[389-users] Problems with replication over SSL

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jun 17 22:05:02 UTC 2009 

Hi, Dan.  You might want to remove whatever CA certs you've got in the
database and then re-add just in case.  I don't recall the command to do
that.  Here is all we did to import our CA cert:
certutil -A -d . -n "CA certificate" -t "CT,," -a -i CA.pem

Are you certain you have the correct CA cert and that it is valid (not
expired, etc.)?

You can try doing:
openssl x509 -in clientcertname.pem -noout -issuer

and compare that to 
openssl x509 -in CA.pem -noout -subject

This would also reveal if your copy of the CA cert is malformed for some
reason.

I'm pulling the syntax off the top of my head so it might be in error.
I might also suggest editing this thread and bottom posting rather than
top posting; it would make it a little easier to follow.  Hope this
helps - John

On Wed, 2009-06-17 at 17:48 -0400, Dan Weintraub wrote:
> Hi all,
> 
> I've been looking into this and I first found out that your suspicions 
> are correct. The trust attributes on my CA certificate are incorrect.
> 
> certutil -L shows them as "CT,,"
> 
> To fix this I tried the modify command,
> 
> certutil -M -n cacert -t CTu,u,u -d .
> 
> It gives no error, but unfortunately, does nothing and certutil -L still 
> shows me "CT,,"
> 
> I thought this might have been because I used openssh tools instead of 
> certutil, so I removed all my certificates and created a new CA with 
> certutil, specifying "CTu,u,u" on the command line when I created the CA 
> cert. I then added the CA with the Certificate Manager and did a 
> certutil -L only to find that it was marked "CT,," I tried to modify 
> this certificate with certutil -M, but it still doesn't work.
> 
> Do I have some permissions wrong somewhere? Am I using the tools 
> incorrectly? Any suggestions?
> 
> Thanks in advance,
> Dan
> 
> 
> 
> jean-Noël Chardron wrote:
> > hi,
> > 
> > Dan Weintraub a écrit :
> >> Thanks, that's exactly what I was following. Now that I've got the 
> >> port corrected I'm getting a certificate error despite having the 
> >> correct certificates setup (or so I thought...) I'll read through that 
> >> documentation you posted and see if I can sort it out.
> >>
> >> Thanks,
> >> Dan
> >>
> >> PS
> >> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, 
> >> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable 
> >> Runtime error -8172
> > 
> >> (Peer's certificate issuer has been marked as not trusted by the user.)
> >>
> > Can you post the output of the command :
> > #certutil -L -d /path/of/directory/where/is/the/certificate/
> > 
> > The path of the directory where is the certificate has 2 files : key3.db 
> > and cert8.db
> > 
> > For example, on my server the output is :
> > # certutil -L -d /etc/dirsrv/slapd-aragon/
> > Certificate Nickname                                         Trust 
> > Attributes
> >                                                             
> > SSL,S/MIME,JAR/XPI
> > 
> > CNRS2-Standard                                               CT,C,C
> > aragon.dr15.cnrs.fr Cert                                     u,u,u
> > CNRS-Standard                                                CT,C,C
> > CNRS                                                         CT,C,C
> > CNRS2                                                        CT,C,C
> > 
> > I suppose (it's a hypothesis) that  your certificate doesn't have the 
> > tag u,u,u or something like this or the CA can't trust the certificate
> > 
> >> John A. Sullivan III wrote:
> > 
> >>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
> >>>> Hi all,
> >>>>
> >>>> I'm trying to setup replication over ssl and am running into 
> >>>> problems. I
> >>>> first tried it unencrypted and all worked fine. I then copied over the
> >>>> consumer's CA certificate and set up replication with SSL and Simple
> >>>> Authentication. It doesn't work and I now get the following errors:
> >>>>
> >>>> When I set it up:
> >>>> supplier error log:
> >>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
> >>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
> >>>> server), Netscape Portable Runtime error -5938 (Encountered end of 
> >>>> file.)
> >>>>
> >>>> these appear thereafter:
> >>>> consumer access log:
> >>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from
> >>>> 10.1.1.100 to 10.1.1.101
> >>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71
> >>>> (Protocol error) - B1
> >>>>
> >>>> consumer error log:
> >>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message 
> >>>> (tag
> >>>> 0x80, expected 0x30)
> >>>>
> >>>> Versions:
> >>>> Supplier:
> >>>> fedora-ds-1.1.2-1.fc6
> >>>> fedora-ds-dsgw-1.1.1-1.fc6
> >>>> fedora-ds-base-1.1.3-2.fc6
> >>>> fedora-ds-admin-1.1.6-1.fc6
> >>>> fedora-ds-admin-console-1.1.2-1.fc6
> >>>> fedora-ds-console-1.1.2-1.fc6
> >>>>
> >>>> Consumer:
> >>>> fedora-ds-admin-1.1.7-3.fc6
> >>>> fedora-ds-admin-console-1.1.3-1.fc6
> >>>> fedora-ds-base-1.2.0-2.fc6
> >>>> fedora-ds-dsgw-1.1.2-1.fc6
> >>>> fedora-ds-console-1.2.0-1.fc6
> >>>> fedora-ds-1.1.3-1.fc6
> >>>>
> >>>> I'm at a loss as to how to proceed with troubleshooting and would
> >>>> appreciate any suggestions.
> >>>>
> >>>> Thanks,
> >>>> Dan Weintraub
> >>> <snip>
> >>> Hi, Dan. Here is a snippet from our internal documentation.  I apologize
> >>> that I don't have time to customize it or analyze your issue more deeply
> >>> but perhaps our findings will help you in your environment.  Given
> >>> Rich's comment, I wonder if you were stung by the same error in
> >>> documentation we noted below:
> >>>
> >>>         Go back to the centos-idm-console on ldap1
> >>>         Go to the Configuration tab, select the userRoot under the
> >>>         Replication
> >>>         object in the left panel.  Left/right client and choose New
> >>>         Replication
> >>>         Agreement
> >>>         The name is "mycompany.com ldap1->ldap2" and the Description is
> >>>         "Replicates mycompany.com from ldap1 to ldap2".  Click Next.
> >>>         Set the Consumer to ldap2.mycompany.com:389 from the drop down
> >>>         box (389 is correct even though we are really using 636) - Oops!
> >>>         That is not true despite what the documentation says.  Click
> >>>         other and create a new entry for ldap2.mycompany.com on port
> >>>         636.
> >>>         Enable the SSL connection.
> >>>         Enter cn=repuser,cn=config for the Bind As and enter the
> >>>         password.
> >>>         Click Next and then Next again.
> >>>         We will always keep directories in sync so click Next again.
> >>>         Choose Initialize Consumer Now and click Next
> >>>         Click Done
> >>>
> >>> If you need more details, e.g., about how we set up SSL, I posted most
> >>> of our internal procedure a day or two ago on this mailing list in
> >>> response to a post entitled "Developting a CentOS-DS setup".  You can
> >>> find much more detail there.
> >>>
> >>> Good luck - John
> >>
> >> -- 
> >> 389 users mailing list
> >> 389-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > 
> > 
> 
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

More information about the Fedora-directory-users mailing list