Postgres secure ldap authentication issues - postgresql
I cannot seem to get my CNPG postgres database to connect to LDAP via secured means; I've setup a bitnami openldap container with a user user01 and password password01 and can bind to it via ldapsearch fine:
❯ ldapsearch -H ldap://openldap-test.example.org -D "cn=user01,ou=users,dc=example,dc=org" -w 'password01' -b 'dc=example,dc=org'
❯ ldapsearch -H ldaps://openldap-test.example.org -D "cn=user01,ou=users,dc=example,dc=org" -w 'password01' -b 'dc=example,dc=org'
❯ ldapsearch -Z -H ldap://openldap-test.example.org -D "cn=user01,ou=users,dc=example,dc=org" -w 'password01' -b 'dc=example,dc=org'
All return results as expected - ie both ldap, ldaps and STARTTLS are functional.
In my Postgres database I've tried setting CNPN values to
postgresql:
ldap:
scheme: ldap[s]
server: openldap-test.example.org
tls: false
port: [389|636]
bindAsAuth:
prefix: 'cn='
suffix: ',ou=users,dc=example,dc=org'
depending upon:
clear-text: port=389, scheme=ldap, tls=false
ldaps: port=636, scheme=ldaps, tls=false
starttls: port=389, scheme=ldap, tls=true
which results in pg_hba.conf being populated as such:
host all all 0.0.0.0/0 ldap ldapserver=openldap-test.example.org ldapport=389 ldapscheme=ldap ldapprefix="cn=" ldapsuffix=",ou=users,dc=example,dc=org"
host all all 0.0.0.0/0 ldap ldapserver=openldap-test.example.org ldapport=636 ldapscheme=ldaps ldapprefix="cn=" ldapsuffix=",ou=users,dc=example,dc=org"
host all all 0.0.0.0/0 ldap ldapserver=openldap-test.example.org ldapport=389 ldapscheme=ldap ldaptls=1 ldapprefix="cn=" ldapsuffix=",ou=users,dc=example,dc=org"
respectively.
logging in with:
PGPASSWORD=password01 psql -h postgres-database -U user01 -d mydb
only works for the clear-text (port 389, no STARTTLS). When attempting to use the other two methods, I get this error:
psql: error: connection to server at "postgres-database", port 5432 failed: FATAL: LDAP authentication failed for user "user01"
The output from the postgres container with TLS
{"level":"info","ts":1663799766.7574096,"logger":"postgres","msg":"record","logging_pod":"usdf-butler-ldap-1","record":{"log_time":"2022-09-21 22:36:06.757 UTC","user_name":"user01","database_name":"lsstdb1","process_id":"37730","connection_from":"192.168.252.244:54054","session_id":"632b91d6.9362","session_line_num":"1","command_tag":"authentication","session_start_time":"2022-09-21 22:36:06 UTC","virtual_transaction_id":"3/63120","transaction_id":"0","error_severity":"LOG","sql_state_code":"00000","message":"LDAP login failed for user \"cn=user01,ou=users,dc=example,dc=org\" on server \"openldap-test.example.org\": Can't contact LDAP server","detail":"LDAP diagnostics: (unknown error code)","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":1663799766.7574224,"logger":"postgres","msg":"record","logging_pod":"usdf-butler-ldap-1","record":{"log_time":"2022-09-21 22:36:06.757 UTC","user_name":"user01","database_name":"lsstdb1","process_id":"37730","connection_from":"192.168.252.244:54054","session_id":"632b91d6.9362","session_line_num":"2","command_tag":"authentication","session_start_time":"2022-09-21 22:36:06 UTC","virtual_transaction_id":"3/63120","transaction_id":"0","error_severity":"FATAL","sql_state_code":"28000","message":"LDAP authentication failed for user \"user01\"","detail":"Connection matched pg_hba.conf line 14: \"host all all 0.0.0.0/0 ldap ldapserver=openldap-test.example.org ldapport=636 ldapscheme=ldaps ldapprefix=\"cn=\" ldapsuffix=\",ou=users,dc=example,dc=org\"\"","backend_type":"client backend","query_id":"0"}}
.. and with STARTTS:
