Enable SSL on 389 Directory Server LDAP, CentOS 7

Discussion in 'HOWTO-Related Questions' started by perkins1724, Sep 28, 2015.

    perkins1724

    I've been following the instructions to secure Kolab (sorry, I cannot link, but it is: docs dot kolab dot org slash howtos slash secure-kolab-server dot html) and have got stuck on the 389 Directory Service LDAP section. Note: I am aware it can be skipped, but I had long-term plans to access the service from remote machines.

    Log files show
    Code:
    Peer does not recognize and trust the CA that issued your certificate
    
    Each step of the process appears to work fine. However, at the end I cannot connect securely:
    Code:
    [root@mail]# ldapsearch -x -H ldaps://XXXX.XXXX.XXX.XXX  -b "cn=kolab,cn=config" -D "cn=Directory Manager"  -w "${passwd}"
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    A standard connection seems to work fine:
    Code:
    [root@mail]# ldapsearch -x -H ldap://XXXX.XXXX.XXX.XXX  -b "cn=kolab,cn=config" -D "cn=Directory Manager"  -w "${passwd}"
    # extended LDIF
    #
    # LDAPv3
    # base <cn=kolab,cn=config> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    # kolab, config
    dn: cn=kolab,cn=config
    objectClass: top
    objectClass: extensibleobject
    cn: kolab
    # XXXX.XXX.XXX, kolab, config
    dn: associateddomain=XXXX.XXX.XXX,cn=kolab,cn=config
    objectClass: top
    objectClass: domainrelatedobject
    associatedDomain: XXXX.XXX.XXX
    associatedDomain: localhost
    associatedDomain: XXXX.XXXX.XXX.XXX
    associatedDomain: localhost.localdomain
    # search result
    search: 2
    result: 0 Success
    # numResponses: 3
    # numEntries: 2
    And I think an openssl connection works too:
    Code:
    [root@mail]# openssl s_client -connect localhost:636
    CONNECTED(00000003)
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 C = AU, CN = XXXX.XXXX.XXX.XXX, emailAddress = [email protected]
    verify return:1
    ---
    Certificate chain
    0 s:/C=AU/CN=XXXX.XXXX.XXX.XXX/[email protected]
      i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXx
    -----END CERTIFICATE-----
    subject=/C=AU/CN=XXXX.XXXX.XXX.XXX/[email protected]
    issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    ---
    Acceptable client certificate CA names
    /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    ---
    SSL handshake has read 1947 bytes and written 579 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
      Protocol  : TLSv1.2
      Cipher  : AES128-GCM-SHA256
      Session-ID: XXXXXXXXXXXXXXXX
      Session-ID-ctx:
      Master-Key: XXXXXXXXXXXXXXXXXX
      Key-Arg  : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      Start Time: 1443403788
      Timeout  : 300 (sec)
      Verify return code: 0 (ok)
    ---
    The access log shows the following for the failed ldaps connection:
    Code:
    [28/Sep/2015:11:13:38 +091800] conn=17 fd=64 slot=64 SSL connection from ::1 to ::1
    [28/Sep/2015:11:13:38 +091800] conn=17 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
    The error log shows the following at startup:
    Code:
    [28/Sep/2015:10:48:23 +091800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

    I have tried numerous things, mostly variants of either moving the various .crt, .pem and .key files to different locations or adding the CA chain block to the end of anything I can think of. But I feel I am shooting blind and am probably doing more damage than good at this point.

    This is a clean recent install of CentOS 7 and Kolab.

    Some specific guidance on where I need to be looking would be greatly appreciated.
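
The two clues in the post point the same way: the `openssl s_client` output lists only the depth-0 certificate under "Certificate chain", and the startup error's NSS code -8179 is SEC_ERROR_UNKNOWN_ISSUER, so neither slapd's own verification nor a client can build a path from Server-Cert to a root unless the StartCom intermediate is already in their store. The check below is an added example, not from the post or the Kolab docs: it parses the s_client chain section and the 389-ds error line, and reports which issuer DN is missing. The DNs are the ones in the post; the chain texts are constructed, and it assumes the StartCom root is the only trust anchor (the post's s_client run verified up to it).

```python
import re

# DNs copied from the post's s_client output (the leaf's CN is redacted there as well).
ROOT = "/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority"
INTERMEDIATE = ("/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing"
                "/CN=StartCom Class 1 Primary Intermediate Server CA")
LEAF = "/C=AU/CN=XXXX.XXXX.XXX.XXX"

# Constructed 'Certificate chain' sections as `openssl s_client -connect host:636` prints them:
# LEAF_ONLY mirrors the post (only depth 0 sent); WITH_INTERMEDIATE is what a fixed server sends.
LEAF_ONLY = f"Certificate chain\n 0 s:{LEAF}\n   i:{INTERMEDIATE}\n---\n"
WITH_INTERMEDIATE = (f"Certificate chain\n 0 s:{LEAF}\n   i:{INTERMEDIATE}\n"
                     f" 1 s:{INTERMEDIATE}\n   i:{ROOT}\n---\n")
# Roots the verifying side already trusts (the post's s_client run validated up to this root).
TRUSTED_ROOTS = {ROOT}

CHAIN_RE = re.compile(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in CHAIN_RE.finditer(s_client_output)]

def chain_gap(s_client_output, trusted_roots):
    """Walk leaf -> issuer using only the presented certs plus the trusted roots.
    Returns None when the path reaches a trusted root, otherwise the first issuer
    DN that the server did not present and the trust store does not contain."""
    certs = parse_chain(s_client_output)
    if not certs:
        return "no certificate chain in output"
    by_subject = dict(certs)
    subject, issuer = certs[0]
    seen = set()
    while issuer not in trusted_roots:
        if issuer not in by_subject or issuer in seen:
            return issuer  # no presented cert continues the path from here
        seen.add(subject)
        subject, issuer = issuer, by_subject[issuer]
    return None

# Subset of NSS error codes as 389-ds logs them ("Netscape Portable Runtime error N").
NSS_ERRORS = {
    -8179: "SEC_ERROR_UNKNOWN_ISSUER (issuer cert absent from the slapd NSS database)",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER (issuer cert is present but not trusted)",
}
NSS_RE = re.compile(r"Netscape Portable Runtime error (-\d+)")

def decode_nss_error(error_log_line):
    """Map the NSS error code in a 389-ds error log line to its symbolic name, or None."""
    m = NSS_RE.search(error_log_line)
    return NSS_ERRORS.get(int(m.group(1)), "unknown NSS error " + m.group(1)) if m else None
```

On the server the same gap is visible in slapd's own store: `certutil -d /etc/dirsrv/slapd-INSTANCE -L` (INSTANCE is a placeholder for your instance name) lists which CA certificates and trust flags the directory server has, and the issuer DN reported above should appear there with CA trust before the ldaps bind can succeed.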