Mailserver down, help needed

planet_jeroen · 2018-02-27 12:59:34 UTC

Hey all,

I just updated the certificate of my SAMBA AD server, and as a result my SOGo and Alfresco LDAP authentication doesnt work any longer.

FTP works fine, also authenticated by SAMBA AD.
The logs gives me:

Feb 27 13:53:32 sogod [2739]: <0x0x558c84a1bbe0[LDAPSource]> <NSException: 0x558c84e8af60> NAME:LDAPException REASON:operation bind failed: Can’t contact LDAP server (0xFFFFFFFF) INFO:{“error_code” = “-1”;

Nothing changed in that regard … am I missing somehting here ?

My production system is down atm, any hints are very much appreciated!

Ctek · 2018-02-27 13:03:11 UTC

Hi Jeroen,
You mean that you updated the certificate in the container?
Can you check that when you updated the cert, the CN is corect ? and that the queries are done with that CN ?

If i’m not mistaking the CN contain the name of the host. and as such if that differs now there could be some issues.

planet_jeroen · 2018-02-27 13:09:19 UTC

I updated the certificate on the host, using the webinterfacem, and then copied the resulting localhost.cert and .key to the conatiner. Since that moment, my AD authentication doesnt work any longer

mrmarkuz · 2018-02-27 13:25:34 UTC

Is it a letsencrypt cert or did you upload another cert?

I had a problem with a bought cert recently because the chainfile was wrong. Chrome showed it as ok but https://www.sslshopper.com/ssl-checker.html showed me what was wrong…just an idea.

planet_jeroen · 2018-02-27 13:27:00 UTC

I can not even connect to the LDAP at the moment …

planet_jeroen · 2018-02-27 13:31:08 UTC

openssl s_client -showcerts -connect nsdc-gr105.domain.com:636

yields an error about an expired certificate … it shows the complete chain tho … could it be that this is a chain issue as @mrmarkuz suggests, and if so, any clue on how to proceed ?

Ctek · 2018-02-27 15:03:01 UTC

basically the certificate has to be checked against the issues.
Maybe there is no trust certificate to check against?
Or if the issuer is outside like Verisign etc, you need to have a way to contact them, check that the FW is not blocking something…
Just my opinion, I’ve never done a change of cert in NS

planet_jeroen · 2018-02-27 15:29:27 UTC

Kill me. localhost.key needs to be copied to key.pem and localhost.crt to cert.pem

Will update with more details. Long stories short, I forgot to document a step and retrieved that through my bash command history.

Update: in order to use the letsencrypt certificate from the NethServer host for the container as well, start by getting a letsencrypt certificate.

Next step is to simply copy the created certificate and key to the expected locations. Defaults are:

cp /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
shutdown -r now

The last step can probably be done more elegant, but I am of the ‘reboot to make sure’-school (aka, not entirely sure, lets use a big gun) No other configuration was needed to get this working. Just some documentation to not miss the copy step

planet_jeroen · 2018-02-27 18:32:13 UTC

previous post edited to have a proper solution to my self-created-and-not-well-documented-issue.