{"level":"info","ts":1663799655.9419446,"logger":"postgres","msg":"record","logging_pod":"usdf-butler-ldap-1","record":{"log_time":"2022-09-21 22:34:15.941 UTC","user_name":"user01","database_name":"lsstdb1","process_id":"37528","connection_from":"192.168.252.244:36380","session_id":"632b9167.9298","session_line_num":"1","command_tag":"authentication","session_start_time":"2022-09-21 22:34:15 UTC","virtual_transaction_id":"3/62785","transaction_id":"0","error_severity":"LOG","sql_state_code":"00000","message":"could not start LDAP TLS session: Connect error","detail":"LDAP diagnostics: (unknown error code)","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":1663799655.9419892,"logger":"postgres","msg":"record","logging_pod":"usdf-butler-ldap-1","record":{"log_time":"2022-09-21 22:34:15.941 UTC","user_name":"user01","database_name":"lsstdb1","process_id":"37528","connection_from":"192.168.252.244:36380","session_id":"632b9167.9298","session_line_num":"2","command_tag":"authentication","session_start_time":"2022-09-21 22:34:15 UTC","virtual_transaction_id":"3/62785","transaction_id":"0","error_severity":"FATAL","sql_state_code":"28000","message":"LDAP authentication failed for user \"user01\"","detail":"Connection matched pg_hba.conf line 14: \"host all all 0.0.0.0/0 ldap ldapserver=openldap-test.example.org ldapport=389 ldapscheme=ldap ldaptls=1 ldapprefix=\"cn=\" ldapsuffix=\",ou=users,dc=example,dc=org\"\"","backend_type":"client backend","query_id":"0"}}
the logs from openldap:
632b9167.376217e9 0x7f784ae33700 conn=1005 fd=14 ACCEPT from IP=172.24.4.42:25550 (IP=0.0.0.0:389)
632b9167.376345a0 0x7f784a632700 conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
632b9167.376425eb 0x7f784a632700 conn=1005 op=0 STARTTLS
632b9167.3765614e 0x7f784a632700 conn=1005 op=0 RESULT oid= err=0 qtime=0.000012 etime=0.000153 text=
632b9167.3792906f 0x7f784a632700 conn=1005 fd=14 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
632b9167.379e8703 0x7f784ae33700 conn=1005 fd=14 closed (connection lost)
632b9167.37ef19fe 0x7f784a632700 conn=1006 fd=14 ACCEPT from IP=172.24.4.42:58264 (IP=0.0.0.0:389)
632b9167.37efd555 0x7f784ae33700 conn=1006 op=0 EXT oid=1.3.6.1.4.1.1466.20037
632b9167.37f01047 0x7f784ae33700 conn=1006 op=0 STARTTLS
632b9167.37f09797 0x7f784ae33700 conn=1006 op=0 RESULT oid= err=0 qtime=0.000006 etime=0.000055 text=
632b9167.381a6e2a 0x7f784ae33700 conn=1006 fd=14 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
632b9167.382591e3 0x7f784a632700 conn=1006 fd=14 closed (connection lost)
632b91d6.2c73ec6d 0x7f784ae33700 conn=1007 fd=14 ACCEPT from IP=172.24.4.42:27509 (IP=0.0.0.0:636)
632b91d6.2c9ede29 0x7f784ae33700 conn=1007 fd=14 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
632b91d6.2ca8d57f 0x7f784a632700 conn=1007 fd=14 closed (connection lost)
632b91d6.2cf610c8 0x7f784ae33700 conn=1008 fd=14 ACCEPT from IP=172.24.4.42:40216 (IP=0.0.0.0:636)
632b91d6.2d1b084d 0x7f784ae33700 conn=1008 fd=14 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
632b91d6.2d24bdaa 0x7f784a632700 conn=1008 fd=14 closed (connection lost)
what is interesting is that each single login attempt with postgres attempts to query ldap twice; each apparently succeeding with the TLS handshake, and then immediately closing. No binding is even attempted. both report sql_state_code of 28000 in postgres.
thinking that this might be a cert issue, from the postgres container i run:
$ openssl s_client -showcerts -verify 5 -connect openldap-test.examp:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/) {a++}; out="cert"a".pem"; print >out}'
$ for cert in *.pem; do openssl verify -show_chain $cert ; done
C = US, ST = **redacted**, O = **redacted**, CN = openldap-test.example.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert1.pem: verification failed
cert2.pem: OK
Chain:
depth=0: C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA (untrusted)
depth=1: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
cert3.pem: OK
Chain:
depth=0: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority (untrusted)
depth=1: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
cert4.pem: OK
Chain:
depth=0: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
any ideas upon why postgres is disconnecting and not even attempting to bind?
