We are trying to put in place a high availability instance of openLDAP using a 3-node n-way multi master setup. I can telnet to our instance and each individual node through ports 389 and 636. I can use the showcerts command on port 636 and see the certs, but when I try to do this on port 389 to use TLS I get the following error.
root@tntest-batch:~# openssl s_client -msg -showcerts -connect tntest-ldap.oreillyauto.com:389
CONNECTED(00000003)
>>> TLS 1.1 [length 00dd]
    01 00 00 d9 03 02 52 40 41 bf 23 2b ad 2b 86 42
    69 20 4d 27 0c f0 77 98 33 d5 f5 62 c9 fd d3 e9
    6d c5 23 b4 62 73 00 00 66 c0 14 c0 0a c0 22 c0
    21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
    84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0
    03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00
    9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00
    41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00
    12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02
    01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34
    00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09
    00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15
    00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f
    00 10 00 11 00 23 00 00 00 0f 00 01 01
140330975884960:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

We have a server that runs rebuilds, and when it fails due to the TLS handshake failure this is what is in the logs for it.
[java] Exception in thread "main" org.springframework.dao.DataAccessResourceFailureException: Failed to borrow DirContext from pool.; nested exception is org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[java]     at org.springframework.ldap.pool.factory.PoolingContextSource.getContext (PoolingContextSource.java:425)
[java]     at org.springframework.ldap.pool.factory.PoolingContextSource.getReadOnlyContext (PoolingContextSource.java:401)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:287)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:259)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:606)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:524)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:473)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:493)
[java]     at org.springframework.ldap.core.LdapTemplate.search (LdapTemplate.java:513)
[java]     at com.oreillyauto.security.dataaccessor.AdminDao.getNewTerritories (AdminDao.java:515)
[java]     at com.oreillyauto.security.util.TeamNetAuthenticationNightlyJob.updateLocations (TeamNetAuthenticationNightlyJob.java:341)
[java]     at com.oreillyauto.security.util.TeamNetAuthenticationNightlyJob.nightlyJobNewHireMaintenanceRunDateRange (TeamNetAuthenticationNightlyJob.java:191)
[java]     at com.oreillyauto.security.util.TeamNetAuthenticationNightlyJob.main (TeamNetAuthenticationNightlyJob.java:146)
[java] Caused by: org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[java]     at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation (AbstractTlsDirContextAuthenticationStrategy.java:126)
[java]     at org.springframework.ldap.core.support.AbstractContextSource.getContext (AbstractContextSource.java:109)
[java]     at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext (AbstractContextSource.java:125)
[java]     at org.springframework.ldap.pool.factory.DirContextPoolableObjectFactory.makeObject (DirContextPoolableObjectFactory.java:138)
[java]     at org.apache.commons.pool.impl.GenericKeyedObjectPool.borrowObject (GenericKeyedObjectPool.java:1179)
[java]     at org.springframework.ldap.pool.factory.PoolingContextSource.getContext (PoolingContextSource.java:422)
[java]     ... 12 more
[java] Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[java]     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
[java]     at sun.security.ssl.SSLSocketImpl.fatal (SSLSocketImpl.java:1697)
[java]     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
[java]     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
[java]     at sun.security.ssl.ClientHandshaker.serverCertificate (ClientHandshaker.java:1165)
[java]     at sun.security.ssl.ClientHandshaker.processMessage (ClientHandshaker.java:154)
[java]     at sun.security.ssl.Handshaker.processLoop (Handshaker.java:609)
[java]     at sun.security.ssl.Handshaker.process_record (Handshaker.java:545)
[java]     at sun.security.ssl.SSLSocketImpl.readRecord (SSLSocketImpl.java:945)
[java]     at sun.security.ssl.SSLSocketImpl.performInitialHandshake (SSLSocketImpl.java:1190)
[java]     at sun.security.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:1217)
[java]     at sun.security.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:1201)
[java]     at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake (StartTlsResponseImpl.java:362)
[java]     at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate (StartTlsResponseImpl.java:226)
[java]     at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate (StartTlsResponseImpl.java:179)
[java]     at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation (AbstractTlsDirContextAuthenticationStrategy.java:109)
[java]     ... 17 more
[java] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[java]     at sun.security.validator.PKIXValidator.doBuild (PKIXValidator.java:324)
[java]     at sun.security.validator.PKIXValidator.engineValidate (PKIXValidator.java:224)
[java]     at sun.security.validator.Validator.validate (Validator.java:235)
[java]     at sun.security.ssl.X509TrustManagerImpl.validate (X509TrustManagerImpl.java:147)
[java]     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted (X509TrustManagerImpl.java:230)
[java]     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted (X509TrustManagerImpl.java:270)
[java]     at sun.security.ssl.ClientHandshaker.serverCertificate (ClientHandshaker.java:1144)
[java]     ... 28 more
[java] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[java]     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild (SunCertPathBuilder.java:197)
[java]     at java.security.cert.CertPathBuilder.build (CertPathBuilder.java:255)
[java]     at sun.security.validator.PKIXValidator.doBuild (PKIXValidator.java:319)

I have hit a dead end researching on the internet and I appreciate any help that could be provided.
I'm sure this is something simple to solve, but I am not seeing it and may be at a point that I just keep looking past it after seeing it too many times.

Thank you,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
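An added diagnostic, not part of Eric's post or of OpenLDAP: `openssl s_client` as run above writes a TLS ClientHello straight onto port 389, where slapd expects a cleartext LDAP message, so that handshake cannot succeed; StartTLS on 389 requires the LDAP StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) to be sent first (newer OpenSSL releases accept `-starttls ldap` for this). The script below does that exchange by hand and then verifies the server chain against a CA file, so a missing issuer, which the JVM reports as "PKIX path building failed", surfaces here as an ssl.SSLCertVerificationError; host, port and CA path passed to starttls_probe are placeholders, and the server is assumed to answer the extended request in a single read.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext = b"\x77" + ber_len(len(name)) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                   # SEQUENCE

def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV (definite lengths only); return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F            # number of long-form length octets
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def parse_extended_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    _, msg, _ = read_tlv(buf, 0)                       # outer SEQUENCE (LDAPMessage)
    _, mid, pos = read_tlv(msg, 0)                     # INTEGER messageID
    tag, ext, _ = read_tlv(msg, pos)
    if tag != 0x78:                                    # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(ext, 0)                    # ENUMERATED resultCode
    _, _matched, pos = read_tlv(ext, pos)              # matchedDN (unused here)
    _, diag, _ = read_tlv(ext, pos)                    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_probe(host: str, port: int = 389, cafile=None):
    """Negotiate StartTLS on the plain LDAP port; return (TLS version, subject, issuer)."""
    ctx = ssl.create_default_context(cafile=cafile)    # verifies the chain, as the JVM's PKIX validator does
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())         # cleartext LDAP request first, no TLS yet
        _, code, diag = parse_extended_response(sock.recv(4096))  # assumes one read returns the whole response
        if code != 0:
            raise RuntimeError(f"server refused StartTLS: resultCode={code} {diag!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # only now does the ClientHello go out
            cert = tls.getpeercert()
            return tls.version(), cert.get("subject"), cert.get("issuer")
```

Run it as `starttls_probe("ldap.example.invalid", cafile="/path/to/ca-chain.pem")` with the real directory host and the CA file that issued its certificate; a resultCode other than 0 means the server never offered TLS on that port, while a verification error after a successful StartTLS response points at the trust store rather than at slapd.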