I have read many articles, tried various things and now going round in circles. Is anyone able to point me in the right direction, which certificate has expired. When I checked them they are valid? Many thanks in advance Arron tls { ca_file = "/etc/openldap/certs/cacert.pem" ca_path = "/etc/openldap/certs" certificate_file = "/etc/openldap/certs/radius.pem" private_key_file = "/etc/openldap/certs/radius.key" start_tls = yes } } rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1 rlm_ldap: libldap vendor: OpenLDAP version: 20439 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 4 max = 32 spare = 3 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 1 spread = no } rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389 TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database.. TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=radius@domainA.co.uk,CN=domainA.dmz.local,OU=Company,O=Radius,L=Newbury,ST=Berkshire,C=GB'. TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired.. TLS: error: connect - force handshake failure: errno 21 - moznss error -8174 TLS: can't connect: TLS error -8174:security library: bad database.. rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
On Aug 10, 2017, at 10:18 AM, Arron Fox <arronf@hotmail.com> wrote:
I have read many articles, tried various things and now going round in circles. Is anyone able to point me in the right direction, which certificate has expired. When I checked them they are valid?
Where did you get these certificates? How did you configure them in FreeRADIUS?
rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389 TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..
i.e. it's an *openldap* issue, Because the certificates are in the OpenLDAP configuration. And if you're getting a "bad database" error, you should likely fix that. It's often the case that one error will create subsequent ones. If you only look at the later errors, you won't fix the real cause of the problem.
TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=radius@domainA.co.uk,CN=domainA.dmz.local,OU=Company,O=Radius,L=Newbury,ST=Berkshire,C=GB'. TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired.. TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
This won't work. Ever. RedHat, etc. provides libldap which links to NSS. FreeRADIUS uses OpenSSL. The two just aren't compatible. You will need to install a version of libldap which uses OpenSSL.
TLS: can't connect: TLS error -8174:security library: bad database.. rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
These errors are being produced by the OpenLDAP client library. It doesn't like the certificates. As for why... ask the OpenLDAP people. Alan DeKok.
Many thanks for the swift reply, unfortunately I am out of my depth with the product suite, the previous sysadm configured the solution with no handover.
Where did you get these certificates? How did you configure them in FreeRADIUS?
The CA's are from a Microsoft Certificate Authority, I believe that the configuration in /etc/raddb/mods-enabled/ldap which then references to the certs being held in /etc/openstack/certs. {tls............ ca_file = /etc/openldap/certs/cacert.pem ca_path = /etc/openldap/certs certificate_file = /etc/openldap/certs/radius.pem private_key_file = /etc/openldap/certs/radius.key I have been reviewing OpenLDAP but I cannot find any logs to this component, the solution was working fine and dandy up until Monday 07/08/2017. Is there a way to see if this is installed?
rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389 TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..
i.e. it's an *openldap* issue, Because the certificates are in the OpenLDAP configuration.
And if you're getting a "bad database" error, you should likely fix that. It's often the case that one error will create subsequent ones. If you only look at the later errors, you won't fix the real cause of the problem.
TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=radius@domainA.co.uk,CN=domainA.dmz.local,OU=Company,O=Radius,L =Newbury,ST=Berkshire,C=GB'. TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired.. TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
This won't work. Ever.
RedHat, etc. provides libldap which links to NSS. FreeRADIUS uses OpenSSL. The two just aren't compatible.
You will need to install a version of libldap which uses OpenSSL.
TLS: can't connect: TLS error -8174:security library: bad database.. rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
These errors are being produced by the OpenLDAP client library. It doesn't like the certificates.
As for why... ask the OpenLDAP people.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 10, 2017, at 12:58 PM, Arron Fox <arronf@hotmail.com> wrote:
Many thanks for the swift reply, unfortunately I am out of my depth with the product suite, the previous sysadm configured the solution with no handover.
That's always bad...
The CA's are from a Microsoft Certificate Authority, I believe that the configuration in /etc/raddb/mods-enabled/ldap which then references to the certs being held in /etc/openstack/certs.
Ok... it would have been good to explain that at the start.
{tls............ ca_file = /etc/openldap/certs/cacert.pem
ca_path = /etc/openldap/certs certificate_file = /etc/openldap/certs/radius.pem private_key_file = /etc/openldap/certs/radius.key
I have been reviewing OpenLDAP but I cannot find any logs to this component,
You need to look at libldap. That is the library used by FreeRADIUS. It is part of the OpenLDAP project, but it is not the OpenLDAP server.
the solution was working fine and dandy up until Monday 07/08/2017. Is there a way to see if this is installed?
That isn't a FreeRADIUS questions. Basic system administration is outside of the scope of this list. Alan DeKok.
participants (2)
-
Alan DeKok -
Arron Fox