Greetings,

 

I'm trying to get LDAP to work with TLS, but when I use the ldapsearch
command to verify that TLS is working, this error is a showstopper for me.

The error is:

 

TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown
PKCS #11 error.

 

 

!!Here's how this surfaced!!

 

 

I just created a CA using an openssl.cnf and the openssl command.

 

Here's my openssl.cnf:

 

[ ca ]
default_ca = mypersonalca

[ mypersonalca ]
#
# WARNING: if you change that, change the default_keyfile in the [req] section below too
# Where everything is kept
dir = ./mypersonalca

# Where the issued certs are kept
certs = $dir/certs

# Where the issued crl are kept
crl_dir = $dir/crl

# database index file
database = $dir/index.txt

# default place for new certs
new_certs_dir = $dir/certs

#
# The CA certificate
certificate = $dir/certs/ca.pem

# The current serial number
serial = $dir/serial

# The current CRL
crl = $dir/crl/crl.pem

# WARNING: if you change that, change the default_keyfile in the [req] section below too
# The private key
private_key = $dir/private/ca.key

# private random number file
RANDFILE = $dir/private/.rand

# The extensions to add to the cert
# NOTE(review): x509_extensions is assigned a second time further down in
# this section (= certificate_extensions). OpenSSL keeps the later value, and
# no [ usr_cert ] section exists in this file, so this line has no effect.
x509_extensions = usr_cert

# how long to certify for
default_days = 365

# how long before next CRL
default_crl_days= 30

# which md to use; people in comments indicated to use sha1 here
# NOTE(review): SHA-1 certificate signatures are deprecated and are rejected
# by current TLS clients; sha256 is the usual choice for a new CA. This value
# is what `openssl ca` signs issued certificates with.
default_md = sha1

# keep passed DN ordering
preserve = no

# Section names
policy = mypolicy

# This is the assignment that actually applies (see note above).
x509_extensions = certificate_extensions

[ mypolicy ]
# Use the supplied information
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
# The signed certificate cannot be used as CA
# NOTE(review): no subjectAltName is added here, so issued server certs carry
# only a CN; clients that match the hostname against SAN entries will not
# accept them for hostname verification.
basicConstraints = CA:false

[ req ]
# same as private_key
default_keyfile = ./mypersonalca/private/ca.key

# Which hash to use
# NOTE(review): same SHA-1 caveat as default_md above; this one covers the
# self-signed CA certificate produced by `openssl req -x509`.
default_md = sha1

# No prompts
prompt = no

# This is for CA
# NOTE(review): the next three keys are X.509 extension settings. Placed
# directly in [ req ] they are not read; extensions are taken only from the
# section named by x509_extensions (root_ca_extensions below), which currently
# sets basicConstraints alone — so the CA cert gets no SKI/AKI from these.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
string_mask = utf8only
basicConstraints = CA:true
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
# EDIT THOSE
commonName = My Personal CA
stateOrProvinceName = California
countryName = US
emailAddress = ce...@example.com
organizationName = My Personal Certification Authority

[ root_ca_extensions ]
# Extensions actually applied to the self-signed CA certificate (see note in
# [ req ]); subjectKeyIdentifier/authorityKeyIdentifier would belong here.
basicConstraints = CA:true

 

Here's the command that I used to create the CA.

 

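# Create the self-signed CA certificate and its private key from ca.cnf.
# openssl reads its configuration file from OPENSSL_CONF (as the signing
# step further down does); the original line set a variable named OPENSSL,
# which openssl does not read, so ca.cnf would not have been applied here.
# -nodes leaves the CA private key unencrypted on disk: anyone who can read
# ./mypersonalca/private/ca.key can issue certificates this CA trusts, so
# keep that file's permissions tight.
OPENSSL_CONF=ca.cnf openssl req -x509 -nodes -days 3650 \
  -newkey rsa:2048 -out mypersonalca/certs/ca.pem \
  -outform PEM -keyout ./mypersonalca/private/ca.key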

 

Here's the command that created the certificate key and signing request.

 

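# Generate the server's private key (cert.key) and a certificate signing
# request (cert.req) for the CA to sign.
# rsa:2048 replaces rsa:1024, matching the CA key: 1024-bit RSA is below
# current minimums and is refused by modern TLS stacks.
# -sha256 replaces -sha1; this only signs the CSR itself — the issued
# certificate's signature algorithm comes from default_md in ca.cnf.
# No OPENSSL_CONF is set, so ca.cnf's [ req ] section (which carries the
# CA's own DN) is not used here; the subject comes from the default config.
# -nodes leaves cert.key unencrypted so slapd can read it at startup;
# protect it with file permissions instead.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout cert.key -keyform PEM -out cert.req -outform PEM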

 

Here's the command that signed the certificate.

 

OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in cert.req -out cert.pem

 

But when I did ' ldapsearch -d -1 -x -LLL -ZZ' to verify that TLS is
working, I got:

 

[root@fl1-lsh99apa007 ~]# ldapsearch -d -1 -x -LLL -ZZ

ldap_create

ldap_extended_operation_s

ldap_extended_operation

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP fl1-lsh99apa007.securesites.com:389

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying 10.227.2.122:389

ldap_pvt_connect: fd: 3 tm: -1 async: 0

ldap_open_defconn: successful

ldap_send_server_request

ber_scanf fmt ({it) ber:

ber_dump: buf=0x10c8b00 ptr=0x10c8b00 end=0x10c8b1f len=31

  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31
0....w...1.3.6.1

  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37
.4.1.1466.20037

ber_scanf fmt ({) ber:

ber_dump: buf=0x10c8b00 ptr=0x10c8b05 end=0x10c8b1f len=26

  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e
w...1.3.6.1.4.1.

  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037

ber_flush2: 31 bytes to sd 3

  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31
0....w...1.3.6.1

  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37
.4.1.1466.20037

ldap_write: want=31, written=31

  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31
0....w...1.3.6.1

  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37
.4.1.1466.20037

ldap_result ld 0x10bf150 msgid 1

wait4msg ld 0x10bf150 msgid 1 (infinite timeout)

wait4msg continue ld 0x10bf150 msgid 1 all 1

** ld 0x10bf150 Connections:

* host: fl1-lsh99apa007.securesites.com  port: 389  (default)

  refcnt: 2  status: Connected

  last used: Tue Jun 18 15:19:12 2013

 

 

** ld 0x10bf150 Outstanding Requests:

* msgid 1,  origid 1, status InProgress

   outstanding referrals 0, parent count 0

  ld 0x10bf150 request count 1 (abandoned 0)

** ld 0x10bf150 Response Queue:

   Empty

  ld 0x10bf150 response count 0

ldap_chkResponseList ld 0x10bf150 msgid 1 all 1

ldap_chkResponseList returns ld 0x10bf150 NULL

ldap_int_select

read1msg: ld 0x10bf150 msgid 1 all 1

ber_get_next

ldap_read: want=8, got=8

  0000:  30 0c 02 01 01 78 07 0a                            0....x..

ldap_read: want=6, got=6

  0000:  01 00 04 00 04 00                                  ......

ber_get_next: tag 0x30 len 12 contents:

ber_dump: buf=0x10c9f30 ptr=0x10c9f30 end=0x10c9f3c len=12

  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........

read1msg: ld 0x10bf150 msgid 1 message type extended-result

ber_scanf fmt ({eAA) ber:

ber_dump: buf=0x10c9f30 ptr=0x10c9f33 end=0x10c9f3c len=9

  0000:  78 07 0a 01 00 04 00 04  00                        x........

read1msg: ld 0x10bf150 0 new referrals

read1msg:  mark request completed, ld 0x10bf150 msgid 1

request done: ld 0x10bf150 msgid 1

res_errno: 0, res_error: <>, res_matched: <>

ldap_free_request (origid 1, msgid 1)

ldap_parse_extended_result

ber_scanf fmt ({eAA) ber:

ber_dump: buf=0x10c9f30 ptr=0x10c9f33 end=0x10c9f3c len=9

  0000:  78 07 0a 01 00 04 00 04  00                        x........

ldap_parse_result

ber_scanf fmt ({iAA) ber:

ber_dump: buf=0x10c9f30 ptr=0x10c9f33 end=0x10c9f3c len=9

  0000:  78 07 0a 01 00 04 00 04  00                        x........

ber_scanf fmt (}) ber:

ber_dump: buf=0x10c9f30 ptr=0x10c9f3c end=0x10c9f3c len=0

 

ldap_msgfree

TLS: certdb config: configDir='/etc/openldap/cacerts'
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly

TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown
PKCS #11 error.

TLS: skipping 'ca.pem' - filename does not have expected format
(certificate hash with numeric suffix)

tls_write: want=102, written=102

  0000:  16 03 01 00 61 01 00 00  5d 03 01 51 c0 b2 b0 28
....a...]..Q...(

  0010:  c8 32 f9 e5 2a ec da dc  3d a0 76 5a 4b f1 5f 96
.2..*...=.vZK._.

  0020:  9e 8f f2 26 f3 35 14 34  9a 53 76 00 00 36 00 ff
...&.5.4.Sv..6..

  0030:  00 88 00 87 00 39 00 38  00 84 00 35 00 45 00 44
.....9.8...5.E.D

  0040:  00 66 00 33 00 32 00 96  00 41 00 05 00 04 00 2f
.f.3.2...A...../

  0050:  00 16 00 13 00 0a 00 15  00 12 00 09 00 64 00 62
.............d.b

  0060:  00 03 00 06 01 00                                  ......

tls_read: want=5, got=0

 

TLS: error: connect - force handshake failure: errno 0 - moznss error
-5938

TLS: can't connect: TLS error -5938:Encountered end of file.

ldap_err2string

ldap_start_tls: Connect error (-11)

        additional info: TLS error -5938:Encountered end of file

 

I also have this in my ldif file:

 

# Server-side TLS settings for slapd (cn=config): the CA chain, the server
# certificate and its private key. The slapd service account must be able
# to read these files; nothing else should be able to read cert.key.
# NOTE(review): these do not configure the ldapsearch client. Its trace above
# shows it looking for CA material in /etc/openldap/cacerts (a directory of
# hash-named files) and skipping a plain 'ca.pem'; the client needs its own
# TLS_CACERT (file) or TLS_CACERTDIR (hashed directory) entry in ldap.conf
# pointing at this CA certificate.
olcTLSCACertificateFile: /home/rsimioni/mypersonalca/certs/ca.pem
olcTLSCertificateFile: /home/rsimioni/cert.pem
olcTLSCertificateKeyFile: /home/rsimioni/cert.key
# NOTE(review): "allow" requests a client certificate but accepts sessions
# that present none (or a bad one); only "demand" makes client-certificate
# authentication mandatory.
olcTLSVerifyClient: allow

 



