Support #2435 (closed)
Unable to authenticate with LDAP server using ldaps
Description
Hey there,
My specs:
Foreman 1.1
RHEL 6.4
I'm attempting to configure LDAP authentication with Foreman 1.1, I'm able to connect with plain ldap. When ldaps is enabled I get the following message:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.
OpenSSL::SSL::SSLError
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
app/models/auth_source_ldap.rb:135:in `search_for_user_entries'
app/models/auth_source_ldap.rb:40:in `authenticate'
app/models/user.rb:112:in `try_to_login'
app/controllers/users_controller.rb:90:in `login'
lib/foreman/thread_session.rb:31:in `clear_thread'
I did import the SSL certificate used for ldaps communication into /etc/openldap/certs on my local host (just to be sure), but that didn't help. I feel like I'm missing something obvious, any assist would be appreciated.
Updated by Dominic Cleal over 11 years ago
- Category set to Authentication
- Status changed from New to Feedback
This has been coming up quite a bit and I think it's caused by a recent change to Puppet (2.6.18, 2.7.21, 3.1.1) which monkey patched OpenSSL. Since OpenSSL gets used for LDAPS support too and we load Puppet in the app, this change by Puppet now affects Foreman too.
The monkey patch disables SSLv2 support, but also seems to force verification of SSL certificates. Try adding your SSL certificate into the OpenSSL bundle at /etc/pki/tls/certs/ca-bundle.crt, restart Foreman and see if that helps.
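The failure mode described in this comment, shown with an added Ruby script (not Foreman's or Puppet's code): it builds a throwaway CA and a server certificate signed by it, runs a local TLS listener in place of the LDAPS server, then connects with VERIFY_PEER, first with an empty trust store (the state once verification is forced and the LDAP CA is not in the bundle) and then with the CA added to the store, which is what copying it into ca-bundle.crt achieves. The certificates, the localhost listener and the function names are constructed for the example.

```ruby
require 'openssl'
require 'socket'
# Constructed test PKI: a throwaway CA and a server cert it signs (not a real LDAP server's cert).
def make_cert(subject, issuer = nil, issuer_key = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer  = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Minimal TLS listener standing in for the LDAPS server: it only completes the handshake.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      ssl.accept.tap { |c| c.sync_close = true }.close
    rescue StandardError # a client that rejects our certificate aborts the handshake; keep serving
    end
  end
  tcp.addr[1] # port picked by the OS
end

# Connect the way Foreman's LDAP client does once verification is forced: VERIFY_PEER against a trust store.
def ldaps_verify(port, ca_cert = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new
  ctx.cert_store.add_cert(ca_cert) if ca_cert # the "add the CA to the bundle" fix
  sock = TCPSocket.new('127.0.0.1', port)
  OpenSSL::SSL::SSLSocket.new(sock, ctx).tap(&:connect).close
  :ok
rescue OpenSSL::SSL::SSLError => e
  e.message # e.g. "... certificate verify failed (unable to get local issuer certificate)"
ensure
  sock&.close
end
CA_CERT, CA_KEY   = make_cert('/CN=Constructed Test CA', ca: true)
SRV_CERT, SRV_KEY = make_cert('/CN=ldap.example.com', CA_CERT, CA_KEY)
PORT = start_tls_server(SRV_CERT, SRV_KEY)
puts "without CA: #{ldaps_verify(PORT)}", "with CA: #{ldaps_verify(PORT, CA_CERT)}"
```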
Updated by Luke Baker over 11 years ago
- Status changed from Feedback to Closed
Yep that did it. Thanks!
Updated by François Deppierraz over 11 years ago
For the record, here's how to fix this issue under Ubuntu 12.04.
- Copy your CA certificate to /usr/local/share/ca-certificates/MyCA.crt
- Run sudo update-ca-certificates
Updated by Mikael Fridh over 11 years ago
Had a similar issue with the foreman() and smartvar() functions, so I did this on the Puppet master:
export CACERT=/var/lib/puppet/ssl/certs/ca.pem; ln -s $CACERT /etc/pki/tls/certs/$(openssl x509 -noout -hash -in $CACERT).0
Updated by Dominic Cleal over 9 years ago
- Description updated (diff)
This has returned in Foreman 1.7.4 and 1.8.0-RC2 and above as part of a CVE fix (#9858), so if you come across this and need to trust your LDAP cert, please see this section in our manual for instructions:
http://theforeman.org/manuals/latest/index.html#4.1.1LDAPAuthentication
Updated by Mizuki Kara over 9 years ago
Just upgraded foreman 1.7.1 -> 1.7.4 today and seem to have this issue after that. I imported both the LDAP CA cert and the Foreman CA cert into my Debian /usr/local/share/ca-certificates/ and ran update-ca-certificates. I can verify the certs were added successfully, but it doesn't do the trick. What I see on the LDAP server side is the following:
Apr 8 12:37:19 ns2 slapd2576: conn=809043 fd=21 ACCEPT from IP=10.0.1.59:37084 (IP=0.0.0.0:636)
Apr 8 12:37:19 ns2 slapd2576: conn=809043 fd=21 closed (TLS negotiation failure)
But other services that connect to LDAP servers through LDAPS work just fine. Any hints?
Updated by Dominic Cleal over 9 years ago
Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs
At the end of the output it should say "Verify return code: 0 (ok)"; if not, please pastebin the output.
Updated by Mizuki Kara over 9 years ago
Dominic Cleal wrote:
Try running: openssl s_client -connect ldap.example.com:636 -CApath /etc/ssl/certs
At the end of the output it should say "Verify return code: 0 (ok)"; if not, please pastebin the output.
Yes, it does say Verify return code: 0 (ok) indeed.
Updated by Vasil Mikhalenya over 9 years ago
The same issue for me after the 1.6 -> 1.7.4 upgrade. Foreman AD auth through LDAPS stopped working.
But the certs are trusted:
root@v-foreman:~# openssl s_client -CApath /etc/ssl/certs -connect dc.corp.local:636 2>/dev/null |grep Verify
Verify return code: 0 (ok)
Updated by Vasil Mikhalenya over 9 years ago
lsb_release -d
Description: Ubuntu 12.04.4 LTS
Updated by Olivier Widmer over 9 years ago
We have the same problem as Mizuki Kara described. LDAP stopped working after upgrade to Version 1.7.4
lsb_release -d
Description: Ubuntu 14.04.2 LTS
Updated by Dominic Cleal over 9 years ago
- Related to Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation added
Updated by Marek Hulán over 9 years ago
Just verified the steps mentioned in comment 3 on Debian GNU/Linux 7.8 (wheezy); works for me (the cert is self-signed).
You can use the following command to find the correct certificate:
openssl s_client -connect ldap.example.com:636 -showcerts