Certificate issue after upgrade in the LDAP module - Let's Encrypt certs not working either
Hi everyone, it's been ages!! Unfortunately my health took a downturn and I have not been keeping up with anything and now finding myself needing to upgrade many almost archaic builds now. What was working on a previous version of FR seems to have stopped and now FR is complaining at me :-( I'm using StartTLS in OpenLDAP so FR got provisioned eons ago with a working setup which has been flawless for may years, I created an raddb/ldap folder where I put my ldap TLS certs. I performed an upgrade recently and then noticed that some services had gone down. This is the relevant output of radiusd -X: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://fqdn:389 TLS certificate verification: Error, self signed certificate TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate). rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /usr/local/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap" my ldap module in FR contains these lines: start_tls = yes #ca_file = /etc/ssl/cert.crt ca_file = /usr/local/etc/raddb/ldap/cert.pem #ca_path = /etc/ssl/ ca_path = /usr/local/etc/raddb/ldap/ #certificate_file = /etc/ssl/cert.crt certificate_file = /usr/local/etc/raddb/ldap/cert.pem #private_key_file = /etc/ssl/cert.key private_key_file = /usr/local/etc/raddb/ldap/privkey.pem Originally I had a cert.crt and cert.key file which I believe I generated using openssl? Judging from the records in the shell history I think it was something like this that I used: cd /etc/ssl openssl genrsa -out cert.key 1024 openssl req -new -key cert.key -out cert.csr openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt of which I tried regenerating using the exact same lines as I thought originally that the cert had expired. From the radd -X error it's obvious that it doesn't like the certificate as it was self signed. As I'm not using a certificate provider since this is in my home lab, I thought about using Let's Encrypt so I manually generated certificates using the certbot tool. Unfortunately the error from radd -X is the same and is calling the certificate "self signed". I think the culprit is that LE doesn't have a CA associated with it. Does anyone have any advice on how to either get FR working with my certificates or would my only options be to either turn TLS in OpenLDAP off or to use an authoritative signing body? Many thanks in advance. Kaya
On Mar 30, 2023, at 12:02 AM, Kaya Saman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using StartTLS in OpenLDAP so FR got provisioned eons ago with a working setup which has been flawless for may years, I created an raddb/ldap folder where I put my ldap TLS certs. I performed an upgrade recently and then noticed that some services had gone down. This is the relevant output of radiusd -X:
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://fqdn:389 TLS certificate verification: Error, self signed certificate TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate).
Unfortunately that message is coming from libldap. So for some reason, libldap doesn't like the certificate. You may need to add the CA to the global certificate store on the machine running LDAP. Or update the LDAP server configuration to trust the CA which FreeRADIUS is using. Alan DeKok.
On 3/29/23 23:59, Alan DeKok wrote:
On Mar 30, 2023, at 12:02 AM, Kaya Saman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using StartTLS in OpenLDAP so FR got provisioned eons ago with a working setup which has been flawless for may years, I created an raddb/ldap folder where I put my ldap TLS certs. I performed an upgrade recently and then noticed that some services had gone down. This is the relevant output of radiusd -X:
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://fqdn:389 TLS certificate verification: Error, self signed certificate TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate). Unfortunately that message is coming from libldap. So for some reason, libldap doesn't like the certificate.
You may need to add the CA to the global certificate store on the machine running LDAP. Or update the LDAP server configuration to trust the CA which FreeRADIUS is using.
Alan DeKok.
Thanks Alan, I'll give it a shot! Hope you've been well in the meantime... it has been ages :-) Best Regards, Kaya
On 3/30/23 00:55, Kaya Saman via Freeradius-Users wrote:
On 3/29/23 23:59, Alan DeKok wrote:
On Mar 30, 2023, at 12:02 AM, Kaya Saman via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm using StartTLS in OpenLDAP so FR got provisioned eons ago with a working setup which has been flawless for may years, I created an raddb/ldap folder where I put my ldap TLS certs. I performed an upgrade recently and then noticed that some services had gone down. This is the relevant output of radiusd -X:
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://fqdn:389 TLS certificate verification: Error, self signed certificate TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate). Unfortunately that message is coming from libldap. So for some reason, libldap doesn't like the certificate.
You may need to add the CA to the global certificate store on the machine running LDAP. Or update the LDAP server configuration to trust the CA which FreeRADIUS is using.
Alan DeKok.
Thanks Alan, I'll give it a shot!
Hope you've been well in the meantime... it has been ages :-)
Best Regards,
Kaya
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hmm.... I just feel like I bypassed the problem and not solved it? I tested the certificate in ldap and and it seemed to work? Maybe I ran the incorrect test - I'm going to have to dig deeper and check on this one! From ldap my reading lead me to use the test command: ldapwhoami -H ldaps:// -x -ZZ which basically returned "anonymous" and apparently this is correct. I still need to read more on ldap though to find if things are actually ok or not. For now I added this to the ldap module which at least has FR working again: require_cert = 'allow' It's a temporary band aide I'm certain as I trust the FR output: TLS certificate verification: Error, self signed certificate TLS certificate verification: Error, self signed certificate TLS certificate verification: Error, self signed certificate TLS certificate verification: Error, self signed certificate TLS certificate verification: Error, self signed certificate Grrrr what a PITA sigh.... Hopefully I'll get this fixed properly and soon :-S
participants (2)
-
Alan DeKok -
Kaya Saman