Solved

How can I get LDAPS to connect on anything other than the server the SSL certificates live on?

Posted on 2014-09-17
12
479 Views
Last Modified: 2014-11-12
I've started the long and painful process of turning up a public facing domain controller for DR and third party authentication use. We have an Amazon AWS EC2 instance running Server 2008 R2 with a VPN tunnel back to our primary datacenter. The AWS firewall is set to allow any and all inbound traffic from our primary datacenter IP, as well as a few ports on specific IP ranges for our vendors that need to pull down ADUC info.
I set up a domain with Network Solutions, and purchased a UCC SSL certificate from GoDaddy. The reason we need a UCC certificate is due to our corporate domain being a *.local domain. The primary for the SSL certificate is the network solutions domain, with our alternatives being the DN of the AWS DC and the DN of our .local domain.
After correctly formatting all the stuff with NS and GD (which took literally all day), I am now able to finally connect to LDAPS from the AWS server to the AWS server. This doesn't prove much since it's only talking to itself. I can't connect to LDAP on the AWS server from any of our data centers, but for some reason the third party vendors can. When any of the vendors or myself attempt to connect to LDAPS over port 636, it returns this message from ldp.exe:

ld = ldap_sslinit("dvdccloud", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dvdccloud.

I have searched around for days trying to find out what the issue might be. I suspect it's either something network related with improper routing, or there might actually be an issue with the fact the alternative record on file with GD is a *.local domain. I am aware that *.local domains will no longer be supported by SSL come November 1st, 2015, but getting this working would give me a year to plan out a total domain reconfiguration.

Can anyone lend a hand and help me figure out what's wrong here? Thanks.
Question by:carmodyk
12 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40329847
.local domains are still going to be fine for self-issued certs, but near impossible to find a CA to issue a commercial cert for.

However, I would treat the above as a straight networking issue, and check the usual.

1) does the bare hostname "dvdccloud" resolve on the client machine? does adding it to the local hosts file resolve this?
2) is port 636 on "dvdccloud" connectable from the host machine? does it present an SSL certificate if so (you can use the command line version of openssl and the "s_client" mode to do this)
 
LVL 6

Author Comment

by:carmodyk
ID: 40331034
The hostname "dvdccloud" does resolve on all machines in the datacenter. All ports are wide open for my WAN IP, so I imagine that 636 is accessible. How would I go about checking that? I'm not familiar with openssl or s_client.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40331145
openssl is available for most platforms - you would check the cert by running the command

openssl s_client -connect dvdccloud:636 -showcerts

which should attempt to connect and display the cert

you can also check this with a web browser, but most will refuse to attempt to connect on 636. you can however override this behavior with many - for example, if you want to test with Firefox, you can visit "about:config" and set network.security.ports.banned.override equal to 636 - then visiting https://dvdccloud:636/ with Firefox should attempt to load the certificate.

from the server side, you can also check the listener. if you run a cmd.exe as administrator, you can run the command "netstat -nab" and look for a line with LISTEN - if the listener is on (say) 127.0.0.1 rather than a real IP or the universal listener (0.0.0.0) that would also explain why you can't connect externally.
 
LVL 6

Author Comment

by:carmodyk
ID: 40331415
[attachment: open ssl cmd failure]
Am I doing something wrong?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40331686
did you download the software first, from the link above marked "available for most platforms"? It is native only on non-Windows platforms (all of them, actually, including Mac OS X) and bundled with Apache on Windows, but otherwise is uncommon.
 
LVL 6

Author Comment

by:carmodyk
ID: 40333182
Yep, I downloaded and installed the one listed as "most common for most people".

[attachment: the one I installed]
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40333208
Ah - needs to be in the same folder as the command prompt or on the search path then :)
 
LVL 6

Author Comment

by:carmodyk
ID: 40333323
It shows me 3 certs, one of which states: Verify return code: 20 (unable to get local issuer certificate)

We have a UCC SSL cert, so the first that "works" is our primary domain, and the second that "works" is our ALT domains. The way GoDaddy issues certificates is by including an additional cert that is a "chain" cert? Forgive me if that terminology is incorrect. That's the cert that it is unable to get a local issuer certificate for, I assume because it's GoDaddy's cert, not technically mine?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40334721
Probably. However, the fact you are able to obtain the certificate SHOULD mean that you are able to contact the LDAPS server. Odds are good that you are unable to obtain the intermediate certificate as openssl doesn't do the required fetches. While you can save the delivered cert using openssl, that isn't going to get you anything you don't already have.

I could suggest you try the browser method, or better yet, the Apache ldap/ldaps tool.
 
LVL 6

Author Comment

by:carmodyk
ID: 40336989
GoDaddy had me rekey the certificate this past weekend, and now I am able to bind to LDAP from my local datacenter. I'm not sure what the return it gives me implies about the SSL activity though; maybe you can clarify?

I see in the logs that it's still connecting over port 389 though. While it's good to get a solid bind, I need it over port 636. Also, it's odd that I can bind, but cannot "connect" with ldp.exe...

[attachment: ldap bind success?]
 
LVL 6

Accepted Solution

by:carmodyk (earned 0 total points)
ID: 40342120
Finally got this thing working! It must have been a certificate key issue, because once I rekeyed the cert with GoDaddy, everything started working.
 
LVL 6

Author Closing Comment

by:carmodyk
ID: 40349504
I figured it out with GoDaddy.