I think you have a certificate verification problem. The certificate presented by your LDAP server is not trusted by your postgres server. There are various ways of addressing this problem.
The right way: Install the correct CA certificate
Place the appropriate CA certificate (the one that signed your ldap server certiticate) somewhere on your postgres server (e.g, /etc/ssl/certs/my-ca-certificate.crt).
Configure libldap to trust certificates signed by that CA. Add the following to /etc/ldap/ldap.conf (create the file if it does not exist):
TLS_CACERT /etc/ssl/certs/my-ca-certificate.crt
The wrong way: disable certificate verification
Add the following to /etc/ldap/ldap.conf:
TLS_REQCERT never
If you are unable to write to /etc/ldap/ldap.conf, you can place your configuration in a different file and set the LDAPCONF environment variable to point to that file.
If you're interested, I've set up a simple docker-compose stack for testing this; you can find it here.
Related
Authentication Issues (KRB5\GSS)
We are looking to migrate some systems away from MSSQL. We have our first few environments built and currently using LDAP, which is OK but has a good number of flaws. I followed this link to setup Kreberos\GSS for the most part: https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication Off the bat I got the below error when trying to connect: psql: error: SSPI continuation error: The specified target is unknown or unreachable I believe the SPN is setup properly: setspn -S POSTGRES/server.domain.local domain\service_account I suspect something is wrong in the keytab file, as there is an extra "" between the server FQDN and domain: Keytab name: FILE:/opt/pgsql/server.keytab KVNO Principal ---- -------------------------------------------------------------------------- 5 postgres#server.domain.local\#DOMAIN.LOCAL Server side error: 2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres FATAL: GSSAPI authentication failed for user "user#DOMAIN.LOCAL" 2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss" I'd appreciate any feedback and thank you!
Gmail is blocking to send email via SMTP? [duplicate]
This question already has answers here: smtp error: 535 5.7.8 Username and Password not accepted for gmail in go (4 answers) Closed 2 years ago. I have tried to set up msmtp server from this question PHP+Ubuntu Send email using gmail form localhost. So I have set the default (account) to send from: /etc/msmtprc: defaults tls on tls_starttls on tls_trust_file /etc/ssl/certs/ca-certificates.crt account default host smtp.gmail.com port 587 auth on user autak987#gmail.com password PASSWORD #not real password from autak987#gmail.com logfile /var/log/msmtp.log And now when I try to send a test email (executed as root): echo -e "Subject: Test Mail\r\n\r\nThis is my first test email." | msmtp --debug --from=default -t autak987#gmail.com gives: loaded system configuration file /etc/msmtprc ignoring user configuration file /root/.msmtprc: No such file or directory falling back to default account using account default from /etc/msmtprc host = smtp.gmail.com port = 587 source ip = (not set) proxy host = (not set) proxy port = 0 timeout = off protocol = smtp domain = localhost auth = choose user = autak987#gmail.com password = * passwordeval = (not set) ntlmdomain = (not set) tls = on tls_starttls = on tls_trust_file = /etc/ssl/certs/ca-certificates.crt tls_crl_file = (not set) tls_fingerprint = (not set) tls_key_file = (not set) tls_cert_file = (not set) tls_certcheck = on tls_min_dh_prime_bits = (not set) tls_priorities = (not set) auto_from = off maildomain = (not set) from = default add_missing_from_header = on add_missing_date_header = on remove_bcc_headers = on dsn_notify = (not set) dsn_return = (not set) logfile = /var/log/msmtp.log logfile_time_format = (not set) syslog = (not set) aliases = (not set) reading recipients from the command line and the mail <-- 220 smtp.gmail.com ESMTP o60sm9122564eda.30 - gsmtp --> EHLO localhost <-- 250-smtp.gmail.com at your service, [2a00:1028:8d1b:f32a:baac:e4e8:de4:df3c] <-- 250-SIZE 35882577 <-- 250-8BITMIME <-- 250-STARTTLS <-- 250-ENHANCEDSTATUSCODES <-- 250-PIPELINING <-- 250-CHUNKING <-- 250 SMTPUTF8 --> STARTTLS <-- 220 2.0.0 Ready to start TLS TLS session parameters: (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM) TLS certificate information: Owner: Common Name: smtp.gmail.com Organization: Google LLC Locality: Mountain View State or Province: California Country: US Issuer: Common Name: GTS CA 1O1 Organization: Google Trust Services Country: US Validity: Activation time: Tue 11 Aug 2020 10:57:38 AM CEST Expiration time: Tue 03 Nov 2020 09:57:38 AM CET Fingerprints: SHA256: 8A:D6:DC:62:1D:6B:BB:B9:45:03:38:E8:40:AC:8C:A8:60:75:CF:B6:95:93:83:4C:ED:AD:BA:CA:71:47:44:E7 SHA1 (deprecated): 84:5D:7F:E9:0E:7C:6A:C0:70:F6:04:09:4A:1C:AA:5D:6C:BF:11:E2 --> EHLO localhost <-- 250-smtp.gmail.com at your service, [2a00:1028:8d1b:f32a:baac:e4e8:de4:df3c] <-- 250-SIZE 35882577 <-- 250-8BITMIME <-- 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH <-- 250-ENHANCEDSTATUSCODES <-- 250-PIPELINING <-- 250-CHUNKING <-- 250 SMTPUTF8 --> AUTH PLAIN AGF1dGFrOTg3QGdtYWlsLmNvbQBNaWxhbmJhcm9zMTIz <-- 535-5.7.8 Username and Password not accepted. Learn more at <-- 535 5.7.8 https://support.google.com/mail/?p=BadCredentials o60sm9122564eda.30 - gsmtp msmtp: authentication failed (method PLAIN) msmtp: server message: 535-5.7.8 Username and Password not accepted. Learn more at msmtp: server message: 535 5.7.8 https://support.google.com/mail/?p=BadCredentials o60sm9122564eda.30 - gsmtp msmtp: could not send mail (account default from /etc/msmtprc) msmtp: cannot log to /var/log/msmtp.log: cannot open: Permission denied msmtp: log info was: host=smtp.gmail.com tls=on auth=on user=autak987#gmail.com from=default recipients=autak987#gmail.com smtpstatus=535 smtpmsg='535-5.7.8 Username and Password not accepted. Learn more at\n535 5.7.8 https://support.google.com/mail/?p=BadCredentials o60sm9122564eda.30 - gsmtp' errormsg='authentication failed (method PLAIN)' exitcode=EX_NOPERM So the log says <-- 535-5.7.8 Username and Password not accepted. Learn more at, but I got an warning email someone has tried to log in your account Which I confirm was me. Then it says The application you have tried to use, Google blocked, because it does not fulfil our security standards. So the msmtp does not fulfil security standard? I have donwloaded all the certificate needed (and credentials were correct either login or password). So if msmtp does not fulfil security standard, how can I send email from php form?
You probably need to enable Less Secure Apps in your google account to allow the use of smtp https://support.google.com/accounts/answer/6010255?hl=en If you use 2 factor authentication you will need to generate an app specific password https://support.google.com/accounts/answer/185833?hl=en
With SSL setup on MongoDB, https requests don't work, but http does
I've set up self-signed certs and SSL on my mongo database, according to several articles, the mongodb.org manual, some dba.stackexchange.com questions, and various tutorials.
So, I run an instance of mongodb with the following command (or the config file):
mongod --sslMode requireSSL --sslPEMKeyFile ./selfsignsec/mongodb.pem --sslCAFile ./selfsignsec/ca.pem
And it looks like everything is fine:
[datetime].129-0700 I CONTROL [initandlisten] MongoDB starting : pid=42188 port=27017 dbpath=/data/db
...
