self signed ca

Status
Not open for further replies.

bkp

Dabbler
Joined
May 8, 2014
Messages
33
I'm trying to get TLS and LDAP to work. I've imported the CA we use for the ldap server and when I try to connect ldap fails to start. Running ldapsearch to the ldap server in question gives me the following error. Note that I am able to connect from other machines using that CA, so I'm not sure why freenas is giving such a hard time (well, I sorta know, I just don't know what to do about it):

TLS certificate verification: depth: 2, err: 19, subject: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority, issuer: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
That bug is dealing with nginx not ldap. So I don't think it is the same issue.
 

dlavigne

Guest
It is, but I think it is the lack of certificate chain support that is the real issue. If you decide to make a separate bug report, post the issue number here.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
Good point. I tagged to the end of that bug and if they say it is a different issue I'll open another report and post here. Thanks.

That said...how am I to use ldap? I'm told we MUST use TLS (or SSL), but this is keeping me from doing that. Things are on a local network and frankly I was fine not encrypting for this use case. Not ideal, but it worked. Besides, ldap doesn't like certs with IP address it seems. At least, I've not gotten it to work. Now I'm having to try and connect to our remote server which IS encrypted, but I'm stuck with this error.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
I posted to the bug above, but just to add to this thread: I created my own CA and signed my certs for use on our local network (which is where FreeNAS is sitting). Now everything is working fine with encryption except FreeNAS. pam, ldapsearch, what have you. All works great. But when I do an ldapsearch (after importing my CA cert) I get:

ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
 

Dave Genton

Contributor
Joined
Feb 27, 2014
Messages
133
Have you gotten any further? I am having the same issues, although I do have LDAP connected without SSL/TLS & certificate, but that's not what I am looking for. I need the SSO and Kerberos but apparently both the certificate and keytab issues are stopping me. Not only have I connected everything but freenas, but I can use my certificates on freenas and connect using cli without passwords, but the same certificate refuses to work with the ldap service it appears, much like you are seeing.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
No, Dave, I haven't gotten it to work. I'm really frustrated with this. Without encryption 'getent passwd' shows all my ldap users just fine. But no ssh/sftp which really is putting a kink in things. Even samba authenticates fine. But if I can't get ldap working with certs then I can never use ssh/sftp on this server unless I create a local user. I just don't get it.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
I always get a "failed to restart" no matter what I do. I'm also having problems figuring where this is logging an error messages to.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
I'm using the exact same CA for one of my other servers. That one makes a TLS connection just fine. FreeNAS gives me: conn=1028 fd=31 closed (TLS negotiation failure) on the server side when doing an ldap search. On the client side I get: additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate). This makes me think it doesn't like my CA cert.
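The two client-side failures in this thread, "self signed certificate in certificate chain" (OpenSSL verify error 19, in the first post's trace) and "unable to get local issuer certificate" (error 20, in the post above), are both the LDAP client failing to find a trust anchor for the chain the server presents, not a problem with the server's certificate itself. The script below is an added example, not code from the thread or from FreeNAS: it parses an `ldapsearch -d 1` TLS trace, maps the OpenSSL verify error to what the client is missing, flags the self-signed root (issuer DN equals subject DN) that has to be in the trust store, and lists the checks to run from the client. The host name `ldap.example.org` and the `/path/to/ca.pem` path are placeholders; the sample trace is the one quoted in the first post, reproduced here as constructed input so the script runs offline.

```python
import re

# OpenSSL X509 verify result codes as printed after "err:" in the OpenLDAP TLS
# trace, with the standard X509_V_ERR_* message and what it means for the client.
VERIFY_ERRORS = {
    2: ("unable to get issuer certificate",
        "the chain the server sent is missing this certificate's issuer"),
    9: ("certificate is not yet valid", "check the clock on client and server"),
    10: ("certificate has expired", "check the clock and renew the certificate"),
    18: ("self signed certificate",
         "the server presented a self-signed leaf; the client must trust that exact cert"),
    19: ("self signed certificate in certificate chain",
         "the root CA at the top of the server's chain is not in the client's trust store"),
    20: ("unable to get local issuer certificate",
         "an intermediate or the root is missing from the client's trust store"),
    21: ("unable to verify the first certificate",
         "the server sent only the leaf and the client has no issuer for it"),
}
REASON_TO_ERR = {name: code for code, (name, _) in VERIFY_ERRORS.items()}

DEPTH_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$")
REASON_RE = re.compile(r"certificate verify failed \((?P<reason>[^)]+)\)")
ALERT_RE = re.compile(r"TLS trace: SSL3 alert write:fatal:(?P<alert>.+)$")
CONNECT_RE = re.compile(r"ldap_start_tls: Connect error \((?P<code>-?\d+)\)")


def parse_verify_line(line):
    """Parse one 'TLS certificate verification: depth: ...' line into a dict, else None."""
    m = DEPTH_RE.search(line)
    if not m:
        return None
    err = int(m.group("err"))
    name, hint = VERIFY_ERRORS.get(err, ("unknown verify error %d" % err, "see verify(1)"))
    subject, issuer = m.group("subject"), m.group("issuer")
    return {"depth": int(m.group("depth")), "err": err, "name": name,
            "subject": subject, "issuer": issuer,
            # issuer DN == subject DN means self-signed: at the top of a chain
            # that is the root CA the client has to trust explicitly.
            "self_signed": subject == issuer, "hint": hint}


def triage(lines):
    """Summarise an ldapsearch TLS trace: per-depth failures, final reason, alert, connect error."""
    report = {"failures": [], "verify_err": None, "verify_reason": None,
              "fatal_alert": None, "connect_error": None}
    for line in lines:
        f = parse_verify_line(line)
        if f:
            if f["err"] != 0:
                report["failures"].append(f)
            continue
        r = REASON_RE.search(line)
        if r and report["verify_err"] is None:
            report["verify_reason"] = r.group("reason")
            report["verify_err"] = REASON_TO_ERR.get(r.group("reason"))
        a = ALERT_RE.search(line)
        if a:
            report["fatal_alert"] = a.group("alert").strip()
        c = CONNECT_RE.search(line)
        if c:
            report["connect_error"] = int(c.group("code"))
    return report


def missing_trust_anchor(report):
    """DN of the self-signed root the client rejected (err 19), or None if not in the trace."""
    for f in report["failures"]:
        if f["err"] == 19 and f["self_signed"]:
            return f["subject"]
    return None


def diagnosis(report):
    """One-line reading of the report for whoever is staring at 'failed to start'."""
    root = missing_trust_anchor(report)
    if root:
        return "trust store lacks the root CA: %s" % root
    if report["verify_err"] in VERIFY_ERRORS:
        return "%s: %s" % (report["verify_reason"], VERIFY_ERRORS[report["verify_err"]][1])
    if report["fatal_alert"]:
        return "TLS failed with fatal alert '%s'; rerun ldapsearch -d 1 for the verify lines" % report["fatal_alert"]
    return "no TLS verification failure found in this trace"


def suggested_checks(host="ldap.example.org"):  # placeholder host, not from the thread
    """Client-side commands to confirm which certificate the trust store is missing."""
    return [
        # Show the chain the server actually presents; compare its top certificate
        # with the CA you imported.  -starttls ldap needs OpenSSL 1.1.1 or newer.
        "openssl s_client -starttls ldap -connect %s:389 -showcerts </dev/null" % host,
        # Verify the server certificate against the CA file the LDAP client should use.
        "openssl verify -CAfile /path/to/ca.pem server.pem",
        # Point the OpenLDAP client at that CA file explicitly and require TLS (-ZZ).
        "LDAPTLS_CACERT=/path/to/ca.pem ldapsearch -ZZ -x -H ldap://%s -b '' -s base" % host,
    ]


# Constructed sample: the trace quoted in the first post, as the script's offline input.
SAMPLE_TRACE = [
    "TLS certificate verification: depth: 2, err: 19, subject: /C=IL/O=StartCom Ltd./"
    "OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority, issuer: "
    "/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority",
    "TLS certificate verification: Error, self signed certificate in certificate chain",
    "TLS trace: SSL3 alert write:fatal:unknown CA",
    "TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
    "certificate verify failed (self signed certificate in certificate chain).",
    "ldap_start_tls: Connect error (-11)",
]

if __name__ == "__main__":
    rep = triage(SAMPLE_TRACE)
    print(diagnosis(rep))
    for cmd in suggested_checks():
        print("  ", cmd)
```

The point of the `self_signed` check is the one that matters for the first post: the verification stopped at depth 2 on a certificate whose issuer is itself, which is the StartCom root, so the CA file the client is reading must contain that exact root, whichever file was imported in the GUI. If `openssl verify -CAfile` passes on the client but `ldapsearch -ZZ` still fails, the LDAP client is reading a different trust store than the one being tested, and the `LDAPTLS_CACERT` run tells the two cases apart.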
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
Well, another morning wasted. Can someone point out where logging is being done for this? When I try to start ldap on the Directory->LDAP screen I'm told "failed to start". What failed to start, exactly? And where are the logs?

Like I said, I'm using TLS on my other servers without issue. In fact, I have two ldap servers, one of which has a commercial cert from RapidSSL. I used that CA cert for this and still no joy. (See last post).

b--
 

Dave Genton

Contributor
Joined
Feb 27, 2014
Messages
133

I hear you. Countless (literally) days, weeks, months now, but I gave up after the unprofessionalism of the bug ticket I last opened, and had closed due to being one month old with no activity. Yet each week of those four weeks the owning engineer/programmer made a single entry stating "not this week, too busy, maybe next week" or something to that effect.

Entire lab environment built for my "lab" that travels with me when I design and build a new datacenter or datacenter "pod" within an existing dc for my customers. Needing to generate traffic, both block and file level, to emulate day to day file shares and transfer, plus dedicated SAN booting from iSCSI LUNs for some guests and hosts. With one physical and one virtual for replication between nodes etc. LDAP needed for authentication of all devices in my "pod". This is production to me, and used as a temporary environment on new datacenter networks as part of my resiliency and redundancy testing. Prior to handing off to the customer for live traffic I spend days using this gear emulating real world scenarios to prove hardware and software as well as my design. This was HUGE exposure with many clients inquiring specifically into my Storage/SAN hosts and wanting help setting FreeNAS up in their lab right then and there.

Now, iSCSI won't work if I update it above 2015-07162300, which appears to delete the /etc/ctl.conf. But for LDAP the network is a single Cisco switch, servers using LDAP in that common switch, common vlan/subnet, no routing, standard mtu, yet the only assistance I got was diagnosed as a network "issue". C'mon, the network engineer gets the network scapegoat.... Well I gave up, but left it configured and started allowing daily builds to attempt to bind each day one was released as an automated or automatic way of checking. Knowing I went thru all parameters, and the majority of users doing the same thing appear online to have consistently the same failures/issues I am having, some exact down to the smallest detail.

Well, June 27th 0630hrs nightly image release booted up and went green !!! meaning it did bind with Open Directory, and then Active Directory as well as others prior have, but this time it marked a milestone being the first time with security enabled !! Yes, with ssl/tls, my certificates generated for this system specifically, it started working.

Now another consistency though: for the Kerberos I set the realm, but MUST leave the keytab untouched. In that version and in all tested since then, if I attempt to select a keytab file in the GUI drop down menu the FreeNAS GUI crashes !!! 2-3 pages like a "dump" for django and nginx if I recall correctly. So working around the GUI for keytab I got it working with AD 2008, AD 2012, and Open Directory which is always 10.10 Yosemite. The next image worked as well, stable version worked but then it broke again. I left it configured on the nightly version for awhile then abandoned it altogether as it's too inconsistent. Some days the groups show, but no users, then users but no groups, or they all show, and all works via CLI perfectly, but authentication fails using tested and working accounts in CLI, and it's just up and down like that to the point I am fed up.

Need a new NAS I think because centralized authorization and CONSISTENCY is required for my job. I am the trusted advisor as many of my clients call me, and I was the FreeNAS cheerleader until recently. I was a traveling commercial giving live demos surprising many customers using EMC and NetApp in their datacenters I am building. Small and Medium businesses almost always call me back or pull me aside to speak to FreeNAS and how it can help them out; many large Enterprises inquire just the same or want it in their lab for the SAN/NAS side. Never asked for anything but some LDAP config assistance and testing due to SO MANY people having the same issue. Instead you get insulted by the bully watch dog in the forums speaking to technical aspects he has no business guessing about, let alone speaking on as an authority on the subject. Or your bug gets closed for inactivity caused by internal folks..... Keep me posted if you find anything, but hey, one more point of contention for me that possibly affects you: the IdMap backend settings documented in the config guide, back then and today, still.

I found a bug ticket someone opened on behavior of the IdMap backend changing or not working in his network and the programmer berated him asking why he used "that" setting. He said it's clearly incorrect and for AD you should be using "this" setting instead. We both changed that setting and BAM, again green connection where for weeks it was red and inoperable. If anyone would have listened I would have raised the issue again and called out exact pages it's documented wrong per that particular engineer. I remember the customer with the issue stating the document statement is why he had it selected, but all this time later, nothing updated in the document that I have seen.

All in all, with all this non-working LDAP time over the past 90 days, I have had only about a week or two of time it was green or "up" and connected. Thru those days of testing etc. not once ever did it work across the board. Never did an account authenticate properly 100% of the time in both the CLI window and then from a workstation or server once the CLI tested successfully. That and groups/users appearing and disappearing was irritating, but the end all be all is once I finally saw SSO/Kerberos working across both windows and macs to freenas in a fashion that started looking acceptable, something of course would pop up. In my case, and when I called it, the GUI started flaking again. Keytab still NEVER could be filled in since june 27th and it started connecting, but this new issue: when clients authenticated fine in CLI and across the network using shares, the Storage Tab, Permissions, Groups were fine, Users didn't show, only local freenas users.. but CLI showed them in testing... Can't keep going, but this loop is likely never ending, so like ldap on freenas, iscsi, and likely freenas unless drastic changes pop up this weekend, I'm calling it.

Good Luck !! Hope yours goes better than mine
dave
 

Dave Genton

Contributor
Joined
Feb 27, 2014
Messages
133
idk, I put a whole reply here but deleted it knowing better from recent past. I remember being told ad for active directory, and rfc2307 for open directory, and I think the guide said that. This is memory from back then and no freenas in front of me now. Then in a bug from a search I did, a user with symptoms like mine, where a clean ldap server system is flaky when you can get it to bind, was told to use rid with active directory instead of ad. I changed to rid and clicked the box to activate and clicked save, service restarted and connected for the first time ever to ad with months of posts and tickets under my belt at that point... live and learn, but that alone cost many folks much time they cannot get back, and it was like common knowledge despite going against current docs and ALL other post responses for ad.

Learned A LOT, good thing, but unfortunately it all goes against freenas documentation giving the impression simply type domain name, username and password in a wizard and ad/ldap is completed, all other settings for advanced setup only... hardly true, but could be close I found with AD, if AD tweaked far from defaults in 2012/2012r2, 2008/2008r2 and I didn't go farther. But with few gpo changes on clean directories it's sort of that simple.. precludes security stated mandatory, speak nothing of deep changes in windows server to be done that the storage guy likely won't have access to, but dropping security to do so, enough to say no. Then other than AD, forget about it; once you do get it done and working like I did with a specific image out of about 60 of them, omitting the keytab but including realm makes it work. Adding keytab crashed that gui frame inside the browser stating django and nginx issues for 2-3 pages, consistently every time, no saving, just selecting the keytab, any keytab, and crash, before saving or trying to activate.

Had to add the keytab manually via cli, but it works great in cli, again in gui, here and there, never "the way it should" while all other servers in the room are working as expected using the same certs, settings etc.. Sorry, much more than I had time for, gotta go get a new /etc/ctl.conf on my freenas as every upgrade deletes them now, I found is the reason iSCSI dies when upgraded from that june 26th image posted earlier... can't get around it, been doing it for four weeks, I am sure others are posting bug id's, I revert and iscsi is back, steal ctl.conf and can be working, but have to find "something" with ldap authentication and kerberos to replace these 2 freenas in the very near future for a new position I took seeing much higher volume of Enterprise customers across more territory.. Good advertisement if you got a "working" build somewhere that's stable and has all today's features I can use...

dave
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194

Paragraphs are your friend, by the way. That is one mighty hard to follow wall of text.
 

DaveY

Contributor
Joined
Dec 1, 2014
Messages
141
I know this thread is super old, but has anyone else found a fix? I'm running into the same issue not being able to authenticate users over ssh. I can't believe this is still not resolved after 3 years.

Is there a way to maybe add the self-signed cert into the trust file?
 

dlavigne

Guest
Please start a new post that contains your hardware specs, version, and details on your configuration.
 