...I have never had such a hard time implementing secure communication.
I believe this is a valid Let's Encrypt CA certificate chain.
Contents of /etc/ssl/le/ca-chain.pem
-----BEGIN CERTIFICATE-----
[first certificate body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
I can run other LDAP commands successfully, so the server is up and responding.
The CA chain file is owned by openldap:openldap with r-xr--r-- permissions. The directory has similar ownership and permissions, but is accessible to everyone, i.e. r-xr-xr-x.
Contents of /root/tmp/secureldap.conf:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/le/ca-chain.pem
The command I am trying to run:
ldapmodify -H ldapi:/// -Y EXTERNAL -f /root/tmp/secureldap.conf -d "-1"
Argh, it fails.
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=auth.example.net
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x5621fef74de0 ptr=0x5621fef74de0 end=0x5621fef74dfa len=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ber_scanf fmt ({i) ber:
ber_dump: buf=0x5621fef74de0 ptr=0x5621fef74de5 end=0x5621fef74dfa len=21
0000: 60 13 02 01 03 04 00 a3 0c 04 08 45 58 54 45 52 `..........EXTER
0010: 4e 41 4c 04 00 NAL..
ber_flush2: 26 bytes to sd 4
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_write: want=26, written=26
0000: 30 18 02 01 01 60 13 02 01 03 04 00 a3 0c 04 08 0....`..........
0010: 45 58 54 45 52 4e 41 4c 04 00 EXTERNAL..
ldap_msgfree
ldap_result ld 0x5621fef72c50 msgid 1
wait4msg ld 0x5621fef72c50 msgid 1 (infinite timeout)
wait4msg continue ld 0x5621fef72c50 msgid 1 all 1
** ld 0x5621fef72c50 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Thu Apr 29 17:51:59 2021
** ld 0x5621fef72c50 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x5621fef72c50 request count 1 (abandoned 0)
** ld 0x5621fef72c50 Response Queue:
Empty
ld 0x5621fef72c50 response count 0
ldap_chkResponseList ld 0x5621fef72c50 msgid 1 all 1
ldap_chkResponseList returns ld 0x5621fef72c50 NULL
ldap_int_select
read1msg: ld 0x5621fef72c50 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c100 end=0x5621fef5c10c len=12
0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........
read1msg: ld 0x5621fef72c50 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
read1msg: ld 0x5621fef72c50 0 new referrals
read1msg: mark request completed, ld 0x5621fef72c50 msgid 1
request done: ld 0x5621fef72c50 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: EXTERNAL
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c103 end=0x5621fef5c10c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ber_scanf fmt (}) ber:
ber_dump: buf=0x5621fef5c100 ptr=0x5621fef5c10c end=0x5621fef5c10c len=0
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_msgfree
modifying entry "cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x5621fef77220 ptr=0x5621fef77220 end=0x5621fef7727d len=93
0000: 30 5b 02 01 02 66 56 04 09 63 6e 3d 63 6f 6e 66 0[...fV..cn=conf
0010: 69 67 30 49 30 47 0a 01 00 30 42 04 17 6f 6c 63 ig0I0G...0B..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 27 04 25 2f 65 74 63 2f 73 73 6c File1'.%/etc/ssl
0040: 2f 32 30 32 31 2d 77 69 6c 64 63 61 72 64 2d 63 /etc/ssl/le/ca-c
0050: 65 72 74 2f 63 68 61 69 6e 2e 70 65 6d hain.pem
ber_scanf fmt ({) ber:
ber_dump: buf=0x5621fef77220 ptr=0x5621fef77225 end=0x5621fef7727d len=88
0000: 66 56 04 09 63 6e 3d 63 6f 6e 66 69 67 30 49 30 fV..cn=config0I0
0010: 47 0a 01 00 30 42 04 17 6f 6c 63 54 4c 53 43 41 G...0B..olcTLSCA
0020: 43 65 72 74 69 66 69 63 61 74 65 46 69 6c 65 31 CertificateFile1
0030: 27 04 25 2f 65 74 63 2f 73 73 6c 2f 32 30 32 31 '.%/etc/ssl/le/c
0040: 2d 77 69 6c 64 63 61 72 64 2d 63 65 72 74 2f 63 a-chain.pem
0050: 68 61 69 6e 2e 70 65 6d
ber_flush2: 93 bytes to sd 4
0000: 30 5b 02 01 02 66 56 04 09 63 6e 3d 63 6f 6e 66 0[...fV..cn=conf
0010: 69 67 30 49 30 47 0a 01 00 30 42 04 17 6f 6c 63 ig0I0G...0B..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 27 04 25 2f 65 74 63 2f 73 73 6c File1'.%/etc/ssl
0040: 2f 32 30 32 31 2d 77 69 6c 64 63 61 72 64 2d 63 /le/ca-chain.pem
0050: 65 72 74 2f 63 68 61 69 6e 2e 70 65 6d
ldap_write: want=93, written=93
0000: 30 5b 02 01 02 66 56 04 09 63 6e 3d 63 6f 6e 66 0[...fV..cn=conf
0010: 69 67 30 49 30 47 0a 01 00 30 42 04 17 6f 6c 63 ig0I0G...0B..olc
0020: 54 4c 53 43 41 43 65 72 74 69 66 69 63 61 74 65 TLSCACertificate
0030: 46 69 6c 65 31 27 04 25 2f 65 74 63 2f 73 73 6c File1'.%/etc/ssl
0040: 2f 32 30 32 31 2d 77 69 6c 64 63 61 72 64 2d 63 /le/ca-chain.pem
0050: 65 72 74 2f 63 68 61 69 6e 2e 70 65 6d
ldap_result ld 0x5621fef72c50 msgid 2
wait4msg ld 0x5621fef72c50 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x5621fef72c50 msgid 2 all 1
** ld 0x5621fef72c50 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Thu Apr 29 17:51:59 2021
** ld 0x5621fef72c50 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x5621fef72c50 request count 1 (abandoned 0)
** ld 0x5621fef72c50 Response Queue:
Empty
ld 0x5621fef72c50 response count 0
ldap_chkResponseList ld 0x5621fef72c50 msgid 2 all 1
ldap_chkResponseList returns ld 0x5621fef72c50 NULL
ldap_int_select
read1msg: ld 0x5621fef72c50 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 02 67 07 0a 0....g..
ldap_read: want=6, got=6
0000: 01 50 04 00 04 00 .P....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b440 end=0x5621fef5b44c len=12
0000: 02 01 02 67 07 0a 01 50 04 00 04 00 ...g...P....
read1msg: ld 0x5621fef72c50 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b443 end=0x5621fef5b44c len=9
0000: 67 07 0a 01 50 04 00 04 00 g...P....
read1msg: ld 0x5621fef72c50 0 new referrals
read1msg: mark request completed, ld 0x5621fef72c50 msgid 2
request done: ld 0x5621fef72c50 msgid 2
res_errno: 80, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b443 end=0x5621fef5b44c len=9
0000: 67 07 0a 01 50 04 00 04 00 g...P....
ber_scanf fmt (}) ber:
ber_dump: buf=0x5621fef5b440 ptr=0x5621fef5b44c end=0x5621fef5b44c len=0
ldap_msgfree
ldap_err2string
ldap_modify: Other (e.g., implementation specific) error (80)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
0000: 30 05 02 01 03 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 03 42 00 0....B.
ldap_free_connection: actually freed
I am trying to keep this small: adding only the TLS CA chain should be a very specific, atomic operation that needs to be added and done correctly.
nmap says slapd/LDAP is listening on port 636.
root@auth:/etc/ssl/le/# grep -rn "ldaps" /etc
/etc/services:186:ldaps 636/tcp # LDAP over SSL
/etc/services:187:ldaps 636/udp
/etc/default/slapd:20:# service requests on TCP-port 636 (ldaps) and requests via unix
/etc/default/slapd:24:SLAPD_SERVICES="ldaps:/// ldapi:/// ldap:///"
root@auth:/etc/ssl/le/# nmap auth.example.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-29 18:26 UTC
Nmap scan report for auth.example.net (10.0.1.100)
Host is up (0.000029s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
389/tcp open ldap
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
I did try "replace" before trying "add" after the changetype line in /root/tmp/secureldap.conf.
I did the AppArmor thing.
root@auth:/etc/apparmor.d# grep -rn ldap /etc/apparmor.d
/etc/apparmor.d/abstractions/nameservice:75: # ldap
/etc/apparmor.d/abstractions/nameservice:76: #include <abstractions/ldapclient>
/etc/apparmor.d/abstractions/nis:13: # portmapper may ask root processes to do nis/ldap at low ports
/etc/apparmor.d/abstractions/ldapclient:11: # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/apparmor.d/abstractions/ldapclient:12: /etc/ldap.conf r,
/etc/apparmor.d/abstractions/ldapclient:13: /etc/ldap.secret r,
/etc/apparmor.d/abstractions/ldapclient:14: /etc/openldap/* r,
/etc/apparmor.d/abstractions/ldapclient:15: /etc/openldap/cacerts/* r,
root@auth:/etc/apparmor.d# tail /etc/apparmor.d/local/usr.sbin.slapd
/etc/ssl/le/ r,
/etc/ssl/le/* r
Getting stuck at this point is really disappointing. Worse, I don't know how to read the error messages. Apart from error 80, the rest is almost useless to me.
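As an added example (not code from the original post), here is a minimal BER decoder for the two server replies that appear in the trace above, so that "res_errno: 80" can be read straight off the raw bytes rather than taken on faith. The sample bytes are the ldap_read lines copied from the question; the decoder only understands the tags that bind and modify responses use, which is all the trace contains.

```python
# Added example, not code from the original post: a minimal BER decoder for
# the LDAPResult messages in the ldapmodify -d -1 trace above, so that lines
# like "res_errno: 80" can be read straight off the raw bytes. It handles
# only the tags that bind and modify responses use (RFC 4511).
from dataclasses import dataclass

# The two server replies from the question's trace (the ldap_read lines,
# want=8 and want=6, joined): a bindResponse and a modifyResponse.
BIND_RESPONSE = bytes.fromhex("300c020101" "61070a010004000400")
MODIFY_RESPONSE = bytes.fromhex("300c020102" "67070a015004000400")

# [APPLICATION n] constructed tags for the protocolOp choice.
APP_TAGS = {0x61: "bindResponse", 0x67: "modifyResponse"}
# Subset of RFC 4511 result codes; 80 is LDAP_OTHER, the "Other (e.g.,
# implementation specific) error" that ldapmodify printed.
RESULT_CODES = {0: "success", 80: "other"}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the BER element starting at pos.

    Supports single-octet tags and both short- and long-form lengths,
    which is all LDAP messages need.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


@dataclass
class LdapResult:
    message_id: int
    operation: str
    result_code: int
    matched_dn: str
    diagnostic: str


def decode_ldap_result(msg: bytes) -> LdapResult:
    """Decode LDAPMessage { messageID, protocolOp } where protocolOp is an LDAPResult."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (0x30)")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER (0x02)")
    message_id = int.from_bytes(mid, "big", signed=True)
    op_tag, op_body, _ = read_tlv(body, pos)
    if op_tag not in APP_TAGS:
        raise ValueError(f"unsupported protocolOp tag 0x{op_tag:02x}")
    # LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN LDAPDN,
    #                           diagnosticMessage LDAPString, referral OPTIONAL }
    tag, rc, pos = read_tlv(op_body, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be an ENUMERATED (0x0a)")
    _, dn, pos = read_tlv(op_body, pos)
    _, diag, _ = read_tlv(op_body, pos)
    return LdapResult(message_id, APP_TAGS[op_tag], int.from_bytes(rc, "big"),
                      dn.decode("utf-8"), diag.decode("utf-8"))


def explain(msg: bytes) -> str:
    """One-line reading of a server reply, in the terms the trace uses."""
    r = decode_ldap_result(msg)
    name = RESULT_CODES.get(r.result_code, "unknown")
    return (f"msgid {r.message_id} {r.operation}: resultCode {r.result_code} ({name}), "
            f"matchedDN {r.matched_dn!r}, diagnosticMessage {r.diagnostic!r}")


if __name__ == "__main__":
    print(explain(BIND_RESPONSE))     # resultCode 0: the EXTERNAL bind succeeded
    print(explain(MODIFY_RESPONSE))   # resultCode 80: the modify was refused, no message
```

Reading the second reply this way shows that msgid 2 (the modify) came back with resultCode 80 and an empty diagnosticMessage, which is why the trace prints "res_error: <>" and nothing more. The client cannot say more than the server told it, so the server's own log (slapd logging through syslog at the level set by olcLogLevel) is the place to look for the reason behind the 80.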
Answer 1
I wiped the machine and retried my steps with a new certificate specific to auth.example.com (instead of the wildcard *.example.com certificate), and it was accepted for all three required settings (chain, key and certificate). Before posting the above I wanted to share which step went wrong, but I don't have anything satisfying to give you.
The only difference I know of is using an FQDN certificate (auth.example.com) instead of a wildcard certificate (*.example.com).
That may not be the problem! It could be something else!