[datetime].129-0700 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.2 22 Jan 2015
...
[datetime].129-0700 I CONTROL [initandlisten] options: { net: { ssl: { CAFile: "./selfsignsec/dbclient.pem", PEMKeyFile: "./selfsignsec/mongodb.pem", mode: "requireSSL" } } }
...
[datetime].178-0700 I NETWORK [initandlisten] waiting for connections on port 27017 ssl
Then, I've connected to that instance with a client certificate using this code:
...
var https = require('https'),
fs = require('fs');
...
app.use(methodOverride('X-HTTP-Method-Override')); //ability to use put, etc.
...
// For the moment, allow just about everything for CORS origin, methods, and headers
...
// http://docs.mongodb.org/manual/core/authentication/
var config = {
mongo: {
host: "localhost",
port: 27017,
db: "test",
ssl: true
}
};
var dbstring = "mongodb://" + config.mongo.host + ":" + config.mongo.port +
"/" + config.mongo.db;
var dboptions = {
server: {
ssl: true,
sslCert: fs.readFileSync('./selfsignsec/my-client.crt.pem'),
sslKey: fs.readFileSync('./selfsignsec/my-client.key.pem')
}
};
mongoose.connect(dbstring, dboptions);
mongoose.connection.once('open', function() {
app.models = require('./models/index');
var routes = require('./routes');
_.each(routes, function(controller, route) {
// declaring controllers & pass in the app & route
app.use(route, controller(app, route));
});
console.log('Secure Express server listening on port 27017...');
app.listen(27017);
});
And the server log looks good:
[datetime].166-0700 I NETWORK [initandlisten] connection accepted from 127.0.0.1:57591 #1 (1 connection now open)
...
But, in the browser, when I go to https://localhost:27017/somecollection, the GET fails. I don't get a connection (ERR_CONNECTION_CLOSED).
When I just use http, I get the json collection back!
Another time, I used an admin username & password, and got:
[datetime].347-0700 I ACCESS [conn43] Successfully authenticated as principal adminrole on test
But the browser requests & responses were the same: no response on https and full collection on http request.
If ssl is set on mongod and mongo client, how come http is returning results?
TL;DR:
BTW, if I don't pass any ssl values in the client code, I do get what I expected from the server:
AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
And if I pass in a bad cert, I do get expected:
no SSL certificate provided by peer; connection rejected
end connection 127.0.0.1:55829 (0 connections now open)
Result of incognito requests were the same as above.
Result of netstat -a | grep 27017:
tcp46 0 0 *.27017 *.* LISTEN
tcp4 0 0 localhost.27017 localhost.56297 ESTABLISHED
tcp4 0 0 localhost.56297 localhost.27017 ESTABLISHED
tcp4 0 0 localhost.27017 localhost.56296 ESTABLISHED
tcp4 0 0 localhost.56296 localhost.27017 ESTABLISHED
tcp4 0 0 localhost.27017 localhost.56295 ESTABLISHED
tcp4 0 0 localhost.56295 localhost.27017 ESTABLISHED
tcp4 0 0 localhost.27017 localhost.56294 ESTABLISHED
tcp4 0 0 localhost.56294 localhost.27017 ESTABLISHED
tcp4 0 0 localhost.27017 localhost.56293 ESTABLISHED
tcp4 0 0 localhost.56293 localhost.27017 ESTABLISHED
tcp4 0 0 *.27017 *.* LISTEN
704e9db9a444912b stream 0 0 704e9db9b79bb6c3 0 0 0 /tmp/mongodb-27017.sock
Result of openssl s_client -connect localhost:27017 -tls1 -servername localhost | openssl x509 -text -noout:
depth=1 C = US, ST = CA, L = SanFran, O = Local Signing Authority, CN = localhost
verify error:num=19:self signed certificate in certificate chain
read:errno=0
