Friday, May 19, 2023

[389-users] Re: Unable to establish replication with STARTTLS

the error message
NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=DS11-ancds10" (ancds10:636) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate))

seems to indicate the LDAP service on the system trying to connect to ancds10:636 does not trust the issuer of the SSL server certificate installed for ancds10:636

a test command can be a LDAP search from DS11 trying to reach to ancds10:636
ldapsearch -LLLxD "cn=directory manager" -W -H ldaps://ancds10:636 -s base -b "" vendorVersion

Thanks,
M.


On Fri, May 19, 2023 at 4:22 PM John Thurston <john.thurston@alaska.gov> wrote:

Revisiting this problem of replication and certificates. Thank you Marc Sauton for pointing out the 'dsconf' command to spill the ca-cert list.

The synopsis is: instance #1 can replicate with instance #3 when #3 has a GlobalSign cert, but not when #3 has a Let's Encrypt cert. Instance #2 has no such problem replicating.

(All instances are running 1.4.4.17 B2021.280.1354 on CentOS)

On instance #1 (and on instance #2), when we use dsconf to ask about the ca-certificate list, we get:

Certificate Name: GlobalSign Root R3
Subject DN: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
Issuer DN: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
Expires: 2029-03-18 10:00:00
Trust Flags: CT,,

Certificate Name: GlobalSign RSA Organization Validation CA - 2018
Subject DN: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
Issuer DN: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
Expires: 2028-11-21 00:00:00
Trust Flags: CT,,

Certificate Name: Lets Encrypt Top
Subject DN: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Issuer DN: CN=DST Root CA X3,O=Digital Signature Trust Co.
Expires: 2024-09-30 18:14:03
Trust Flags: CT,,

Certificate Name: Lets Encrypt Intermediate
Subject DN: CN=R3,O=Let's Encrypt,C=US
Issuer DN: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Expires: 2025-09-15 16:00:00
Trust Flags: CT,,


On instance #3, when a GlobalSign cert is installed and port 636 is queried with openssl s_client:

CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 C = US, ST = Alaska, L = Juneau, O = State of Alaska, CN = ancds10.state.ak.us
verify return:1
---
Certificate chain
 0 s:C = US, ST = Alaska, L = Juneau, O = State of Alaska, CN = ancds10.state.ak.us
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 26 18:06:15 2023 GMT; NotAfter: May 27 18:06:14 2024 GMT
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 21 00:00:00 2018 GMT; NotAfter: Nov 21 00:00:00 2028 GMT
 2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 18 10:00:00 2009 GMT; NotAfter: Mar 18 10:00:00 2029 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGijCCBXKgAwIBAgIMfqUEla3ttBPK/lvlMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yMzA0MjYxODA2MTVaFw0y
NDA1MjcxODA2MTRaMGcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExDzAN
BgNVBAcTBkp1bmVhdTEYMBYGA1UEChMPU3RhdGUgb2YgQWxhc2thMRwwGgYDVQQD
ExNhbmNkczEwLnN0YXRlLmFrLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA12s9pW28BNfMPMUdV54DFGg7EmJv7pcmYhnOvq0vqQ845tEillOHptUj
muwVOgj8Dcl+PPiDHXeggwKdMA9253Pov7eVGzKfmNN1IwSmOZYKaNLKy1CNQS13
eD0Wov0+yq35CqRHWwsl8+7Og56IfPXSmmRQPp21VBC//qkcBezomtTaSSzeE1op
248cN8H0wjL0gsPdujzrJmr7xP1gNT4gZQVkNlEAo8hJ3IxvSPvJ+E24FJwMixVb
ICUz/crjRXG9nSSudP/225GxaaG3QPOSzOIZD4sT+Pt7lxmQU1syTChd5SHVK1AS
WW4I2z1j68/o/ujXiqeP4iiMysRzXQIDAQABo4IDSzCCA0cwDgYDVR0PAQH/BAQD
AgWgMIGOBggrBgEFBQcBAQSBgTB/MEQGCCsGAQUFBzAChjhodHRwOi8vc2VjdXJl
Lmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc3JzYW92c3NsY2EyMDE4LmNydDA3Bggr
BgEFBQcwAYYraHR0cDovL29jc3AuZ2xvYmFsc2lnbi5jb20vZ3Nyc2FvdnNzbGNh
MjAxODBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUFBwIBFiZodHRw
czovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgIwCQYD
VR0TBAIwADA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmdsb2JhbHNpZ24u
Y29tL2dzcnNhb3Zzc2xjYTIwMTguY3JsMB4GA1UdEQQXMBWCE2FuY2RzMTAuc3Rh
dGUuYWsudXMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQY
MBaAFPjvf/LNeGeo3m+PJI2I8YcDArPrMB0GA1UdDgQWBBQ7Sj3cl8+m/NHTW2Gs
QN+x7P7iMTCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYAc9meiRtMlnigIH1H
neayxhzQUV5xGSqMa4AQesF3crUAAAGHvr64EQAABAMARzBFAiBQcBIdszriaxKs
vUFlLbKEH4jRYQoKwWjWX7sKIJRn2AIhAJ54vIDKjHY+si3R6qKS/xKhHUWASU4l
YKxu/GPB+Z22AHYA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGH
vr65OAAABAMARzBFAiBFFZn7eXA4dcDwX4+DbuHqMgtFSqGWcb18/kNymrcXzAIh
AI1RfNaDFrbkPE2l/xc/Rj9C6zI4BvlGpcyw7CI+qAB3AHcA2ra/az+1tiKfm8K7
XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGHvr64vwAABAMASDBGAiEAjTr0QpjbfuZw
kH1C6/rvfI8vcuZsMijy3cByBjpiO4ACIQDYFzAcyjiG+8WA0KpM1roXLFZp/GXf
8hJP+yYVvKVtXzANBgkqhkiG9w0BAQsFAAOCAQEAld/5Th8eHwDUO273c0ISRWfI
ts1j/AzyhbKhhKJI/CuALjB34jsynQoqDOS4LevMsVwftGcw0LYzTNDyKaKtUKb5
Uj5El1dUdhne2Je+5jKu6lOeCvM5HZg/kEBdb5JRsl1GQxvnxlgEMq+kfFaphUAj
3u+zVkJsdbMk6mUBy8+7+NZM7l5c1QiXbFMP/VGh3u3fgVOgcLUuKMZaHa9UbhUq
mS6nOmmuVE9xNBgyCYfS2Fwrp+2j5zktFBzoxe+L8i37DVp83GKZQZxx5mOCC28J
YN57RNh3T7i+nDsGRVoVp28b2SmDKTh20tOYMs89khe0npancuIl7rklo+BlSg==
-----END CERTIFICATE-----
subject=C = US, ST = Alaska, L = Juneau, O = State of Alaska, CN = ancds10.state.ak.us
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4159 bytes and written 387 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE


