Saturday, September 25, 2021

[389-users] Re: DSIDM/TLS: certificate verify failed (unable to get local issuer certificate)

On 9/25/21 12:52 PM, Daniel wrote:
> Hello, currently I am a bit stuck with getting 389 Server working and
> would appreciate any help... I have followed
> https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
>
> and a guide to import certificates and keys from letsencrypt, which
> seems to work accordingly.
>
> But whenever I make a secure connection, I get the error above, i.e.
> using dsidm:
>
> obel1x:/ # dsidm -v ldaps://obel1x.de:636 -b 'dc=obel1x,dc=de' -D
> 'cn=Directory Manager' client_config sssd.conf server_admins
> DEBUG: The 389 Directory Server Identity Manager
> DEBUG: Inspired by works of: ITS, The University of Adelaide
> DEBUG: dsrc path: /root/.dsrc
> DEBUG: dsrc container path: /data/config/container.inf
> DEBUG: dsrc instances: ['obel1x']
> DEBUG: dsrc no such section: slapd-ldaps://obel1x.de:636
> DEBUG: Called with: Namespace(allowed_group='server_admins',
> basedn='dc=obel1x,dc=de', binddn='cn=Directory Manager', bindpw=None,
> func=<function sssd_conf at 0x7fbd8cd3a6a8>,
> instance='ldaps://obel1x.de:636', json=False, prompt=False,
> pwdfile=None, starttls=False, verbose=True)
> DEBUG: Instance details: {'uri': 'ldaps://obel1x.de:636', 'basedn':
> 'dc=obel1x,dc=de', 'binddn': 'cn=Directory Manager', 'bindpw': None,
> 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key':
> None, 'tls_reqcert': None, 'starttls': False, 'prompt': False,
> 'pwdfile': None, 'args': {'ldapurl': 'ldaps://obel1x.de:636', 'root-dn':
> 'cn=Directory Manager'}}
> DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
> DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
> DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
> DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
> Enter password for cn=Directory Manager on ldaps://obel1x.de:636:
> DEBUG: SER_SERVERID_PROP not provided, assuming non-local instance
> DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://obel1x.de:636
> DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
> DEBUG: Allocate <class 'lib389.DirSrv'> with obel1x:389
> DEBUG: open(): Connecting to uri ldaps://obel1x.de:636
> DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-{instance_name}
> DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
> DEBUG: Using external ca certificate /etc/dirsrv/slapd-{instance_name}
> DEBUG: Using /etc/openldap/ldap.conf certificate policy
> DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
> DEBUG: Cannot connect to 'ldaps://obel1x.de:636'
> DEBUG: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (unable to get local issuer certificate)'}
> Traceback (most recent call last):
>   File "/usr/sbin/dsidm", line 129, in <module>
>     inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose,
> args=args)
>   File "/usr/lib/python3.6/site-packages/lib389/cli_base/__init__.py",
> line 152, in connect_instance
>     starttls=dsrc_inst['starttls'], connOnly=True)
>   File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line
> 1074, in open
>     raise e
>   File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line
> 1070, in open
>     self.simple_bind_s(ensure_str(self.binddn), self.bindpw,
> escapehatch='i am sure')
>   File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175,
> in inner
>     return f(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
> 443, in simple_bind_s
>     msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
>   File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175,
> in inner
>     return f(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
> 437, in simple_bind
>     return
> self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>
>   File "/usr/lib/python3.6/site-packages/lib389/__init__.py", line 175,
> in inner
>     return f(*args, **kwargs)
>   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
> 329, in _ldap_call
>     reraise(exc_type, exc_value, exc_traceback)
>   File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in
> reraise
>     raise exc_value
>   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line
> 313, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info':
> 'error:1416F086:SSL routines:tls_process_server_certificate:certificate
> verify failed (unable to get local issuer certificate)'}
> ERROR: Error: Can't contact LDAP server - error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (unable to get local issuer certificate)
>
> This also affects sssd and ldapsearch of course.
>
> Testing SSL looks ok for me
>
> obel1x:~ #openssl s_client -connect obel1x.de:636 -showcerts </dev/null
> CONNECTED(00000003)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = obel1x.de
> verify return:1
> ---
> Certificate chain
> 0 s:CN = obel1x.de
>   i:C = US, O = Let's Encrypt, CN = R3
> -----BEGIN CERTIFICATE-----
> xxx
>
> -----END CERTIFICATE-----
> 1 s:C = US, O = Let's Encrypt, CN = R3
>   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> -----BEGIN CERTIFICATE-----
> xxx
>
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=CN = obel1x.de
>
> issuer=C = US, O = Let's Encrypt, CN = R3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3107 bytes and written 375 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> DONE
>
> and the keystore is:
>
> obel1x:/etc/dirsrv/slapd-obel1x #certutil -K -d .
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> < 0> rsa      88a40a16c8cee80cda1804e08f3f87eea6f6a2ab   Server-Cert
> obel1x:/etc/dirsrv/slapd-obel1x #certutil -L -d .
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
>
> Server-Cert                                                  u,u,u
> ca_cert                                                      C,,

The ca_cert should have the trust flags:   CT,,

Try fixing this first.

Then make sure /etc/openldap/ldap.conf has the TLS_CACERTDIR set to
/etc/dirsrv/slapd-YOUR_INSTANCE_NAME

Second, we just fixed a bug in the CLI tools when trying to use LDAPS.  To
verify whether you are running into this bug, set up the ~/.dsrc file:

Here is an example of .dsrc file.  Adjust this for your setup.

/root/.dsrc

-----------------------------------------------------------

[localhost]
uri = ldaps://localhost
basedn = dc=example,dc=com
binddn = cn=Directory Manager
# You need to copy /etc/dirsrv/slapd-localhost/ca.crt to your host for this to work.
tls_cacertdir = /etc/dirsrv/slapd-localhost/

----------------------------------------------------------

More info on this:

https://www.port389.org/docs/389ds/howto/howto-install-389.html#setting-up-directory-manager-credentials

https://www.port389.org/docs/389ds/design/dsadm-dsconf.html#what-will-it-look-like


Then when you use the CLI tools you specify the instance identifier.  In
this example it is "localhost", and it will use the configuration from
/root/.dsrc

# dsidm localhost user get

HTH,

Mark

>
> where Server-Cert corresponds to cert.pem and ca_cert is chain.pem in
> letsencrypt.
>
> I have only found a small difference in the docs, which do say the key
> should read like:
>
> < 0> rsa 79187d744c73cd2f098edc80ce261e5ad94c4db2 NSS Certificate DB:Server-Cert
>
> to define that the key matches the certificate. I have not found a way
> to "bind" the key to the certificate or to link them, but the
> certificate should be the one of the key, as it has been derived from it
> and was imported with pk12util into the database.
>
> What can be wrong with dsidm connecting? Is it the key? Why is
> openssl not complaining then? And if so, how do I import it the right way?
>
> --
> Kind regards,
> Daniel
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure

--
Directory Server Development Team
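The three client-side checks Mark's reply asks for (CA trust flags in the NSS database, TLS_CACERTDIR in /etc/openldap/ldap.conf, and a ~/.dsrc stanza), as an added shell example that is not code from this thread or from the 389-ds project. It does not run certutil or contact a server: the certutil -L listing and the ldap.conf text are constructed samples embedded in the script (the instance name obel1x, the nicknames and the URI are taken from the post; the ldap.conf contents are assumed), and the script prints the certutil -M command, the TLS_CACERTDIR line and the .dsrc stanza that would follow from them.

```shell
#!/bin/sh
# Added example, not code from the 389-users thread or the 389-ds project.
# Audits the settings the reply points at, using constructed sample text so
# it runs without certutil or an LDAP server.
# Assumed/constructed: the instance name, the sample certutil -L output and
# the sample ldap.conf below.

INSTANCE="obel1x"
NSSDIR="/etc/dirsrv/slapd-$INSTANCE"

# Constructed sample: the `certutil -L -d $NSSDIR` listing from the post,
# with the CA imported as "C,," instead of "CT,,".
SAMPLE_CERTUTIL='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ca_cert                                                      C,,'

# Constructed sample /etc/openldap/ldap.conf with TLS_CACERTDIR left unset.
SAMPLE_LDAPCONF='BASE dc=obel1x,dc=de
URI ldaps://obel1x.de:636
#TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand'

# Turn `certutil -L` output into one "nickname<TAB>flags" line per cert.
# The trust string is always the last field; everything before it is the
# nickname (which may itself contain spaces, e.g. "NSS Certificate DB:...").
nss_trust_table() {
    printf '%s\n' "$1" | awk '
        /^Certificate Nickname/ { next }
        /SSL,S\/MIME,JAR\/XPI/  { next }
        NF == 0                 { next }
        { flags = $NF; $NF = ""; sub(/[ \t]+$/, ""); printf "%s\t%s\n", $0, flags }'
}

# Print the SSL column of an NSS trust string: "CT,," -> "CT", "u,u,u" -> "u".
ssl_flags() {
    printf '%s' "${1%%,*}"
}

# Exit 0 when the SSL column carries both C and T, the "CT,," the reply
# asks for on the CA entry.
has_ca_trust() {
    s=$(ssl_flags "$1")
    case $s in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Emit the certutil -M command for every certificate that is not a user
# cert (no "u" flag, so no private key behind it) and lacks CA trust.
# Prints nothing when the database already looks right.
nss_fix_commands() {
    nss_trust_table "$1" | while IFS="$(printf '\t')" read -r nick flags; do
        case $flags in *u*) continue ;; esac
        if ! has_ca_trust "$flags"; then
            printf 'certutil -M -d %s -n "%s" -t "CT,,"\n' "$NSSDIR" "$nick"
        fi
    done
}

# Print the effective TLS_CACERTDIR from ldap.conf text (last uncommented
# setting wins); prints nothing if it is not set.
ldapconf_cacertdir() {
    printf '%s\n' "$1" | awk 'toupper($1) == "TLS_CACERTDIR" { dir = $2 } END { if (dir != "") print dir }'
}

# Exit 0 when ldap.conf points TLS_CACERTDIR at the instance NSS database,
# which is where the reply says the CLI tools expect to find the CA.
ldapconf_ok() {
    [ "$(ldapconf_cacertdir "$1")" = "$NSSDIR" ]
}

# Render the ~/.dsrc stanza the reply describes: $1 section, $2 uri, $3 basedn.
render_dsrc() {
    printf '[%s]\nuri = %s\nbasedn = %s\nbinddn = cn=Directory Manager\ntls_cacertdir = %s/\n' \
        "$1" "$2" "$3" "$NSSDIR"
}

# Demo run over the constructed samples.
echo "== certificates needing a trust change =="
nss_fix_commands "$SAMPLE_CERTUTIL"
echo "== ldap.conf =="
if ldapconf_ok "$SAMPLE_LDAPCONF"; then
    echo "TLS_CACERTDIR already points at $NSSDIR"
else
    echo "TLS_CACERTDIR is '$(ldapconf_cacertdir "$SAMPLE_LDAPCONF")'; add: TLS_CACERTDIR $NSSDIR"
fi
echo "== suggested ~/.dsrc =="
render_dsrc "$INSTANCE" "ldaps://obel1x.de:636" "dc=obel1x,dc=de"
```

On a real host, replace the two sample strings with `"$(certutil -L -d "$NSSDIR")"` and `"$(cat /etc/openldap/ldap.conf)"`; the emitted `certutil -M` line is the only change the script proposes to the database, and `certutil -L -d "$NSSDIR"` afterwards should show the CA row as CT,,.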