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13550121380367150794 (0xbc0bb39a9435aeca)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFran, O=Local Signing Authority, CN=localhost
Validity
Not Before: May 21 19:42:47 2015 GMT
Not After : Oct 2 19:42:47 2016 GMT
Subject: C=US, ST=CA, L=SanFran, O=Local Signing Authority, CN=127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:0e:a4:0d:23:6c:a7:01:a9:e7:92:0e:9e:15:
1c:83:5d:91:32:7a:fb:6e:6f:da:ad:70:24:ef:a0:
4d:83:24:a1:f0:d0:6a:40:81:12:aa:f9:40:6d:53:
b3:d6:c1:24:b4:c9:07:a2:e9:5a:80:7a:51:30:71:
9c:e2:ee:fc:ce:d7:b1:2c:e2:91:40:94:9d:43:50:
08:33:67:cb:58:66:0d:c7:13:cc:45:20:e7:ef:70:
c4:8a:26:64:b5:af:4e:f8:c4:70:d8:7e:17:21:40:
4f:12:5b:35:71:b0:51:87:6f:12:4e:06:99:12:ac:
0e:4e:8e:7d:9c:6e:41:6f:d8:ca:93:77:9a:ee:60:
7e:9d:86:c1:6d:df:7c:a6:3a:71:cd:73:d8:8e:d1:
d8:61:f9:48:e5:02:44:10:31:94:58:1a:d2:75:a7:
14:83:b5:ad:b9:2e:ae:7a:65:af:8d:5d:31:65:fd:
c5:1f:e1:4f:f2:fb:80:df:08:25:64:5b:a6:c2:9d:
aa:10:8b:25:2e:fc:75:65:82:ea:4f:5c:18:68:21:
2b:0e:00:b8:57:e9:fb:14:67:18:14:ae:e0:c5:e6:
d9:5d:a1:df:6e:9d:27:0b:72:bd:33:e2:e8:a6:b3:
e8:a1:94:cc:ec:78:15:1b:37:b2:23:57:7c:d6:65:
c8:71
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
56:f6:ca:05:be:4a:ab:8d:94:8b:4e:7a:51:e2:8c:ed:d3:0e:
16:ac:68:61:eb:5b:d0:c3:e5:96:f2:50:12:f3:a8:10:14:c8:
9f:63:cc:f3:d3:b9:c2:71:8b:ac:7a:9c:9e:61:8d:09:26:4c:
6f:0d:30:2d:87:e2:e8:aa:77:f0:33:25:51:cb:67:d9:99:a5:
3c:cf:3a:3d:27:63:cd:3e:42:50:da:d6:68:a0:0a:c4:78:ad:
aa:a5:b1:93:8f:01:d0:70:72:5e:c0:19:5a:43:94:ba:65:35:
aa:0d:8b:da:b5:16:50:f5:bc:8f:cf:80:c9:f9:53:67:eb:68:
a2:0b:60:11:a0:c0:04:ef:47:5c:8b:e6:28:09:37:b9:43:bb:
0f:8f:1d:28:2a:d7:aa:46:6e:7d:32:64:44:70:74:c0:84:bd:
3e:82:87:85:68:51:c1:ba:44:d1:b3:29:bd:78:d8:80:63:59:
40:a5:dd:97:a1:a5:35:7c:5d:cb:11:1d:39:63:08:15:f5:00:
7c:6f:85:a8:df:9b:26:aa:66:a4:8a:81:f9:7a:ea:65:f5:03:
89:0b:ef:49:67:60:79:c5:82:39:eb:b3:88:9e:7b:b9:f9:6e:
c1:2c:30:19:23:d5:c8:3a:4e:c6:2a:33:c0:5a:5f:74:04:90:
91:07:b3:f2
You have two problems. First is the self-signed server certificate; and second is the DNS names in the CN. You have a third related problem that will go away once you fix the first two problems. For the first problem, self-signed certificate, see How do you sign Certificate Signing Request with your Certification Authority?. Browser have actively moved against self-signed certificates. For the second problem, DNS names in the CN, see How to create a self-signed certificate with openssl?. This is another browser requirement. DNS names must be put in the Subject Alternate Name (SAN), and not the Common Name (CN). But, in the browser, when I go to https://localhost:27017/somecollection, the GET fails. A related problem is the Subject's CN is CN=127.0.0.1. 127.0.0.1 is not localhost, so the browser thinks its a different origin. Even other user agents (non-browsers) will fail for this one. Non-browsers include cURL and GNU's Wget. This problem will go away once you place all the DNS names in the SAN. The DNS names include 127.0.0.1, localhost, john-dev-machine, and john-dev-machine.example.com. You can see if the server is actually serving over HTTPS with: echo -e "GET /somecollection HTTP/1.1\r\nHost:localhost\r\n\r\n" | \ openssl s_client -connect localhost:27017 -tls1 -servername localhost -ign_eof You should see raw HTML returned. You can then press CTRL+C to exit. OpenSSL does not perform the host name checks (the programmer must do it manually) or enforce DNS name policy (in the CN or SAN). So it will work if the server is serving pages on that port over HTTPS.
