
TLS/SSL-certificate & Replication v2.1.3



Hi everybody,

After trying everything, I'm here again looking for help.

What I want:

Replication with 2.1.3.

My environment:

openldap 2.1.3
openssl 0.96g
LINUX 7.1 Kernel 2.4.18 

slapd is running on 486dx66.hrnet.de  ports: 4389/4636 (master)
slapd is running on 486dx66.hrnet.de  ports: 5389/5636 (master)

What's the problem:

I always get the same error with slurpd:

---snipp---
  07d0:  c2 79 b4 7e 70 4f c3 b1  8c                        .y.~pO...
TLS certificate verification: depth: 1, err: 19, subject: /C=DE/ST=Germany/L=Niedernhausen-Oberjosbach/O=Harry Rueter Development/OU=CAAUTHORITY/CN=caserver.hrnet.de/Email=harry@hrnet.de, issuer: /C=DE/ST=Germany/L=Niedernhausen-Oberjosbach/O=Harry Rueter Development/OU=CAAUTHORITY/CN=caserver.hrnet.de/Email=harry@hrnet.de
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
---snipp---

So I see what the problem is: slurpd doesn't like
self-signed certificates.

I understand and I'm willing (and trying) to satisfy its
needs ..

The problem is, in my opinion I generated the certificates correctly,
as Peter A. Savitch described in his mail of 10.08.2002
(Re: Doubt regarding the cert that signs the CRL).

These are the certificates I use for
master and replica (they run on the same host (486dx66.hrnet.de)!).

---schnipp---
TLSCertificateFile      /etc/certificates/486dx66.crt
TLSCertificateKeyFile   /etc/certificates/486dx66.key
TLSCACertificateFile    /etc/certificates/CA.crt
---schnipp---

I generated the certificates with the two scripts I attached:
mkCA generates the TLSCACertificateFile ...
mkcert generates the server/client certificates.

Example:

mkcert 486dx66

generates 486dx66.crt & 486dx66.key

mkCA caserver

generates CA.key & CA.crt
(caserver.hrnet.de is another hostname but is on the same server;
is this the error? Must the CA reside on the same host?)

I think the scripts are correct and the entries in slapd.conf
(master/replica) are too ..

Can anybody tell me how I can find a way out of this trap?


greets Harry

#!/bin/sh
# mkcert: generate a key and a CA-signed server/client certificate for HOST.hrnet.de

if [ $# -ne 1 ]
then
  echo "usage: $0 HOST_to_Certificate"
  exit 1
fi

SERVER=$1
MYNET=.hrnet.de
FQDN=$SERVER$MYNET

CERTDIR=/etc/certificates
TMPDIR=$CERTDIR/tmp
CAKEYDIR=$CERTDIR/private

MYCACERT=$CERTDIR/CA.crt
MYCAKEY=$CAKEYDIR/CA.key

# Files are created owner-only, so the private key is never group/world
# readable, not even while it sits in $TMPDIR.
umask 077

# Remove only this host's temporary files. The original "rm $TMPDIR*" expanded
# to /etc/certificates/tmp* and would have hit the tmp directory itself.
cleanup()
{
  rm -f "$TMPDIR/$SERVER".*
}

ping -c1 "$FQDN" >/dev/null 2>&1
if [ $? -ne 0 ]
then
  echo "HOST $FQDN not reachable"
  exit 1
fi

echo -n "Generating key for $SERVER .."
openssl genrsa -out "$TMPDIR/$SERVER.key" 2048 >/dev/null 2>&1
if [ $? -ne 0 ]
then
  echo " error: couldn't create key"
  cleanup
  exit 1
fi
echo ready
echo

# Subject DN, given with -subj instead of answering the interactive prompts.
# The CN must be the name clients connect to (the FQDN); clients that check
# the peer name reject the certificate otherwise, even if the chain verifies.
SUBJECT="/C=DE/ST=Germany/L=Niedernhausen-Oberjosbach/O=Harry Rueter Development/OU=Keymaker/CN=$FQDN/emailAddress=harry@hrnet.de"

echo -n "Generating Certificate Signing Request for $SERVER .."
openssl req -new -key "$TMPDIR/$SERVER.key" -subj "$SUBJECT" -out "$TMPDIR/$SERVER.csr" >/dev/null
if [ $? -ne 0 ]
then
  echo " error: couldn't create certificate signing request"
  cleanup
  exit 1
fi
echo ready
echo

# v3 extensions for an end-entity certificate. openssl x509 -req only adds
# extensions it is given via -extfile. The subjectAltName carries the
# hostname for clients that no longer match on the CN.
cat > "$TMPDIR/$SERVER.ext" <<ENDE
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$FQDN
ENDE

echo -n "Signing with CA ..."
# The CA key is passphrase protected (see mkCA), so this prompts on the terminal.
openssl x509 -req -days 365 -in "$TMPDIR/$SERVER.csr" \
        -CA "$MYCACERT" -CAkey "$MYCAKEY" -CAcreateserial \
        -extfile "$TMPDIR/$SERVER.ext" -out "$TMPDIR/$SERVER.crt" >/dev/null
if [ $? -ne 0 ]
then
  echo " error: couldn't create CA-signed certificate"
  cleanup
  exit 1
fi
echo ready
echo

# The key stays readable by its owner only; the certificate is public.
# If slapd runs as an unprivileged user (-u), chown the key to that user
# rather than loosening the mode.
chmod 400 "$TMPDIR/$SERVER.key"
chmod 444 "$TMPDIR/$SERVER.crt"

mv "$TMPDIR/$SERVER.key" "$CERTDIR/$SERVER.key"
mv "$TMPDIR/$SERVER.crt" "$CERTDIR/$SERVER.crt"
cleanup

#!/bin/sh
# mkCA: generate the CA key (passphrase protected) and the self-signed CA certificate

if [ $# -ne 1 ]
then
  echo "usage: $0 CA_hostname"
  exit 1
fi

CASERVER=$1
MYNET=.hrnet.de
FQDN=$CASERVER$MYNET

KEYDIR=/etc/certificates/private
CERTDIR=/etc/certificates
TMPDIR=/etc/certificates/tmp

# Files are created owner-only; the CA key must never be readable by others.
umask 077

# Remove only the CA's temporary files, not everything under $TMPDIR.
cleanup()
{
  rm -f "$TMPDIR"/CA.*
}

echo "Generating key for $CASERVER (you will be asked for a passphrase)"
openssl genrsa -des3 -out "$TMPDIR/CA.key" 2048
if [ $? -ne 0 ]
then
  echo " error: couldn't create key"
  cleanup
  exit 1
fi
echo ready
echo

# Subject DN of the CA, given with -subj instead of the interactive prompts.
SUBJECT="/C=DE/ST=Germany/L=Niedernhausen-Oberjosbach/O=Harry Rueter Development/OU=CAAUTHORITY/CN=$FQDN/emailAddress=harry@hrnet.de"

echo "Generating Certificate Signing Request for $CASERVER"
openssl req -new -key "$TMPDIR/CA.key" -subj "$SUBJECT" -out "$TMPDIR/CA.csr" >/dev/null
if [ $? -ne 0 ]
then
  echo "Error: couldn't create signing request"
  cleanup
  exit 1
fi

echo "Generating CA certificate for $CASERVER"
# "-extensions x509v3_CA" on its own is ignored by openssl x509: it only
# reads extensions from a file given with -extfile. Without one the CA
# certificate comes out as a plain X.509v1 certificate with no
# basicConstraints at all.
cat > "$TMPDIR/CA.ext" <<ENDE
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
ENDE

openssl x509 -req -days 999 -in "$TMPDIR/CA.csr" -signkey "$TMPDIR/CA.key" \
       -extfile "$TMPDIR/CA.ext" -out "$TMPDIR/CA.crt"
if [ $? -ne 0 ]
then
  echo "Error: couldn't create CA"
  cleanup
  exit 1
fi

# Show the result; check that "CA:TRUE" appears under Basic Constraints.
openssl x509 -text -noout -in "$TMPDIR/CA.crt" | less

echo "PRESS return"
read dummy

chmod 400 "$TMPDIR/CA.key"
chmod 444 "$TMPDIR/CA.crt"

mv "$TMPDIR/CA.key" "$KEYDIR/CA.key"
mv "$TMPDIR/CA.crt" "$CERTDIR/CA.crt"
cleanup
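
The two verification lines in the slurpd log above (err: 19 at depth 1, then "self signed certificate in certificate chain") are what OpenSSL reports when the self-signed CA certificate turns up in the chain being verified but is not in the trust store the verifying side consulted. The script below is an added example, not part of Harry's post or of his mkCA/mkcert scripts: it builds a throwaway CA and server certificate in a temporary directory (the names Example Test CA and ldap.example.test are invented for the demo), then runs openssl verify twice, once with CA.crt trusted and once with CA.crt only supplied as part of the chain, so the two outcomes can be compared side by side. It also prints the CA certificate's basicConstraints, which openssl x509 -req only sets when the extensions come from -extfile.

```shell
#!/bin/sh
# Added example (not from the original post or its scripts): rebuild a
# throwaway CA + server certificate and run the chain check a TLS client
# performs, once with CA.crt trusted and once without. All names are made up.
set -eu

# Build CA.key/CA.crt and srv.key/srv.crt under $1. Same genrsa / req /
# x509 -req steps as mkCA and mkcert, but the CA extensions are passed with
# -extfile, which is the only way "openssl x509" applies them.
make_test_pki()
{
  dir=$1
  # minimal req config so the demo does not depend on the system openssl.cnf
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$dir/req.cnf"

  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/CA.key" \
    -subj "/O=Example Test CA/CN=ca.example.test" -out "$dir/CA.csr"
  openssl x509 -req -days 30 -in "$dir/CA.csr" -signkey "$dir/CA.key" \
    -extfile "$dir/ca.ext" -out "$dir/CA.crt" 2>/dev/null

  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.test\n' > "$dir/srv.ext"
  openssl genrsa -out "$dir/srv.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/srv.key" \
    -subj "/O=Example Test CA/CN=ldap.example.test" -out "$dir/srv.csr"
  openssl x509 -req -days 30 -in "$dir/srv.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
    -CAcreateserial -extfile "$dir/srv.ext" -out "$dir/srv.crt" 2>/dev/null
}

# Verify srv.crt the way a TLS client verifies a server's chain.
#   $2 = trusted   : CA.crt is in the trust store
#   $2 = untrusted : CA.crt is only seen as part of the presented chain
# Prints "OK", the X509 verify error number (19 for the case in the log),
# or the raw output for anything unexpected. Exit status is not used because
# old openssl verify builds exit 0 even on failure.
verify_status()
{
  dir=$1
  if [ "$2" = trusted ]
  then
    out=$(openssl verify -CAfile "$dir/CA.crt" "$dir/srv.crt" 2>&1) || true
  else
    out=$(openssl verify -untrusted "$dir/CA.crt" "$dir/srv.crt" 2>&1) || true
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]
  then
    echo "$code"
  else
    case $out in
      *": OK"*) echo OK ;;
      *) echo "other: $out" ;;
    esac
  fi
}

# Print the line below "X509v3 Basic Constraints" of CA.crt ("CA:TRUE" when
# the extension file was applied; nothing at all for a v1 certificate).
ca_basic_constraints()
{
  openssl x509 -in "$1/CA.crt" -noout -text |
    awk '/Basic Constraints/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
echo "CA basicConstraints : $(ca_basic_constraints "$WORK")"
echo "CA.crt trusted      : $(verify_status "$WORK" trusted)"
echo "CA.crt not trusted  : $(verify_status "$WORK" untrusted)"
```

The "not trusted" run reproduces error 19 from the log: the chain is complete and self-consistent, the verifier simply has no reason to trust its root. The "trusted" run is what a client gets once its own trust store holds CA.crt; for an OpenLDAP client such as slurpd that store is configured by TLS_CACERT in ldap.conf, while TLSCACertificateFile in slapd.conf only configures the server side.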