Hello, currently I am a bit stuck with getting 389 Server working and
would appreciate any help... I have followed
https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
and a guide to import certificates and keys from Let's Encrypt, which
seems to work accordingly.
But whenever I make a secure connection, I get the error above, i.e.
using dsidm:
obel1x:/ # dsidm -v ldaps://obel1x.de:636 -b 'dc=obel1x,dc=de' -D
'cn=Directory Manager' client_config sssd.conf server_admins
DEBUG: The 389 Directory Server Identity Manager
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: ['obel1x']
DEBUG: dsrc no such section: slapd-ldaps://obel1x.de:636
DEBUG: Called with: Namespace(allowed_group='server_admins',
basedn='dc=obel1x,dc=de', binddn='cn=Directory Manager', bindpw=None,
func=<function sssd_conf at 0x7fbd8cd3a6a8>,
instance='ldaps://obel1x.de:636', json=False, prompt=False,
pwdfile=None, starttls=False, verbose=True)
DEBUG: Instance details: {'uri': 'ldaps://obel1x.de:636', 'basedn':
'dc=obel1x,dc=de', 'binddn': 'cn=Directory Manager', 'bindpw': None,
'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key':
None, 'tls_reqcert': None, 'starttls': False, 'prompt': False,
'pwdfile': None, 'args': {'ldapurl': 'ldaps://obel1x.de:636', 'root-dn':
'cn=Directory Manager'}}
DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
Enter password for cn=Directory Manager on ldaps://obel1x.de:636:
DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
DEBUG: open(): Connecting to uri ldaps://obel1x.de:636
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: Cannot connect to 'ldaps://obel1x.de:636'
DEBUG: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
(unable to get local issuer certificate)'}
Traceback (most recent call last):
File "/usr/sbin/dsidm", line 129, in <module>
inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose,
args=args)
File "/usr/lib/python3.6/site-packages/lib389/cli_base/__init__.py",
line 152, in connect_instance
starttls=dsrc_inst['starttls'], connOnly=True)
File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line
1074, in open
raise e
File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line
1070, in open
self.simple_bind_s(ensure_str(self.binddn), self.bindpw,
escapehatch='i am sure')
File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175,
in inner
return f(*args, **kwargs)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
443, in simple_bind_s
msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175,
in inner
return f(*args, **kwargs)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
437, in simple_bind
return
self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175,
in inner
return f(*args, **kwargs)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in
reraise
raise exc_value
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
313, in _ldap_call
result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info':
'error:1416F086:SSL routines:tls_process_server_certificate:certificate
verify failed (unable to get local issuer certificate)'}
ERROR: Error: Can't contact LDAP server - error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
(unable to get local issuer certificate)
This also affects sssd and ldapsearch, of course.
Testing SSL looks OK to me:
obel1x:~ #openssl s_client -connect obel1x.de:636 -showcerts </dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = obel1x.de
verify return:1
---
Certificate chain
0 s:CN = obel1x.de
i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
---
Server certificate
subject=CN = obel1x.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3107 bytes and written 375 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
And the keystore is:
obel1x:/etc/dirsrv/slapd-obel1x #certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 88a40a16c8cee80cda1804e08f3f87eea6f6a2ab Server-Cert
obel1x:/etc/dirsrv/slapd-obel1x #certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,
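The dsidm log above shows the client side reading its trust settings from a .dsrc file and from the /etc/openldap/ldap.conf certificate policy (ending up with OPT_X_TLS_REQUIRE_CERT = 2), while openssl s_client, which verified the chain fine, consults OpenSSL's default trust store. The following is an added example, not the poster's code and not part of 389-ds or lib389: a small checker that parses both client-side files and reports which CA sources and which verification level the LDAP client will actually apply, so the "unable to get local issuer certificate" outcome can be predicted without a live connection. The ldap.conf and .dsrc contents are constructed samples; the numeric TLS_REQCERT mapping is python-ldap's OPT_X_TLS_NEVER/HARD/DEMAND/ALLOW/TRY constants; the assumption that a tls_* key in .dsrc overrides the matching ldap.conf directive is mine.

```python
import configparser
import os
import ssl

# python-ldap's numeric values for OPT_X_TLS_REQUIRE_CERT
# (ldap.OPT_X_TLS_NEVER, _HARD, _DEMAND, _ALLOW, _TRY); the dsidm log
# above reports the resulting value 2, i.e. "demand".
REQCERT_LEVELS = {"never": 0, "hard": 1, "demand": 2, "allow": 3, "try": 4}
# levels at which an unverifiable chain aborts the connection
STRICT_LEVELS = {"hard", "demand"}

# Constructed sample ldap.conf (not the poster's file).
SAMPLE_LDAP_CONF = """\
BASE   dc=obel1x,dc=de
URI    ldaps://obel1x.de:636
# directory that may be empty or missing on this host
TLS_CACERTDIR  /etc/openldap/certs
TLS_REQCERT    demand
"""

# Constructed sample ~/.dsrc (not the poster's file).
SAMPLE_DSRC = """\
[slapd-obel1x]
uri = ldaps://obel1x.de:636
basedn = dc=obel1x,dc=de
binddn = cn=Directory Manager
tls_reqcert = hard
"""


def parse_ldap_conf(text):
    """Collect the TLS_* directives from an OpenLDAP ldap.conf body.

    Directive names are case-insensitive in ldap.conf and are normalised to
    upper case here; comment and blank lines are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def parse_dsrc(text, instance):
    """Return the tls_* keys from the [slapd-<instance>] section of a .dsrc.

    lib389 looks the instance up under a "slapd-" prefixed section, which is
    why the log reports 'no such section: slapd-ldaps://obel1x.de:636' when a
    URI instead of an instance name is passed.  A missing section yields {}.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    section = f"slapd-{instance}"
    if not cp.has_section(section):
        return {}
    return {k: v for k, v in cp.items(section) if k.startswith("tls_")}


def openssl_default_trust():
    """CA file/dir OpenSSL falls back to when no -CAfile/-CApath is given,
    i.e. what `openssl s_client` relied on for its 'Verification: OK'."""
    paths = ssl.get_default_verify_paths()
    return [p for p in (paths.cafile, paths.capath) if p]


def diagnose(ldap_conf, dsrc, exists=os.path.exists):
    """Work out the verification level and CA sources the LDAP client uses.

    Assumption (hypothetical, not from the page): a tls_* key in .dsrc takes
    precedence over the matching ldap.conf directive.  `exists` is injectable
    so the check can be run against constructed paths.
    """
    reqcert = (dsrc.get("tls_reqcert")
               or ldap_conf.get("TLS_REQCERT", "demand")).lower()
    level = REQCERT_LEVELS.get(reqcert)
    ca_sources = [p for p in (dsrc.get("tls_cacertdir"),
                              ldap_conf.get("TLS_CACERT"),
                              ldap_conf.get("TLS_CACERTDIR")) if p]
    usable = [p for p in ca_sources if exists(p)]
    findings = []
    if level is None:
        findings.append(f"unknown TLS_REQCERT value {reqcert!r}")
    if reqcert in STRICT_LEVELS and not usable:
        findings.append(
            f"no readable CA source configured; with TLS_REQCERT {reqcert} "
            "the handshake fails with 'certificate verify failed "
            "(unable to get local issuer certificate)'")
    if reqcert not in STRICT_LEVELS:
        findings.append(f"TLS_REQCERT {reqcert} does not enforce chain validation")
    return {"reqcert": reqcert, "require_cert": level,
            "ca_sources": ca_sources, "usable_ca_sources": usable,
            "findings": findings}


if __name__ == "__main__":
    report = diagnose(parse_ldap_conf(SAMPLE_LDAP_CONF),
                      parse_dsrc(SAMPLE_DSRC, "obel1x"))
    print("LDAP client trust:", report)
    print("OpenSSL default trust:", openssl_default_trust())
```

Run against the real /etc/openldap/ldap.conf and ~/.dsrc, the report shows whether the client has any CA source that actually exists on disk; if it does not while openssl_default_trust() does, the two tools are verifying against different stores, which is consistent with s_client succeeding and dsidm failing.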