Postfix SMTP relay: client does not offer TLS client certificate to the server?
I have two machines, one running Ubuntu and one runing Debian, both running Postfix. The intent is that machine#2 becomes a SMTP relay/smarthost for machine#1. I have created a CA and issued certificates for both of the machines: a server certificate for #2 and a client certificate for #1.
When sending e-mail from #1 (by having the MUA talk to Postfix on localhost:25 with the intent that it relays e-mail to #2), the basic things work fine: the machines can talk to each other and an attempt to relay is actually made. The idea is to allow relaying on #2 if a valid client-side SSL/TLS certificate is presented from #1.
The relevant configuration for #2 is:
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_tls_all_clientcerts
The configuration on #1 is:
smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
smtp_tls_cert_file = /etc/ssl/private/cert1.pem
smtp_tls_key_file = /etc/ssl/private/key1-d.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = verify
smtp_tls_loglevel = 2
Machine#1 connects to #2, enables STARTTLS, the log files show that it successfuly verifies the certificate from #2, and attempts to relay the message. However, it appears not to send the client certificate to #2, and #2 refuses to relay the message.
Log entries from #1:
Apr 17 01:18:14 mail1 postfix/smtp[30250]: Verified TLS connection established to mail2[x.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:14 mail1 postfix/smtp[30244]: 8A2328BDB4: to=<addr#gmail.com>, relay=mail2[x.x.x.x]:25, delay=3488, delays=3486/0.41/0.85/0.19, dsn=4.7.1, status=deferred (host mail2[x.x.x.x] said: 454 4.7.1 <addr#gmail.com>: Relay access denied (in reply to RCPT TO command))
Log entries from #2:
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: Anonymous TLS connection established from unknown[y.y.y.y]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: NOQUEUE: reject: RCPT from unknown[y.y.y.y]: 454 4.7.1 <addr#gmail.com>: Relay access denied; from=<addr#mail1> to=<addr#gmail.com> proto=ESMTP helo=<mail1>
Any ideas? I'm basing my assumption that #1 didn't send its client cert on the "Anonymous TLS connection established" part in the logs from mail2.