On instance #3 when a Let's Encrypt cert is installed and port 636 queried with openssl s_client:


CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
verify return:1
depth=0 C = US, ST = Alaska, L = Juneau, O = State of Alaska, CN = ancds10.state.ak.us
verify return:1
---
Certificate chain
 0 s:C = US, ST = Alaska, L = Juneau, O = State of Alaska, CN = ancds10.state.ak.us
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 26 18:06:15 2023 GMT; NotAfter: May 27 18:06:14 2024 GMT
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 21 00:00:00 2018 GMT; NotAfter: Nov 21 00:00:00 2028 GMT
 2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 18 10:00:00 2009 GMT; NotAfter: Mar 18 10:00:00 2029 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGijCCBXKgAwIBAgIMfqUEla3ttBPK/lvlMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yMzA0MjYxODA2MTVaFw0y
NDA1MjcxODA2MTRaMGcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExDzAN
BgNVBAcTBkp1bmVhdTEYMBYGA1UEChMPU3RhdGUgb2YgQWxhc2thMRwwGgYDVQQD
ExNhbmNkczEwLnN0YXRlLmFrLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA12s9pW28BNfMPMUdV54DFGg7EmJv7pcmYhnOvq0vqQ845tEillOHptUj
muwVOgj8Dcl+PPiDHXeggwKdMA9253Pov7eVGzKfmNN1IwSmOZYKaNLKy1CNQS13
eD0Wov0+yq35CqRHWwsl8+7Og56IfPXSmmRQPp21VBC//qkcBezomtTaSSzeE1op
248cN8H0wjL0gsPdujzrJmr7xP1gNT4gZQVkNlEAo8hJ3IxvSPvJ+E24FJwMixVb
ICUz/crjRXG9nSSudP/225GxaaG3QPOSzOIZD4sT+Pt7lxmQU1syTChd5SHVK1AS
WW4I2z1j68/o/ujXiqeP4iiMysRzXQIDAQABo4IDSzCCA0cwDgYDVR0PAQH/BAQD
AgWgMIGOBggrBgEFBQcBAQSBgTB/MEQGCCsGAQUFBzAChjhodHRwOi8vc2VjdXJl
Lmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc3JzYW92c3NsY2EyMDE4LmNydDA3Bggr
BgEFBQcwAYYraHR0cDovL29jc3AuZ2xvYmFsc2lnbi5jb20vZ3Nyc2FvdnNzbGNh
MjAxODBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUFBwIBFiZodHRw
czovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgIwCQYD
VR0TBAIwADA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmdsb2JhbHNpZ24u
Y29tL2dzcnNhb3Zzc2xjYTIwMTguY3JsMB4GA1UdEQQXMBWCE2FuY2RzMTAuc3Rh
dGUuYWsudXMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQY
MBaAFPjvf/LNeGeo3m+PJI2I8YcDArPrMB0GA1UdDgQWBBQ7Sj3cl8+m/NHTW2Gs
QN+x7P7iMTCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYAc9meiRtMlnigIH1H
neayxhzQUV5xGSqMa4AQesF3crUAAAGHvr64EQAABAMARzBFAiBQcBIdszriaxKs
vUFlLbKEH4jRYQoKwWjWX7sKIJRn2AIhAJ54vIDKjHY+si3R6qKS/xKhHUWASU4l
YKxu/GPB+Z22AHYA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGH
vr65OAAABAMARzBFAiBFFZn7eXA4dcDwX4+DbuHqMgtFSqGWcb18/kNymrcXzAIh
AI1RfNaDFrbkPE2l/xc/Rj9C6zI4BvlGpcyw7CI+qAB3AHcA2ra/az+1tiKfm8K7
XGvocJFxbLtRhIU0vaQ9MEjX+6sAAAGHvr64vwAABAMASDBGAiEAjTr0QpjbfuZw
kH1C6/rvfI8vcuZsMijy3cByBjpiO4ACIQDYFzAcyjiG+8WA0KpM1roXLFZp/GXf
8hJP+yYVvKVtXzANBgkqhkiG9w0BAQsFAAOCAQEAld/5Th8eHwDUO273c0ISRWfI
ts1j/AzyhbKhhKJI/CuALjB34jsynQoqDOS4LevMsVwftGcw0LYzTNDyKaKtUKb5
Uj5El1dUdhne2Je+5jKu6lOeCvM5HZg/kEBdb5JRsl1GQxvnxlgEMq+kfFaphUAj
3u+zVkJsdbMk6mUBy8+7+NZM7l5c1QiXbFMP/VGh3u3fgVOgcLUuKMZaHa9UbhUq
mS6nOmmuVE9xNBgyCYfS2Fwrp+2j5zktFBzoxe+L8i37DVp83GKZQZxx5mOCC28J
