Ok, dumb question... The CA.sh (and CA.pl) both build with a passphrase on the *.pem. I've tried to NOT enter a passphrase, but it won't take it. I've tried using openssl commands to remove the passphrase...but, that's not working either. Any ideas? Thanks, John -----Original Message----- From: Dieter KlÃnter [mailto:dieter@dkluenter.de] Sent: Tuesday, March 11, 2014 2:17 PM To: Borresen, John - 0442 - MITLL Cc: openldap-technical@openldap.org Subject: Re: TLS QUESTION Am Tue, 11 Mar 2014 13:15:21 -0400 schrieb "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>: > Dieter; > > Now, receiving the following when attempting to sign the cert: > > Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase > for /usr/local/openldap/etc/openldap/CA_test/private/cakey.pem: Error > reading certificate request in /etc/openldap/CA_test/newreq.pem > 2729:error:0906D06C:PEM routines:PEM_read_bio:no start > line:pem_lib.c:647:Expecting: CERTIFICATE REQUEST Signed certificate > is in newcert.pem I would sys you delete all certificates and certificate database files and restart from scratch. If you are using the openssl CA tools in order to create certificates, /etc/ssl/openssl.cnf should be modified to meet your requirements (in particular FQDN). Run ./CA.pl -newca ./CA.pl -newreq ./CA.pl -sign openssl rsa -in nrewreq.pem -out myKey.pem mv newcert.pem host.pem ./CA.pl -verify host.pem -Dieter > > -----Original Message----- > From: Dieter KlÃnter [mailto:dieter@dkluenter.de] > Sent: Tuesday, March 11, 2014 9:31 AM > To: Borresen, John - 0442 - MITLL > Cc: openldap-technical@openldap.org > Subject: Re: TLS QUESTION > > Am Tue, 11 Mar 2014 09:19:15 -0400 > schrieb "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>: > > > Guten morgen Dieter; > > > > I ran the openssl commands indicated below. > > > > But, ran them against my cacert.pem -- both the original and new > > successfully (they failed with servercrt.pem). > > > > I re-ran the CA.sh script this morning, and receiving the following > > errors when creating a new CA: > > > > Certificate is to be certified until Mar 8 13:09:05 2024 GMT (3650 > > days) failed to update database > > TXT_DB error number 2 > > This is an error of your certificate database files index.txt and > serial. > > -Dieter > > > > > -----Original Message----- > > From: Dieter KlÃnter [mailto:dieter@dkluenter.de] > > Sent: Monday, March 10, 2014 5:12 PM > > To: Borresen, John - 0442 - MITLL > > Subject: Re: TLS QUESTION > > > > Am Mon, 10 Mar 2014 16:55:04 -0400 > > schrieb "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>: > > > > > Vielen Danke Dieter; > > > > > > Originally my command to create the client.pem was: > > > > > > grep -A 100 CERTIFICATE cacert.pem > client.pem > > > > > > Then I scp'd that out to the clients. That worked when doing SSL > > > on port 636 (and not wild-card certificates), but it is not > > > working now on TLS over 389 to mm-server1 and mm-server3 with > > > wild-card certs. > > > > > > The cacert.pem and client.pem is on each client. > > > > > > Doing further reading...the client.pem since it was built off the > > > cacert.pem (the server certificate) it should work. > > > > > > Should I use the cacert.pem or the servercrt.pem to create the > > > client.pem? > > > > Test this on each host > > openssl verify -CAfile path/to/ca client.pem servercert.pem > > > > openssl x509 -in servercert.pem -noout -text check for Common Name > > > > -Dieter > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > From: Dieter KlÃnter [mailto:dieter@dkluenter.de] > > > Sent: Monday, March 10, 2014 2:41 PM > > > To: Borresen, John - 0442 - MITLL > > > Subject: Re: TLS QUESTION > > > > > > Am Mon, 10 Mar 2014 13:33:53 -0400 schrieb "Borresen, John - 0442 > > > - MITLL" > > > <John.Borresen@ll.mit.edu>: > > > > > > > Thanks Dieter... > > > > > > > > As I stated I saw Howard Chu's response to an individual in > > > > 2005 with a similar issue and he stated then, " For the slapd > > > > server you use the corresponding TLSCACertificateFile directive. > > > > You must use these configuration directives if you want to > > > > accept a self-signed cert." > > > > > > > > I did add the olcTLSCACertificateFile attribute (just forgot to > > > > list it in my original post). Was not certain at the time if > > > > the "olcTLSCertificateFile" should be removed so I did not > > > > remove it. So, before I do remove it, the attribute should be > > > > "olcTLSCACertificateFile" instead of "olcTLSCertificateFile" > > > > (and this should be removed), correct? > > > > > > > > The CA directories on all three servers look like this: > > > > > > > > # ll > > > > total 28 > > > > lrwxrwxrwx 1 root root 10 Jan 24 11:44 600f07a1.0 -> > > > > cacert.pem --> client hash -rw-r--r-- 1 ldap ldap 5136 Jan 17 > > > > 12:15 cacert.pem --> Self-signed certificate -rw-r--r-- 1 ldap > > > > ldap 1090 Jan 17 12:07 cert.csr --> Certificate Signing Request > > > > -rw-r--r-- 1 ldap ldap 1757 Jan 17 12:23 client.pem --> Client > > > > Certificate PEM -rw-r--r-- 1 ldap ldap 0 Jan 14 16:20 > > > > index.txt drwxr-xr-x 2 ldap ldap 4096 Jan 14 16:18 newcerts > > > > (empty) drwxr-xr-x 2 ldap ldap 4096 Jan 17 12:06 private --> > > > > server private key directory (cakey.pem) -rw-r--r-- 1 ldap > > > > ldap 3 Jan 17 11:59 serial This may sound like a dumb > > > > question... > > > > > > > > I created the client.pem from the cacert.pem (as indicated on > > > > openssl.org) then copied that to each client. Is there a step I > > > > missed in there? > > > > > > Yes, you have to create a client certificate for each host, while > > > the Common Name must match the FQDN of this host. my blog entry > > > may be of help: > > > > > > https://sys4.de/de/blog/2013/08/20/how-create-and-administer-x509- > > > ce > > > rt > > > ificate-chains-part-i > > > > > > -Dieter > > > > > > > If so, where? > > > > > > > > Thanks in advance > > > > > > > > John > > > > -----Original Message----- > > > > From: openldap-technical-bounces@OpenLDAP.org > > > > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of > > > > Dieter KlÃnter Sent: Monday, March 10, 2014 12:58 PM To: > > > > openldap-technical@openldap.org Subject: Re: TLS QUESTION > > > > > > > > Am Mon, 10 Mar 2014 11:18:14 -0400 schrieb "Borresen, John - > > > > 0442 > > > > - MITLL" > > > > <John.Borresen@ll.mit.edu>: > > > > > > > > > All, > > > > > > > > > > > > > > > > > > > > My set up consists of three servers each syncing with each > > > > > other. The host names are: > > > > > > > > > > 1) mm-server1.example.ldap > > > > > > > > > > 2) mm-server2.example.ldap > > > > > > > > > > 3) mm-server3.example.ldap > > > > > > > > > > > > > > > > > > > > Utilizing TLSv1, on all three I have: > > > > > > > > > > olcTLSCertificateFile: > > > > > /usr/local/openldap/etc/openldap/CA/cacert.pem > > > > > > > > this should be opcTLSCAcertificateFile > > > > > > > > > > > > > > olcTLSCertificateKeyFile: > > > > > /usr/local/openldap/etc/openldap/CA/private/cakey.pem > > > > > > > > you are misssing the host certificate, something like > > > > olcTLSCertificateFile > > > > /usr/local/openldap/etc/openldap/CA/host.pem > > > > > > > > > > > > > > olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3 > > > > > > > > > > > > > > > > > > > > Configured with self-signed wild-card certs, originally > > > > > configured (using openssl 0.9.8) on mm-server2 and exported to > > > > > the other servers. > > > > > > > > > > > > > > > > > > > > When running ldapmodify, ldapsearch, etc with a "-Z", and > > > > > openssl s_client on mm-server1 or mm-server3 or any client > > > > > pointing back to mm-server1 or 3, I receive the following > > > > > error: > > > > > > > > > > > > > > > > > > > > TLS certificate verification: Error, self signed certificate > > > > > > > > > > TLS: can't connect: error:14090086:SSL > > > > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > > > > (self signed certificate). > > > > > > > > > > ldap_start_tls: Connect error (-11) > > > > > > > > > > additional info: error:14090086:SSL > > > > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > > > > (self signed certificate) > > > > > > > > > > > > > > > > > > > > Running any of those to mm-server2, it works with no such > > > > > error. > > > > > > > > > > > > > > > > > > > > I am guessing, that since the certs were created on > > > > > mm-server2, originally, that is why it works this way. Also, > > > > > guessing I missed a step somewhere. > > > > > > > > > > > > > > > > > > > > I read online a post from 2005 with a good explanation of > > > > > self-signed from Howard Chu about a similar problem. > > > > > > > > > > > > > > > > > > > > What is the best procedure for creating wild-card certs and > > > > > sharing those out to other servers? The procedure that was > > > > > used was from openssl.org so it was not a fly-by-night weblog. > > > > > > > > > > > > > > > > > > > > What did I miss (besides: a lot)? > > > > > > > > > > > > > > > > > > > > Thanks in advance, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > John D. Borresen (Dave) > > > > > > > > > > Linux/Unix Systems Administrator > > > > > > > > > > MIT Lincoln Laboratory > > > > > > > > > > Surveillance Systems Group > > > > > > > > > > 244 Wood St > > > > > > > > > > Lexington, MA 02420 > > > > > > > > > > Ph: (781) 981-1609 > > > > > > > > > > Email: john.borresen@ll.mit.edu > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Dieter KlÃnter | Systemberatung > > > > http://sys4.de > > > > GPG Key ID: E9ED159B > > > > 53Â37'09,95"N > > > > 10Â08'02,42"E > > > > > > > > > > > > > > > > -- > > > Dieter KlÃnter | Systemberatung > > > http://sys4.de > > > GPG Key ID: E9ED159B > > > 53Â37'09,95"N > > > 10Â08'02,42"E > > > > > > > > -- > > Dieter KlÃnter | Systemberatung > > http://sys4.de > > GPG Key ID: E9ED159B > > 53Â37'09,95"N > > 10Â08'02,42"E > > > > -- > Dieter KlÃnter | Systemberatung > http://sys4.de > GPG Key ID: E9ED159B > 53Â37'09,95"N > 10Â08'02,42"E -- Dieter KlÃnter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53Â37'09,95"N 10Â08'02,42"E
Attachment:
smime.p7s
Description: S/MIME cryptographic signature