Help with Certificates

Help with Certificates

Arron Fox
I have read many articles, tried various things and am now going round in circles. Is anyone able to point me in the right direction as to which certificate has expired? When I checked them they are valid.

Many thanks in advance

Arron

 tls {
        ca_file = "/etc/openldap/certs/cacert.pem"
        ca_path = "/etc/openldap/certs"
        certificate_file = "/etc/openldap/certs/radius.pem"
        private_key_file = "/etc/openldap/certs/radius.key"
        start_tls = yes
   }
  }
rlm_ldap: Falling back to build time libldap version info.  Query for LDAP_OPT_API_INFO returned: -1
rlm_ldap: libldap vendor: OpenLDAP version: 20439
   accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"
   }
   post-auth {
        reference = "."
   }
rlm_ldap (ldap): Initialising connection pool
   pool {
        start = 5
        min = 4
        max = 32
        spare = 3
        uses = 0
        lifetime = 0
        cleanup_interval = 30
        idle_timeout = 60
        retry_delay = 1
        spread = no
   }
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389
TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..
TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'E=[hidden email],CN=domainA.dmz.local,OU=Company,O=Radius,L=Newbury,ST=Berkshire,C=GB'.
TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
rlm_ldap (ldap): Could not start TLS: Connect error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help with Certificates

Alan DeKok-2
On Aug 10, 2017, at 10:18 AM, Arron Fox <[hidden email]> wrote:
>
> I have read many articles, tried various things and am now going round in circles. Is anyone able to point me in the right direction as to which certificate has expired? When I checked them they are valid.

  Where did you get these certificates?  How did you configure them in FreeRADIUS?

> rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap): Connecting to ldap.prom.co.uk:389
> TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..

  i.e. it's an *openldap* issue, because the certificates are in the OpenLDAP configuration.

  And if you're getting a "bad database" error, you should likely fix that.  It's often the case that one error will create subsequent ones.  If you only look at the later errors, you won't fix the real cause of the problem.

> TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from PEM file.
> TLS: no unlocked certificate for certificate 'E=[hidden email],CN=domainA.dmz.local,OU=Company,O=Radius,L=Newbury,ST=Berkshire,C=GB'.
> TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired..
> TLS: error: connect - force handshake failure: errno 21 - moznss error -8174

  This won't work.  Ever.

  RedHat, etc. provides libldap which links to NSS.  FreeRADIUS uses OpenSSL.  The two just aren't compatible.

  You will need to install a version of libldap which uses OpenSSL.

> TLS: can't connect: TLS error -8174:security library: bad database..
> rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap): Opening connection failed (0) rlm_ldap (ldap): Removing connection pool
> /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

  These errors are being produced by the OpenLDAP client library.  It doesn't like the certificates.

  As for why... ask the OpenLDAP people.

  Alan DeKok.




RE: Help with Certificates

Arron Fox
Many thanks for the swift reply. Unfortunately I am out of my depth with the product suite, as the previous sysadmin configured the solution with no handover.



>   Where did you get these certificates?  How did you configure them in
> FreeRADIUS?

The CAs are from a Microsoft Certificate Authority. I believe that the configuration is in /etc/raddb/mods-enabled/ldap, which then references the certs held in
/etc/openstack/certs.

{tls............
                ca_file = /etc/openldap/certs/cacert.pem

                ca_path = /etc/openldap/certs
                certificate_file = /etc/openldap/certs/radius.pem
                private_key_file = /etc/openldap/certs/radius.key

I have been reviewing OpenLDAP but I cannot find any logs for this component. The solution was working fine and dandy up until Monday 07/08/2017. Is there a way to see if this is installed?

> > rlm_ldap (ldap): Opening additional connection (0) rlm_ldap (ldap):
> Connecting to ldap.prom.co.uk:389
> > TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be
> found in the database - error -8174:security library: bad database..
>
>   i.e. it's an *openldap* issue,  Because the certificates are in the OpenLDAP
> configuration.
>
>   And if you're getting a "bad database" error, you should likely fix that.  It's
> often the case that one error will create subsequent ones.  If you only look at
> the later errors, you won't fix the real cause of the problem.
>
> > TLS: certificate '/etc/openldap/certs/radius.pem' successfully loaded from
> PEM file.
> > TLS: no unlocked certificate for certificate
> 'E=[hidden email],CN=domainA.dmz.local,OU=Company,O=Radius,L
> =Newbury,ST=Berkshire,C=GB'.
> > TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has
> expired..
> > TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
>
>   This won't work.  Ever.
>
>   RedHat, etc. provides libldap which links to NSS.  FreeRADIUS uses OpenSSL.
> The two just aren't compatible.
>
>   You will need to install a version of libldap which uses OpenSSL.
>
> > TLS: can't connect: TLS error -8174:security library: bad database..
> > rlm_ldap (ldap): Could not start TLS: Connect error rlm_ldap (ldap):
> Opening connection failed (0) rlm_ldap (ldap): Removing connection pool
> > /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
>
>   These errors are being produced by the OpenLDAP client library.  It doesn't
> like the certificates.
>
>   As for why... ask the OpenLDAP people.
>
>   Alan DeKok.


Re: Help with Certificates

Alan DeKok-2
On Aug 10, 2017, at 12:58 PM, Arron Fox <[hidden email]> wrote:
>
> Many thanks for the swift reply, unfortunately I am out of my depth with the product suite, the previous sysadm configured the solution with no handover.

  That's always bad...

> The CA's are from a Microsoft Certificate Authority, I believe that the configuration in /etc/raddb/mods-enabled/ldap which then references to the certs being held in
> /etc/openstack/certs.

  Ok... it would have been good to explain that at the start.

> {tls............
>                ca_file = /etc/openldap/certs/cacert.pem
>
>                ca_path = /etc/openldap/certs
>                certificate_file = /etc/openldap/certs/radius.pem
>                private_key_file = /etc/openldap/certs/radius.key
>
> I have been reviewing OpenLDAP but I cannot find any logs to this component,

  You need to look at libldap.  That is the library used by FreeRADIUS.  It is part of the OpenLDAP project, but it is not the OpenLDAP server.

> the solution was working fine and dandy up until Monday 07/08/2017. Is there a way to see if this is installed?

  That isn't a FreeRADIUS question.  Basic system administration is outside of the scope of this list.

  Alan DeKok.


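Two checks a practitioner would run after this exchange, added here as an example and not taken from the thread: the first addresses Alan's point that a RedHat libldap linked against NSS (the "moznss" in the log is the giveaway) cannot work with FreeRADIUS's OpenSSL, the second Arron's question of how to see what is installed, plus an expiry check on the configured PEM files. It assumes radiusd is in PATH or /usr/sbin, that ldd and openssl are available, and the certificate paths quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the list thread. Checks (1) whether the libldap
# that radiusd loads links against NSS or OpenSSL and (2) whether the PEM files
# are still valid. Binary name, paths and tool availability are assumptions.

# Classify a TLS backend from a library's `ldd` output passed as $1.
classify_tls_backend() {
    case "$1" in
        *libnss3.so*)   echo nss ;;
        *libssl.so*)    echo openssl ;;
        *libgnutls.so*) echo gnutls ;;
        *)              echo unknown ;;
    esac
}

# Print the distinct NSS error codes ("error -8174") in rlm_ldap debug output
# passed as $1, space separated. Use them to find the first failure, not the last.
nss_error_codes() {
    printf '%s\n' "$1" | sed -n 's/.*error \(-[0-9][0-9]*\).*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Which libldap does radiusd load, and what does that library link against?
libldap_backend() {
    bin=$(command -v radiusd || echo /usr/sbin/radiusd)
    lib=$(ldd "$bin" 2>/dev/null | awk '/libldap/ { print $3; exit }')
    [ -n "$lib" ] || { echo "radiusd not found or not linked against libldap" >&2; return 1; }
    classify_tls_backend "$(ldd "$lib" 2>/dev/null)"
}

# Exit 0 if the PEM certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Lines quoted from the thread's debug output, used as sample input.
SAMPLE_LOG="TLS: error: the certificate '/etc/openldap/certs/radius.pem' could not be found in the database - error -8174:security library: bad database..
TLS: certificate [(null)] is not valid - error -8181:Peer's Certificate has expired..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174"

if command -v ldd >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    echo "NSS error codes seen: $(nss_error_codes "$SAMPLE_LOG")"
    echo "libldap TLS backend: $(libldap_backend 2>/dev/null || echo unknown)"
    for f in /etc/openldap/certs/cacert.pem /etc/openldap/certs/radius.pem; do
        [ -r "$f" ] || continue
        if cert_valid_for "$f" 2592000; then echo "$f: valid for >30 days"
        else echo "$f: expired or expiring within 30 days"; fi
    done
fi
```

A backend of `nss` confirms Alan's diagnosis regardless of certificate validity; only an `openssl` result makes the expiry check the next thing worth looking at.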