A TLS server must request a certificate from the client, the client will not send it by its own. Try to add smtpd_tls_ask_ccert=yes on the server side
add your server adress ( server1.domaine.com ) in the postfix conf file main.cf mynetworks = 127.0.0.1/8
AWS SES certificate verify failed
I have set up SES successfully on one AWS instance. Now I am trying to use it on a second (not cloned) instance and when I run any of the SES scripts, I get an error: ses-get-stats.pl -k aws-credentials -q I get: Can't connect to email.us-east-1.amazonaws.com:443 (certificate verify failed) LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/local/share/perl/5.8.8/LWP/Protocol/http.pm line 51. Getting the Perl stuff working was a challenge and it is possible I did it differently on the instance. Any place I should be looking to fix this? When I run: openssl s_client -CAfile .../cacert.pem -connect email.us-east-1.amazonaws.com:443 < /dev/null I get: CONNECTED(00000003) depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=email.us-east-1.amazonaws.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network --- Server certificate -----BEGIN CERTIFICATE----- MIIFRDCCBCygAwIBAgIQGcGV1HNHcHHJGun1oi7qbTANBgkqhkiG9w0BAQUFADCB tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAxMDA4 MDAwMDAwWhcNMTMxMDA3MjM1OTU5WjB2MQswCQYDVQQGEwJVUzETMBEGA1UECBMK V2FzaGluZ3RvbjEQMA4GA1UEBxQHU2VhdHRsZTEYMBYGA1UEChQPQW1hem9uLmNv bSBJbmMuMSYwJAYDVQQDFB1lbWFpbC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuDbIrCnMbnltwoXJfQrV6UgtYTza VdjQw+ylHg9pmNRUAeI8kIEkJYK6wIUy8MdJL/NAJdw5H9WFouNyDKi6T2FFGOns JU0Qf3Cbsf3XymLxPsMPZ0xgqFYS5QfpuXSwjegkaerABHCOdp0bGnYbpXGFfRzv VYO3ej48ku4XAH0CAwEAAaOCAhAwggIMMD0GA1UdEQQ2MDSCHWVtYWlsLnVzLWVh c3QtMS5hbWF6b25hd3MuY29tghNlbWFpbC5hbWF6b25hd3MuY29tMAkGA1UdEwQC MAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1 cmUtRzItY3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1cmVHMi5jcmwwRAYDVR0gBD0w OzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJp c2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNV HSMEGDAWgBSl7wsRzsBBA6NKZZBIshzgVy19RzB2BggrBgEFBQcBAQRqMGgwJAYI KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTBABggrBgEFBQcwAoY0 aHR0cDovL1NWUlNlY3VyZS1HMi1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZUcy LmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYwITAfMAcG BSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9nby52ZXJp c2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQADggEBAF/FIwfH4c0X iIPmF6yKfyiAWp+YuxSteMQzlPluZdxRVdXmukJMABKMbKLyroTV8g9G28aMFIIR YLdCZUHci0mlbeTXmfjpMVIvhWlxYFsE+ZHpC3i77fQMtalv8bmlThjMy9aVMB8x fUzMSvxRJbSdHIATqHx7CI8ogT5xEYrflbPk0J4ba380Vw3VArmNUKv9pYtgStv8 YikXMK5ufw0sSBFSo2GAumkvH/DJi8d3AnronpD5WWLs24N6uZCvWqWtKK/FiUhV JUMXrDohrbX+88P5fbVymeOShUiE1bU6sGPbhiHzXH7VvSYHmeaTGUNtjG1aV/py wHMrnJ7V7Xs= -----END CERTIFICATE----- subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=email.us-east-1.amazonaws.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 --- No client certificate CA names sent --- SSL handshake has read 3075 bytes and written 300 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: EA1C64EA86BFBE11BE8395F15DBF6B21228719EB215857257CD71AB2EFC3AE9E Session-ID-ctx: Master-Key: 9BFE26D5AFD9C1D222DF73A607CD491F617CD87BC7DCD15904954F198692E22ACACBFAA03A6F10B9F87073DA162B4EB3 Key-Arg : None Start Time: 1302693748 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- DONE This is the same response as on the instance where ses-get-stats.pl works. After creating a certificate file as suggested by daxim, running: openssl s_client -CAfile test.cer -connect email.us-east-1.amazonaws.com:443 < /dev/null Returns: CONNECTED(00000003) depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 verify return:1 depth=0 /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=email.us-east-1.amazonaws.com verify return:1 --- Certificate chain 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=email.us-east-1.amazonaws.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network followed by additional information including the certificate.
For some reason, your OpenSSL does not get the intermediate certificate. (Outdated software?) Install the intermediate certificate with the subject hash 0xeb99629b, available at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1513. You can use it with the -CAfile parameter in OpenSSL tools and with the environment variable HTTPS_CA_FILE for the Perl HTTPS stack. To use it system-wide, place it in the appropriate ca-certificates directory, e.g. /etc/ssl/certs, and c_rehash the directory.
Take a look at https://bugzilla.redhat.com/show_bug.cgi?id=705044 This might have something to do with it.
Disable verification of SSL peers and retry. export PERL_LWP_SSL_VERIFY_HOSTNAME=0
try to remove (or rename) this directory: /usr/local/share/perl