Solved

How can I get LDAPS to connect on anything other than the server the SSL certificates live on?

Posted on 2014-09-17
Last Modified: 2014-11-12
I've started the long and painful process of turning up a public-facing domain controller for DR and third-party authentication use. We have an Amazon AWS EC2 instance running Server 2008 R2 with a VPN tunnel back to our primary datacenter. The AWS firewall is set to allow any and all inbound traffic from our primary datacenter IP, as well as a few ports on specific IP ranges for our vendors that need to pull down ADUC info.
I set up a domain with Network Solutions, and purchased a UCC SSL certificate from GoDaddy. The reason we need a UCC certificate is due to our corporate domain being a *.local domain. The primary for the SSL certificate is the network solutions domain, with our alternatives being the DN of the AWS DC and the DN of our .local domain.
After correctly formatting all the stuff with NS and GD (which took literally all day), I am now able to finally connect to LDAPS from the AWS server to the AWS server. This doesn't prove much since it's only talking to itself. I can't connect to LDAP on the AWS server from any of our datacenters, but for some reason the third-party vendors can. When any of the vendors or I attempt to connect to LDAPS over port 636, it returns this message from ldp.exe:

ld = ldap_sslinit("dvdccloud", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dvdccloud.

I have searched around for days trying to find out what the issue might be. I suspect it's either something network-related with improper routing, or there might actually be an issue with the fact that the alternative record on file with GD is a *.local domain. I am aware that *.local domains will no longer be supported by SSL come November 1st, 2015, but getting this working would give me a year to plan out a total domain reconfiguration.

Can anyone lend a hand and help me figure out what's wrong here? Thanks.
Question by: carmodyk
LVL 33

Expert Comment

by:Dave Howe
ID: 40329847
local domains are still going to be fine for self-issued certs, but near impossible to find a CA to issue a commercial cert for.

however, I would treat the above as a straight networking issue, and check the usual.

1) does bare hostname "dvdccloud" resolve on the client machine? does adding it to the local hosts file resolve this?
2) is port 636 on "dvdccloud" connectable from the host machine? does it present an ssl certificate if so (you can use the command line version of openssl and the "s_client" mode to do this)
LVL 6

Author Comment

by:carmodyk
ID: 40331034
The hostname "dvdccloud" does resolve on all machines in the datacenter. All ports are wide open for my WAN IP, so I imagine that 636 is accessible. How would I go about checking that? I'm not familiar with openssl or s_client.
LVL 33

Expert Comment

by:Dave Howe
ID: 40331145
openssl is available for most platforms - you would check the cert by running the cmd

openssl s_client -connect dvdccloud:636 -showcerts

which should attempt to connect and display the cert

you can also check this with a web browser, but most will refuse to attempt to connect on 636. you can however override this behavior with many - for example, if you want to test with firefox, you can visit "about:config" and set network.security.ports.banned.override equal to 636 - then visiting https://dvdccloud:636/ with firefox should attempt to load the certificate.

from the server side, you can also check the listener. if you run a cmd.exe as administrator, you can run the command "netstat -nab" and look for a line with LISTEN - if the listener is on (say) 127.0.0.1 rather than a real IP or the universal listener (0.0.0.0) that would also explain why you can't connect externally.
LVL 6

Author Comment

by:carmodyk
ID: 40331415
[attached screenshot: open ssl cmd failure]

Am I doing something wrong?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40331686
did you download the software first, from the link above marked "available for most platforms"? It is native only on non-windows platforms (all of them, actually, including mac osx) and bundled with apache on windows, but otherwise is uncommon.
LVL 6

Author Comment

by:carmodyk
ID: 40333182
Yep, I downloaded and installed the one listed as "most common for most people".

[attached screenshot: the one I installed]
LVL 33

Expert Comment

by:Dave Howe
ID: 40333208
Ah - needs to be in the same folder as the command prompt or on the search path then :)
LVL 6

Author Comment

by:carmodyk
ID: 40333323
It shows me 3 certs, one of which states: Verify return code: 20 (unable to get local issuer certificate)

We have a UCC SSL cert, so the first one that "works" is our primary domain, and the second one that "works" is our ALT domains. The way GoDaddy issues certificates is by including an additional cert that is a "chain" cert? Forgive me if that terminology is incorrect. That's the cert that it is unable to get a local issuer certificate for, I assume because it's GoDaddy's cert, not technically mine?
LVL 33

Expert Comment

by:Dave Howe
ID: 40334721
probably. however, the fact you are able to obtain the certificate SHOULD mean that you are able to contact the ldaps server. odds are good that you are unable to obtain the intermediate certificate as openssl doesn't do the required fetches. While you can save the delivered cert using openssl, that isn't going to get you anything you don't already have.

I could suggest you try the browser method, or better yet, the Apache ldap/ldaps tool.
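Following the checklist Dave gave earlier (does the name resolve, is 636 connectable, is a certificate presented) and the "Verify return code: 20" discussion just above, here is an added probe script that is not part of the original thread or of any tool mentioned in it. It runs the same stages in order from a client machine and, unlike a single `openssl s_client` run, separates "port unreachable" from "port answers but not with TLS" from "chain does not verify" from "name not in the SAN". It uses only the Python standard library and the operating system's trust store. The host name `dvdccloud` comes from the thread; the `example.com` and `corp.local` names in the comments are constructed placeholders, and the hint texts for the verify codes are my own summaries of the OpenSSL error names.

```python
"""Stage-by-stage LDAPS probe: DNS, TCP/636, TLS offered, chain verifies, name matches."""
import hashlib
import socket
import ssl

# Subset of OpenSSL X509_V_ERR codes as they appear in "Verify return code: N".
VERIFY_CODES = {
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate (intermediate missing from the "
        "server's presented chain, or its issuer is not in the client trust store)",
    21: "unable to verify the first certificate",
    62: "hostname mismatch (requested name is not in the SAN)",
}


def describe_verify_code(code):
    return VERIFY_CODES.get(code, "OpenSSL verify error %d" % code)


def hostname_matches_san(hostname, dns_names):
    """RFC 6125-style match: exact label-by-label, or a wildcard that covers
    exactly one left-most label. Case-insensitive. A bare short name such as
    'dvdccloud' will NOT match a SAN that only lists FQDNs, which is one reason
    a client can reach the port and still fail name verification."""
    host = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) > 1 and labels[1:] == host[1:]:
            return True
        if labels == host:
            return True
    return False


def san_dns_names(cert_dict):
    """dNSName entries from the dict form returned by SSLSocket.getpeercert()."""
    return [v for k, v in cert_dict.get("subjectAltName", ()) if k == "DNS"]


def probe_ldaps(host, port=636, timeout=5.0):
    """Run the checks in order; each failing stage records why and stops."""
    result = {"host": host, "port": port}
    try:  # Stage 1: does the name resolve on THIS client?
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["addresses"] = sorted({ai[4][0] for ai in infos})
    except socket.gaierror as e:
        result["dns_error"] = str(e)
        return result

    # Stage 2/3: TCP connect, then a TLS handshake with verification OFF so we
    # learn whether 636 speaks TLS at all and which leaf it presents.
    noverify = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    noverify.check_hostname = False
    noverify.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                noverify.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            der = tls.getpeercert(binary_form=True)
            result["leaf_sha256"] = hashlib.sha256(der).hexdigest()
    except ssl.SSLError as e:  # port answered, but not with a TLS server hello
        result["tls_error"] = str(e)
        return result
    except OSError as e:  # timeout/refused: firewall, routing or no listener
        result["tcp_error"] = str(e)
        return result

    # Stage 4: chain verification against the OS trust store, with the name
    # check deliberately disabled so chain and name problems are reported apart.
    strict = ssl.create_default_context()
    strict.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                strict.wrap_socket(raw, server_hostname=host) as tls:
            names = san_dns_names(tls.getpeercert())
            result.update(chain_ok=True, san=names,
                          name_match=hostname_matches_san(host, names))
    except ssl.SSLCertVerificationError as e:
        result.update(chain_ok=False, verify_code=e.verify_code,
                      verify_message=e.verify_message,
                      hint=describe_verify_code(e.verify_code))
    except OSError as e:
        result.update(chain_ok=False, tls_error=str(e))
    return result


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dvdccloud"
    print(json.dumps(probe_ldaps(target), indent=2))
```

Run it as `python probe.py dvdccloud` and then again with the FQDN that is actually in the certificate's SAN; if the short name reaches stage 4 with `chain_ok: true` but `name_match: false`, the fix is in how clients address the server (or in the SAN list), not in the network. A `verify_code` of 20 with `chain_ok: false` while the vendors can connect points at the served chain or at the trust store of the failing client rather than at reachability.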
LVL 6

Author Comment

by:carmodyk
ID: 40336989
GoDaddy had me rekey the certificate this past weekend, and now I am able to bind to LDAP from my local datacenter. I'm not sure what the return it gives me implies about the SSL activity though; maybe you can clarify?

I see in the logs that it's still connecting over port 389 though. While it's good to get a solid bind, I need it over port 636. Also, it's odd that I can bind, but cannot "connect" with ldp.exe...

[attached screenshot: ldap bind success?]
LVL 6

Accepted Solution

by: carmodyk (earned 0 total points)
ID: 40342120
Finally got this thing working! It must have been a certificate key issue, because once I rekeyed the cert with GoDaddy, everything started working.
LVL 6

Author Closing Comment

by:carmodyk
ID: 40349504
I figured it out with GoDaddy.