YN57RNh3T7i+nDsGRVoVp28b2SmDKTh20tOYMs89khe0npancuIl7rklo+BlSg==
-----END CERTIFICATE-----
subject=C = US, ST = Alaska, L = Juneau, O = State of Alaska, CN = ancds10.state.ak.us
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4159 bytes and written 387 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE


It looks to me like that certificate is signed by the certs included in the list of ca-certs shown with dsconf.

But when I try to establish a replication agreement (#1 as the supplier/#3 as the consumer), I get the following in the error log:

slapi_ldap_bind - Could not send bind request for id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "ancds10.state.ak.us:636")

NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=DS11-ancds10" (ancds10:636) - Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate))

That says to me that instance #1 is unable to validate the certificate being offered by instance #3

But if I define #2 as the supplier, the replication works just fine to #3 . . and dsconf on instance #2 shows exactly the same ca-certs list as on #1

I can't figure out what I'm missing.


--  Do things because you should, not just because you can.     John Thurston    907-465-8591  John.Thurston@alaska.gov  Department of Administration  State of Alaska
On 4/26/2023 12:43 PM, John Thurston wrote:

I have two hosts with 389-Directory/1.4.4.17 B2021.280.1354 on CentOS Stream release 8 (4.18.0-448.el8.x86_64)

On a.state.ak.us, there is one instance defined (call this instance #1)

On b.state.ak.us, there are two instances defined (call them #2 and #3)

Instances #1 and #3 have GlobalSign certificates installed. Instance #2 currently has a Let's Encrypt certificate installed. All instances also have root and intermediate certs in their databases for GlobalSign, which are marked with Trust Flags "CT,,".

I can define instance #2 as a supplier, and define a replication agreement which populates #3. This works with both LDAPS and STARTTLS.

If I, instead, try to define the same replication agreement on instance #1, it fails with:

slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)

NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=DS11-1to3" (b:389) - Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate))

slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)


I am unable to figure out how instances #1 and #2 differ.

Instance #1 has long-established supplier-agreements (using both LDAPS and STARTTLS) with other instances of 389-Directory. So I know instance #1 can function correctly as a supplier. Instance #3 demonstrates it can be a consumer when supplied by instance #2. I can perform LDAPS and STARTTLS queries from a.state.ak.us to instance #3, so I know it is listening on the network and not blocked by a host-based firewall.

Any suggestions of where to look, or config-attributes to check, would be appreciated.

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

No comments:

Post a Comment