can't use godaddy SSL cert
bluethundr
bluethundr at gmail.com
Sun Nov 28 17:51:50 UTC 2010
Hi Erik and John
Thanks for your input.
> As mentioned in my previous mail, there is no need to specify
> TLSCACertificateFile in slapd.conf unless your server will request client
> certificate for authentication. Nor is there any point in trying multiple
> files, you can concatenate the CA certificates into a single file.
I have removed TLSCACertificateFile from slapd and now recognize that
this directive is only needed on the client side. Thanks for clueing
me into that.
And here is my /etc/ldap.conf file on the CentOS 5.5 client:
[root at VIRCENT03:~]#cat /etc/ldap.conf
host 192.168.1.44
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
TLS_CACERT /etc/openldap/cacerts/gd_sf_all.crt
And here are the contents of the cacerts directory on the CentOS 5.5 client:
[root at VIRCENT03:~]#ls -l /etc/openldap/cacerts/
total 36
-r--r--r-- 1 root root 27529 Nov 28 12:10 all.crt
lrwxrwxrwx 1 root root 7 Nov 28 12:20 b737b221.0 -> all.crt
And this is the way that nsswitch is set up on the CentOS client:
passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap
I have revised the location of the cert files on the server noted in
slapd.conf in order to separate out the certs from the cacerts. This
is just to organize things a little more neatly.
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/slapd.pem
And here are the contents of the /usr/local/etc/openldap/certs
directory, also on the server that is referenced in the TLS lines in
slapd.conf:
-r--r--r-- 1 root ldap 2309 Nov 26 18:52 LBSD2.summitnjhome.com.crt
dr--r--r-- 3 root ldap 512 Nov 28 03:32 bak
drwxr-xr-x 2 root ldap 512 Nov 28 03:26 cacerts
-r--r--r-- 1 root ldap 2309 Nov 26 18:53 slapd.crt
-r--r--r-- 1 root ldap 1781 Nov 26 18:36 slapd.csr
-r--r--r-- 1 root ldap 3311 Nov 26 18:35 slapd.key
-r--r--r-- 1 root ldap 3243 Nov 26 18:54 slapd.pem
Here is the location of the cacert file on the server that the
/etc/ldap.conf file on the client references:
LBSD2# ls -l /usr/local/etc/openldap/certs/cacerts
-r--r--r-- 1 root ldap 27529 Nov 28 15:49 all.crt
The all.crt file is the result of concatenating these files together:
all.crt gdroot-g2.crt sf_issuing.crt
ca_bundle.crt sf_bundle.crt sfroot-g2.crt
gd_bundle.crt sf-class2-root.crt sfsroot.crt
gd-class2-root.crt sf_cross_intermediate.crt sfsroot-g2.crt
gd_intermediate.crt sf_intermediate.crt
Here is where the testing begins:
[root at VIRCENT03:~]#openssl s_client -connect ldap.summitnjhome.com:389
-showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/all.crt
10073:error:02001002:system library:fopen:No such file or
directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/all.crt','r')
10073:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
10073:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
10073:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
CONNECTED(00000003)
10065:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
As you can see I have provided openssl the full path to the all.crt
file on the server and am still receiving a handshake failure. It
looks like
When I turn
> No. I assume that your hostname is the CN indicated above, so your -h is not
> the issue. When you do -ZZ then ldapsearch will fail if it cannot validate
> the certificate. You can try with a single -Z to see if it works.
Yes the hostname is in the CN of the cert file. So I agree that -h is
not the issue. :)
When I try to turn on LDAP with TLS on a CentOS machine, getent
freezes when it tries to access the information in LDAP:
I have scp'd the cert file to the right location on the CentOS machine
(/etc/openldap/cacerts)
Here's what happens when I try to connect using openssl s_client from
a remote machine (CentOS):
[root at LCENT01 ~]# LBSD2# openssl s_client -connect
ldap.summitnjhome.com:389 -showcerts -CAfile
/usr/local/etc/openldap/certs/cacerts/gd_sf_all.crt
-bash: LBSD2#: command not found
[root at LCENT01 ~]# openssl s_client -connect ldap.summitnjhome.com:389
-showcerts -CAfile /usr/local/etc/openldap/certs/cacerts/gd_sf_all.crt
4299:error:02001002:system library:fopen:No such file or
directory:bss_file.c:122:fopen('/usr/local/etc/openldap/certs/cacerts/gd_sf_all.crt','r')
4299:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
4299:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
4299:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
As you can see I have provided openssl s_client with the full path to
the cacert (all.crt) on the server. It looks as if it's claiming that
the file isn't there, when it clearly is.
If I do an ldapsearch from the CentOS client it claims that it can't
verify the certificate:
[root at VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -Z
-D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If I provide some more information with the -d -44 flags this is what I see:
[root at VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -d
-44 -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)"
-W
ber_dump: buf=0x8eb62e8 ptr=0x8eb62e8 end=0x8eb6307 len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_dump: buf=0x8eb62e8 ptr=0x8eb62ed end=0x8eb6307 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_dump: buf=0x8eb7678 ptr=0x8eb7678 end=0x8eb7684 len=12
0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
ber_dump: buf=0x8eb7678 ptr=0x8eb767b end=0x8eb7684 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
request done: ld 0x8ead530 msgid 1
ber_dump: buf=0x8eb7678 ptr=0x8eb767b end=0x8eb7684 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ber_dump: buf=0x8eb7678 ptr=0x8eb767b end=0x8eb7684 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ber_dump: buf=0x8eb7678 ptr=0x8eb7684 end=0x8eb7684 len=0
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ber_dump: buf=0x8f1e6a0 ptr=0x8f1e6a0 end=0x8f1e6e0 len=64
0000: 30 3e 02 01 02 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ber_dump: buf=0x8f1e6a0 ptr=0x8f1e6a5 end=0x8f1e6e0 len=59
0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9..............
0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass
0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS
0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I am including the output of a -d -1 as an attachment for those that
are still curious because the output of that command is quite long. :)
When I issue getent commands for passwd and group it hangs forever
when it tries to access information from ldap:
[root at VIRCENT03:~]#getent passwd | grep ldapAccount
[root at VIRCENT03:~]#getent group | grep ldapAccount
However if I remove TLS from the equation with the -x flag everything
starts working again:
[root at VIRCENT03:~]#ldapsearch -x -h ldap -b "dc=summitnjhome,dc=com"
-D "cn=Manager,dc=summitnjhome,dc=com" -w localG30rg3T0wn
"(objectclass=sudoRole)"
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (objectclass=sudoRole)
# requesting: ALL
#
# defaults, sudoers, Services, summitnjhome.com
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
# %wheel, sudoers, Services, summitnjhome.com
dn: cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %wheel
sudoUser: bluethundr
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
That's all I have for now. Sincere thanks to all those who have
provided input. I'll keep pounding away at this and hopefully figure
this out today.
Best regards!!!
On Thu, Nov 25, 2010 at 12:10 PM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 25/11/10 17.26, bluethundr wrote:
>
>> I have setup the certificate chain in my slapd.conf like so:
>>
>> [root at LBSD2:/usr/home/bluethundr]#grep -i tls
>> /usr/local/etc/openldap/slapd.conf## TLS options for slapd
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLSCertificateFile
>> /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
>> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>>
>> I have tried each of the following certs with no luck in getting my
>> cert to talk to it's CA:
>>
>> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
>> -r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
>> -r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
>
> As mentioned in my previous mail, there is no need to specify
> TLSCACertificateFile in slapd.conf unless your server will request client
> certificate for authentication. Nor is there any point in trying multiple
> files, you can concatenate the CA certificates into a single file.
>
> Since these are certificates you can leave global read access.
>
>> and I get the same result for each when I attempt to connect to SSL on
>> the LDAP server:
>>
>> [root at LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
>> ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
>> 13730:error:02001002:system library:fopen:No such file or
>> directory:bss_file.c:122:fopen('sf_issuing.crt','r')
>> 13730:error:2006D080:BIO routines:BIO_new_file:no such
>> file:bss_file.c:125:
>> 13730:error:0B084002:x509 certificate
>> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
>> CONNECTED(00000003)
>> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:188:
>
> Can't find sf_issuing.crt, well, from your CWD it appears that the
> certificate is not found in that path.
>
>> ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
>>
>> TLS certificate verification: depth: 0, err: 20, subject:
>> /O=LBSD2.summitnjhome.com/OU=Domain Control
>> Validated/CN=LBSD2.summitnjhome.com, issuer:
>> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
>> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
>> Certification Authority/serialNumber=07969287
>> TLS certificate verification: Error, unable to get local issuer
>> certificate
>> tls_write: want=7, written=7
>> 0000: 15 03 01 00 02 02 30 ......0
>> TLS trace: SSL3 alert write:fatal:unknown CA
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS: can't connect.
>> ldap_perror
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> It seems to indicate that it can't talk to it's CA...
>>
>> does anyone have any suggestions on how to make this work?
>
> No. I assume that your hostname is the CN indicated above, so your -h is not
> the issue. When you do -ZZ then ldapsearch will fail if it cannot validate
> the certificate. You can try with a single -Z to see if it works.
>
> You have not included your ldap.conf above, the ldapsearch reads ldap.conf,
> including where to find any ca certificates. Either you have not installed
> the godaddy CA certificate or not updated your ldap.conf accordingly.
>
> BR, Erik
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
-------------- next part --------------
[root at VIRCENT03:~]#ldapsearch -h ldap -b "dc=summitnjhome,dc=com" -d -1 -Z -D "cn=Manager,dc=summitnjhome,dc=com" "(objectclass=sudoRole)" -W
ldap_create
ldap_url_parse_ext(ldap://ldap)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.44:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0xa0312e8 ptr=0xa0312e8 end=0xa031307 len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0xa0312e8 ptr=0xa0312ed end=0xa031307 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0xa028530 msgid 1
wait4msg ld 0xa028530 msgid 1 (infinite timeout)
wait4msg continue ld 0xa028530 msgid 1 all 1
** ld 0xa028530 Connections:
* host: ldap port: 389 (default)
refcnt: 2 status: Connected
last used: Sun Nov 28 12:39:55 2010
** ld 0xa028530 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0xa028530 Response Queue:
Empty
ldap_chkResponseList ld 0xa028530 msgid 1 all 1
ldap_chkResponseList returns ld 0xa028530 NULL
ldap_int_select
read1msg: ld 0xa028530 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 78 07 0a 0....x..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0xa032690 ptr=0xa032690 end=0xa03269c len=12
0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
read1msg: ld 0xa028530 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0xa032690 ptr=0xa032693 end=0xa03269c len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
read1msg: ld 0xa028530 0 new referrals
read1msg: mark request completed, ld 0xa028530 msgid 1
request done: ld 0xa028530 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0xa032690 ptr=0xa032693 end=0xa03269c len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0xa032690 ptr=0xa032693 end=0xa03269c len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ber_scanf fmt (}) ber:
ber_dump: buf=0xa032690 ptr=0xa03269c end=0xa03269c len=0
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=121, written=121
0000: 80 77 01 03 01 00 4e 00 00 00 20 00 00 39 00 00 .w....N... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............
0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 05 00 ..3..2../.......
0030: 00 04 01 00 80 00 00 15 00 00 12 00 00 09 06 00 ................
0040: 40 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 @...............
0050: 00 00 03 02 00 80 00 00 ff d2 49 1a b8 a2 59 29 ..........I...Y)
0060: 8f 56 dd af 9e fb 9b f7 1a cd 7f fd f4 12 ed c2 .V..............
0070: c8 7c 9b 74 fb bf 22 10 3e .|.t..".>
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
0000: 00 46 03 01 4c f2 cd 04 36 77 bc 36 fd a3 c6 bd .F..L...6w.6....
0010: 9d d4 2f 03 6a 9d e7 5a 92 fe 58 1a ab 98 7b 3a ../.j..Z..X...{:
0020: d1 09 8f 82 20 c4 84 9a 2b 22 6f 9b f7 92 4e 18 .... ...+"o...N.
0030: 96 86 0e 4a 0a 5d 14 0d a9 f7 17 db 94 21 4c 3f ...J.].......!L?
0040: cd e0 6f 41 f6 00 35 00 ..oA..5.
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 06 8b .....
tls_read: want=1675, got=1364
0000: 0b 00 06 87 00 06 84 00 06 81 30 82 06 7d 30 82 ..........0..}0.
0010: 05 65 a0 03 02 01 02 02 07 04 30 d7 a0 27 65 40 .e........0..'e@
0020: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 0...*.H........0
0030: 81 ca 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 ..1.0...U....US1
0040: 10 30 0e 06 03 55 04 08 13 07 41 72 69 7a 6f 6e .0...U....Arizon
0050: 61 31 13 30 11 06 03 55 04 07 13 0a 53 63 6f 74 a1.0...U....Scot
0060: 74 73 64 61 6c 65 31 1a 30 18 06 03 55 04 0a 13 tsdale1.0...U...
0070: 11 47 6f 44 61 64 64 79 2e 63 6f 6d 2c 20 49 6e .GoDaddy.com, In
0080: 63 2e 31 33 30 31 06 03 55 04 0b 13 2a 68 74 74 c.1301..U...*htt
0090: 70 3a 2f 2f 63 65 72 74 69 66 69 63 61 74 65 73 p://certificates
00a0: 2e 67 6f 64 61 64 64 79 2e 63 6f 6d 2f 72 65 70 .godaddy.com/rep
00b0: 6f 73 69 74 6f 72 79 31 30 30 2e 06 03 55 04 03 ository100...U..
00c0: 13 27 47 6f 20 44 61 64 64 79 20 53 65 63 75 72 .'Go Daddy Secur
00d0: 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 e Certification
00e0: 41 75 74 68 6f 72 69 74 79 31 11 30 0f 06 03 55 Authority1.0...U
00f0: 04 05 13 08 30 37 39 36 39 32 38 37 30 1e 17 0d ....079692870...
0100: 31 30 31 31 32 36 31 39 33 35 31 37 5a 17 0d 31 101126193517Z..1
0110: 31 31 31 32 35 30 31 30 31 34 31 5a 30 65 31 1f 11125010141Z0e1.
0120: 30 1d 06 03 55 04 0a 13 16 4c 42 53 44 32 2e 73 0...U....LBSD2.s
0130: 75 6d 6d 69 74 6e 6a 68 6f 6d 65 2e 63 6f 6d 31 ummitnjhome.com1
0140: 21 30 1f 06 03 55 04 0b 13 18 44 6f 6d 61 69 6e !0...U....Domain
0150: 20 43 6f 6e 74 72 6f 6c 20 56 61 6c 69 64 61 74 Control Validat
0160: 65 64 31 1f 30 1d 06 03 55 04 03 13 16 4c 42 53 ed1.0...U....LBS
0170: 44 32 2e 73 75 6d 6d 69 74 6e 6a 68 6f 6d 65 2e D2.summitnjhome.
0180: 63 6f 6d 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 com0.."0...*.H..
0190: 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 ...........0....
01a0: 82 02 01 00 d3 f5 ce 7a 83 37 67 f1 87 ed 61 25 .......z.7g...a%
01b0: 08 52 6e a2 89 11 92 95 94 55 37 26 7b 1b 36 f0 .Rn......U7&{.6.
01c0: 96 d8 77 66 b3 fe d1 3d dc d8 2c df b6 04 2b 2a ..wf...=..,...+*
01d0: 55 ce 46 29 5b 10 66 c9 88 aa 14 9c db 75 dd d2 U.F)[.f......u..
01e0: 08 28 9f ce f5 b3 bb bc 87 a0 2f 82 34 18 44 d2 .(......../.4.D.
01f0: b9 49 fd 81 e1 f2 96 c2 32 4f 74 61 c8 ae ca 04 .I......2Ota....
0200: 60 5f 97 02 04 bc ee 2d 81 53 9c 82 66 77 5c ae `_.....-.S..fw\.
0210: 3d 18 c3 42 98 3e 0d 42 97 84 68 9f ea 3f fc 99 =..B.>.B..h..?..
0220: 7a b4 68 5f fa 0e 99 a7 76 a5 5c c5 a9 4f 4f b5 z.h_....v.\..OO.
0230: 88 64 b2 f0 e3 37 21 c0 83 c1 2b b5 ba 90 68 63 .d...7!...+...hc
0240: c4 9b fe 8d ce 7d da d4 f8 e1 55 0b 25 14 24 10 .....}....U.%.$.
0250: fc 16 50 ec 3d b5 1f d8 4a c7 12 3f 32 0d 91 c0 ..P.=...J..?2...
0260: ae ae a0 17 d5 89 3c 81 3f d0 31 e1 c7 86 78 90 ......<.?.1...x.
0270: ca 80 82 03 80 bb dc 1b fa 60 5c 55 a3 41 e5 50 .........`\U.A.P
0280: 10 b5 c0 80 08 2f 1e 60 fe 8a 7f 5a 53 9c 8b 48 ...../.`...ZS..H
0290: f6 f6 be 41 da 78 bf 7d 97 87 75 05 53 cb bd 53 ...A.x.}..u.S..S
02a0: ad 9c 12 db ab d8 91 31 8a 58 93 cc 64 80 6f 3c .......1.X..d.o<
02b0: 0a a1 74 9e 34 91 65 c7 5f e3 61 a6 7a cd 7a ab ..t.4.e._.a.z.z.
02c0: f5 f4 d6 4c 40 f2 f0 45 33 89 36 59 33 54 fc 5c ...L@..E3.6Y3T.\
02d0: 28 b2 78 19 17 ac f2 d1 93 4b b7 2c f6 95 c7 86 (.x......K.,....
02e0: 44 4b cf 8f bd 6c 99 1c 0e 94 a7 00 46 af 86 e7 DK...l......F...
02f0: 95 83 83 77 4c 80 b1 c6 f0 0e 81 2a 02 12 98 12 ...wL......*....
0300: ff f5 3f 17 e0 c1 b2 84 7b 53 7e 8e f9 53 73 8a ..?.....{S~..Ss.
0310: de f2 19 65 b7 fe 56 45 d0 05 a2 03 04 84 11 2d ...e..VE.......-
0320: 0d 0b 5f 52 34 c1 22 4a 40 c2 e7 d1 b7 95 cc a7 .._R4."J@.......
0330: 59 38 cf 0f 79 d1 ad 14 14 65 c1 27 60 36 b8 84 Y8..y....e.'`6..
0340: e8 37 96 ea cd 61 8e 9a 71 b0 c0 2c 68 e3 a7 b4 .7...a..q..,h...
0350: 0b 7a cc 71 44 65 14 ac 9d bc 54 f6 01 8e 16 61 .z.qDe....T....a
0360: fb 88 ab ae f7 80 cc 1f 40 87 ab 5e 9b d8 d6 37 ........@..^...7
0370: 3a c5 2f 5b 5f 80 cf 62 b6 93 80 5f 7b 5f ef 6d :./[_..b..._{_.m
0380: cb 8e ef 67 c9 c2 78 37 bb 3e b0 ee a3 07 8a ab ...g..x7.>......
0390: b7 02 76 b6 a0 18 7d 37 cc 54 44 e4 e5 ad 3e f0 ..v...}7.TD...>.
03a0: 97 34 76 c7 02 03 01 00 01 a3 82 01 ca 30 82 01 .4v..........0..
03b0: c6 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 .0...U.......0..
03c0: 01 00 30 1d 06 03 55 1d 25 04 16 30 14 06 08 2b ..0...U.%..0...+
03d0: 06 01 05 05 07 03 01 06 08 2b 06 01 05 05 07 03 .........+......
03e0: 02 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 .0...U..........
03f0: a0 30 33 06 03 55 1d 1f 04 2c 30 2a 30 28 a0 26 .03..U...,0*0(.&
0400: a0 24 86 22 68 74 74 70 3a 2f 2f 63 72 6c 2e 67 .$."http://crl.g
0410: 6f 64 61 64 64 79 2e 63 6f 6d 2f 67 64 73 31 2d odaddy.com/gds1-
0420: 32 36 2e 63 72 6c 30 4d 06 03 55 1d 20 04 46 30 26.crl0M..U. .F0
0430: 44 30 42 06 0b 60 86 48 01 86 fd 6d 01 07 17 01 D0B..`.H...m....
0440: 30 33 30 31 06 08 2b 06 01 05 05 07 02 01 16 25 0301..+........%
0450: 68 74 74 70 73 3a 2f 2f 63 65 72 74 73 2e 67 6f https://certs.go
0460: 64 61 64 64 79 2e 63 6f 6d 2f 72 65 70 6f 73 69 daddy.com/reposi
0470: 74 6f 72 79 2f 30 81 80 06 08 2b 06 01 05 05 07 tory/0....+.....
0480: 01 01 04 74 30 72 30 24 06 08 2b 06 01 05 05 07 ...t0r0$..+.....
0490: 30 01 86 18 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 0...http://ocsp.
04a0: 67 6f 64 61 64 64 79 2e 63 6f 6d 2f 30 4a 06 08 godaddy.com/0J..
04b0: 2b 06 01 05 05 07 30 02 86 3e 68 74 74 70 3a 2f +.....0..>http:/
04c0: 2f 63 65 72 74 69 66 69 63 61 74 65 73 2e 67 6f /certificates.go
04d0: 64 61 64 64 79 2e 63 6f 6d 2f 72 65 70 6f 73 69 daddy.com/reposi
04e0: 74 6f 72 79 2f 67 64 5f 69 6e 74 65 72 6d 65 64 tory/gd_intermed
04f0: 69 61 74 65 2e 63 72 74 30 1f 06 03 55 1d 23 04 iate.crt0...U.#.
0500: 18 30 16 80 14 fd ac 61 32 93 6c 45 d6 e2 ee 85 .0.....a2.lE....
0510: 5f 9a ba e7 76 99 68 cc e7 30 3d 06 03 55 1d 11 _...v.h..0=..U..
0520: 04 36 30 34 82 16 4c 42 53 44 32 2e 73 75 6d 6d .604..LBSD2.summ
0530: 69 74 6e 6a 68 6f 6d 65 2e 63 6f 6d 82 1a 77 77 itnjhome.com..ww
0540: 77 2e 4c 42 53 44 32 2e 73 75 6d 6d 69 74 6e 6a w.LBSD2.summitnj
0550: 68 6f 6d 65 home
tls_read: want=311, got=311
0000: 2e 63 6f 6d 30 1d 06 03 55 1d 0e 04 16 04 14 f4 .com0...U.......
0010: 53 6d 01 69 29 86 69 fc ee 4e d5 94 0c 9a 0e 2c Sm.i).i..N.....,
0020: 00 76 32 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 .v20...*.H......
0030: 05 00 03 82 01 01 00 a8 e3 1c ea 53 86 41 70 63 ...........S.Apc
0040: 45 93 45 e2 fc 60 6b 46 e3 c9 a5 52 d3 78 d0 da E.E..`kF...R.x..
0050: 08 b3 2a 97 ef 76 e4 0a 56 f1 8e e5 56 92 35 04 ..*..v..V...V.5.
0060: cb 7b d8 c9 01 bf b4 b9 7d 1a cf 61 68 b0 80 5e .{......}..ah..^
0070: 54 f4 30 f3 e5 1a 26 22 a9 c3 72 64 b6 b9 2c 6f T.0...&"..rd..,o
0080: 1c 55 16 14 fe eb 71 d9 69 ae 6f 89 5b 7d 33 24 .U....q.i.o.[}3$
0090: 33 a3 33 54 63 e0 79 c5 bb c5 94 a6 2d 0b 4e f8 3.3Tc.y.....-.N.
00a0: 2c e9 b0 59 b3 b3 b4 18 c7 6d ff 13 c3 5a 3e 0e ,..Y.....m...Z>.
00b0: 0e 34 6b 40 73 6d bf e6 9c 70 30 95 7b e2 ac 6d .4k@sm...p0.{..m
00c0: c8 58 92 e4 ca 26 be 65 a7 db 61 b3 41 8f 0e c9 .X...&.e..a.A...
00d0: 5d 0a c8 8d 5d 3a 1b b1 5e e9 0a 3f d8 a9 58 ab ]...]:..^..?..X.
00e0: af 65 41 aa d7 47 47 34 96 f2 13 6d a3 db 9d e2 .eA..GG4...m....
00f0: 72 96 d3 87 34 25 92 eb 96 38 5f 7c f8 2d e1 e4 r...4%...8_|.-..
0100: 26 ce f3 ba f4 fb 89 65 06 50 8c 2e ee 28 e4 c7 &......e.P...(..
0110: e3 2a b1 50 44 b8 91 ed f5 c4 5f 9c dd c6 55 f7 .*.PD....._...U.
0120: 0f 7f e5 5d f2 ae 10 ef f4 ef c5 38 e7 c7 dc 85 ...].......8....
0130: 1e 01 a3 1b f6 d4 f6 .......
TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0xa099bc8 ptr=0xa099bc8 end=0xa099c08 len=64
0000: 30 3e 02 01 02 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ber_scanf fmt ({) ber:
ber_dump: buf=0xa099bc8 ptr=0xa099bcd end=0xa099c08 len=59
0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9..............
0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass
0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS
0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms
ber_flush: 64 bytes to sd 3
0000: 30 3e 02 01 02 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ldap_write: want=64, written=64
0000: 30 3e 02 01 02 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9.........
0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object
0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support
0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms
ldap_result ld 0xa028530 msgid 2
wait4msg ld 0xa028530 msgid 2 (infinite timeout)
wait4msg continue ld 0xa028530 msgid 2 all 1
** ld 0xa028530 Connections:
* host: ldap port: 389 (default)
refcnt: 2 status: Connected
last used: Sun Nov 28 12:40:00 2010
** ld 0xa028530 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 0xa028530 Response Queue:
Empty
ldap_chkResponseList ld 0xa028530 msgid 2 all 1
ldap_chkResponseList returns ld 0xa028530 NULL
ldap_int_select
read1msg: ld 0xa028530 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 16 03 01 00 04 0e 00 00 ........
ber_get_next failed.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
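Two different failures appear in the output above. openssl s_client reports fopen: No such file or directory for the -CAfile argument: that path is opened on the machine where the command is typed, before any handshake, so a path that only exists on the server cannot work from a client. ldapsearch reports err 20, "unable to get local issuer certificate": the TLS_CACERT bundle the client loads does not contain the certificate that issued the server's certificate, so the chain cannot be built. The shell script below is an added example, not part of the original mail or of OpenLDAP; it rebuilds that situation offline with a throwaway root/intermediate/leaf chain generated by openssl, then shows the err 20 result when only the root is in the bundle and the successful verification when root and intermediate are concatenated into one file, as Erik suggests. All names in it (Example Root CA, ldap.example.test, the bundle file names) are made up.

```shell
#!/bin/sh
# Added example, not from the original mail: rebuild the thread's situation
# offline. A server certificate issued by an intermediate CA is verified
# against two CA bundles, and a -CAfile path is checked for existence on the
# client before any handshake. All names (Example Root CA, ldap.example.test)
# are made up; only openssl is required.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue_cert CN NAME ISSUER_CRT ISSUER_KEY ca|leaf
# Writes NAME.key and NAME.crt; an empty ISSUER_CRT means self-signed.
issue_cert() {
    cn=$1 name=$2 ca_crt=$3 ca_key=$4 kind=$5
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$cn" 2>/dev/null
    if [ "$kind" = ca ]; then
        # A CA certificate must carry CA:TRUE, or verify rejects it as issuer
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$name.ext"
    else
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$name.ext"
    fi
    if [ -z "$ca_crt" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
            -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
            -CAcreateserial -days 2 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    fi
}

issue_cert "Example Root CA"         root  ""        ""        ca
issue_cert "Example Intermediate CA" inter root.crt  root.key  ca
issue_cert "ldap.example.test"       ldap  inter.crt inter.key leaf

# Two client-side bundles: the root alone, and root + intermediate
# concatenated into one file (the approach recommended in the thread).
cat root.crt           > root-only.crt
cat root.crt inter.crt > all.crt

# The -CAfile / TLS_CACERT path is opened on the machine running the client,
# so check it there first; this is the "fopen: No such file" case.
cafile_status() {
    if [ -r "$1" ]; then echo present; else echo missing; fi
}

# Verify a leaf against a bundle. Prints "ok", the thread's err 20 text,
# or "failed" for any other verification error.
verify_leaf() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    case $out in
        *"unable to get local issuer certificate"*)
            echo "unable to get local issuer certificate" ;;
        *) echo failed ;;
    esac
}

# Made-up path, standing in for a bundle that exists only on the server
echo "CA file on this host:          $(cafile_status /etc/openldap/cacerts/no-such-bundle.crt)"
echo "verify with root only:         $(verify_leaf root-only.crt ldap.crt)"
echo "verify with root+intermediate: $(verify_leaf all.crt ldap.crt)"
```

The same two checks map directly onto the commands in the thread: run openssl s_client with a -CAfile that `cafile_status` reports as present on the client itself, and make sure the file named by TLS_CACERT in /etc/ldap.conf verifies the server's certificate with `openssl verify` before expecting ldapsearch -Z or getent to succeed.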