsa -des3 -out "$TMPDIR/CA.key" 2048
if [ $? -ne 0 ]
then
    echo " error: couldn't create key"
    rm -f "$TMPDIR"/CA.*    # only the CA temp files (rm $TMPDIR* matches the directory name itself)
    exit 1
fi
echo ready
echo
echo "Generating Certificate Signing Request for $CASERVER"
# answers to the interactive DN prompts: C, ST, L, O, OU, CN, email,
# challenge password, optional company name
openssl req -new -key "$TMPDIR/CA.key" -out "$TMPDIR/CA.csr" >/dev/null << ENDE
DE
Germany
Niedernhausen-Oberjosbach
Harry Rueter Development
CAAUTHORITY
$FQDN
harry@hrnet.de
"What's the cat ?"
Nooptionalname
ENDE
if [ $? -ne 0 ]
then
    echo "Error: couldn't create signing request"
    rm -f "$TMPDIR"/CA.*
    exit 1
fi
echo -n "Generating CA for $CASERVER"
# openssl x509 -req only adds extensions read from the file named with -extfile;
# with -extensions alone it adds none, so the x509v3_CA section was never applied
# and the CA certificate carried no CA:TRUE basicConstraints. The section is
# written here so the script does not depend on a matching entry in openssl.cnf.
cat > "$TMPDIR/CA.ext" << ENDEXT
[ x509v3_CA ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
ENDEXT
openssl x509 -req -days 999 -in "$TMPDIR/CA.csr" -signkey "$TMPDIR/CA.key" \
    -extfile "$TMPDIR/CA.ext" -extensions x509v3_CA -out "$TMPDIR/CA.crt"
if [ $? -ne 0 ]
then
    echo "Error: couldn't create CA"
    rm -f "$TMPDIR"/CA.*
    exit 1
fi
openssl x509 -text -noout -in "$TMPDIR/CA.crt" | less
echo "PRESS return"
read dummy    # a bare "read" without a variable name is not POSIX sh
chmod 400 "$TMPDIR/CA.key"
chmod 444 "$TMPDIR/CA.crt"
mv "$TMPDIR/CA.key" "$KEYDIR/CA.key"
mv "$TMPDIR/CA.crt" "$CERTDIR/CA.crt"
rm -f "$TMPDIR"/CA.*    # leftover CSR and extension file
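Added example, not code from the mail above or from OpenLDAP: the slurpd trace ends in X.509 error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), which OpenSSL raises when the self-signed root at the top of the chain the server presents is not among the CAs the verifying side trusts. The script rebuilds that situation with throwaway certificates using only the openssl CLI (the names realca, otherca, server and the example.test hostname are constructed) and then shows the same chain verifying once the verifier is handed the CA that actually signed it.

```shell
#!/bin/sh
# Constructed demo: reproduce X.509 verify error 19 (self-signed certificate
# in certificate chain) with a throwaway CA and server cert, then show the same
# chain passing once the verifier is given the right CA. Needs only openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA with an explicit CA:TRUE. openssl x509 -req adds
# no extensions unless -extfile is given, so the section is written inline.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -subj "/O=Example Corp/OU=CAAUTHORITY/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA: server certificate for NAME signed by CA
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -subj "/O=Example Corp/CN=$1.example.test" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain TRUST_CA LEAF CHAIN_CA: verify LEAF the way a TLS client does:
# the chain the server would present (LEAF + CHAIN_CA) is untrusted input and
# TRUST_CA is the only trust anchor. Prints the numeric X.509 error, 0 = OK.
verify_chain() {
    out=$(openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$3.crt" \
          "$WORK/$2.crt" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

make_ca realca
make_ca otherca
make_leaf server realca

# the server's chain ends in realca but the client only trusts otherca -> 19,
# reported at depth 1 exactly as in the slurpd trace
echo "trust anchor mismatch: error $(verify_chain otherca server realca)"
# same chain, verifier given the CA.crt that signed it -> 0
echo "matching CA.crt:       error $(verify_chain realca server realca)"
```

Against real files the same check is `openssl verify -CAfile CA.crt -untrusted CA.crt 486dx66.crt`; error 19 there means the verifying side was not given the CA.crt that signed the chain, and a clean result means the certificates themselves are fine.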