TLS SSL error

#1

Hello everyone!

After I tried to create a VM (KVM) alongside the one that is already running, finishing the configuration was answered with the following message:

[quote]The request could not be processed.
Error message from the server:
Error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': 'Connect error'}[/quote]

/var/log/univention/virtual-machine-manager-daemon.log :

2015-10-25 14:42:29,551 - uvmmd.node - ERROR - ('qemu://assvhl03.as10/system',): Exception in timer_callbck
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/uvmm/node.py", line 547, in run
    self.update_autoreconnect()
  File "/usr/lib/pymodules/python2.7/univention/uvmm/node.py", line 566, in update_autoreconnect
    self.update()
  File "/usr/lib/pymodules/python2.7/univention/uvmm/node.py", line 699, in update
    domStat = Domain(dom, node=self)
  File "/usr/lib/pymodules/python2.7/univention/uvmm/node.py", line 198, in __init__
    self.update_ldap()
  File "/usr/lib/pymodules/python2.7/univention/uvmm/node.py", line 305, in update_ldap
    self.pd.annotations = ldap_annotation(self.pd.uuid)
  File "/usr/lib/pymodules/python2.7/univention/uvmm/uvmm_ldap.py", line 165, in ldap_annotation
    lo, position = univention.admin.uldap.getMachineConnection(ldap_master=False)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 75, in getMachineConnection
    lo=univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 106, in getMachineConnection
    lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 177, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 215, in __open
    self.lo.start_tls_s()
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 884, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 571, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': 'Connect error'}

/var/lib/libvirt/images# ldapsearch -x -ZZ -s base -d 1 -h as10

ldap_create
ldap_url_parse_ext(ldap://as10)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP as10:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x16981c0 msgid 1
wait4msg ld 0x16981c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x16981c0 msgid 1 all 1
** ld 0x16981c0 Connections:
* host: as10  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sun Oct 25 14:01:57 2015

** ld 0x16981c0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x16981c0 request count 1 (abandoned 0)
** ld 0x16981c0 Response Queue:
   Empty
  ld 0x16981c0 response count 0
ldap_chkResponseList ld 0x16981c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x16981c0 NULL
ldap_int_select
read1msg: ld 0x16981c0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0x16981c0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x16981c0 0 new referrals
read1msg:  mark request completed, ld 0x16981c0 msgid 1
request done: ld 0x16981c0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:unknown state
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=DE/ST=DE/L=DE/O=as10 GmbH/OU=Univention Corporate Server/CN=assvhl03.as10/emailAddress=ssl@as10, issuer: /C=DE/ST=DE/L=DE/O=as10 GmbH/OU=Univention Corporate Server/CN=Univention Corporate Server Root CA (ID=4zS17UQd)/emailAddress=ssl@as10
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

How can I fix this?
The UCS currently still runs "stand alone", i.e. without clients or a connection to an AD.

I have also already regenerated the CA following the guide here in the forum.
That did not help, though.

Any suggestions?

Many thanks!
Cheers and regards,
Thomas


#2

Hello,

were all services restarted after the certificate chain was renewed?
[bug]38603[/bug].

Best regards,
Dirk Ahrnke


#3

No... not all of them, only LDAP and the network-related ones.
So I then restarted the server.
Now I can create VMs again and the error messages no longer appear.

Thanks!
[SOLVED]