Author Topic: [SOLVED] Zentyal 5 - CA - LDAPS SSL Certificate  (Read 4064 times)

RAB

  • Zen Apprentice
  • *
  • Posts: 42
  • Karma: +2/-0
    • View Profile
[SOLVED] Zentyal 5 - CA - LDAPS SSL Certificate
« on: March 12, 2018, 12:08:21 pm »
Hi,

LDAPS is working but the certificate used does not seem to be issued by the CA (which is working fine for other services/servers) ... With LDAPS I am getting messages that the certificate is not valid.

Two questions:

1. Can I replace the certificate myself, and how can I make it persistent?
2. Is it possible to have LDAPS listed as a service in the Certification Authority under Services Certificates?

Thanks!
RAB

« Last Edit: March 14, 2018, 01:05:10 pm by RAB »

RAB

  • Zen Apprentice
  • *
  • Posts: 42
  • Karma: +2/-0
    • View Profile
Re: Zentyal 5 - CA - LDAPS SSL Certificate
« Reply #1 on: March 12, 2018, 04:37:10 pm »
This post:
https://forum.zentyal.org/index.php/topic,32039.0.html

suggests that the certificates are located here on the Zentyal server:
/var/lib/samba/private/tls


Is this correct?
Can I just replace these by a certificate generated by the Zentyal CA or will this generate issues with the existing AD functionality?

The LDAP conf file also contains a reference to a certificate.
/etc/ldap/ldap.conf


What is the role of this certificate? Does it require changing as well? Should it rather point to a certificate in
/var/lib/samba/private/tls
?
« Last Edit: March 14, 2018, 08:52:25 am by RAB »

RAB

  • Zen Apprentice
  • *
  • Posts: 42
  • Karma: +2/-0
    • View Profile
Re: Zentyal 5 - CA - LDAPS SSL Certificate
« Reply #2 on: March 12, 2018, 05:19:53 pm »
This: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Suggests that the certificates in
/var/lib/samba/private/tls
would only e used for LDAP.

Correct?

RAB

  • Zen Apprentice
  • *
  • Posts: 42
  • Karma: +2/-0
    • View Profile
Re: Zentyal 5 - CA - LDAPS SSL Certificate
« Reply #3 on: March 14, 2018, 09:31:44 am »
Ok - figured it out for the most part.

Just cannot find where Zentyal configures the samba certificates (the settings below from a plain samba config):


tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = tls/myIntermediate .pem  # if not required, set empty


The certificates used (default setup) for LDAPS on port 636 is the one found in
/var/lib/samba/private/tls

per https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html this is the default location and tls is enabled per default.
« Last Edit: March 14, 2018, 10:51:53 am by RAB »

RAB

  • Zen Apprentice
  • *
  • Posts: 42
  • Karma: +2/-0
    • View Profile
Re: Zentyal 5 - CA - LDAPS SSL Certificate
« Reply #4 on: March 14, 2018, 01:01:05 pm »
OK - solved

Changed the content of:

/var/lib/samba/private/tls/cert.pem to contain the content of the *-cert.crt file in the key-certificate package form the zentyal CA
/var/lib/samba/private/tls/key.pem to contain the content of the *-private-key.pem file in the key-certificatepackage form the zentyal CA
/var/lib/samba/private/tls/ca.pem to empty (no content). The file somehow needs to exist otherwise the start of the zentyal samba service fails.

Edited
/usr/share/zentyal/stubs/samba/smb.conf.mas to include at the end:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   =


Restart the zentyal samba service:

sudo zs samba stop
sudo zs samba stop


NOTE: Despite the empty setting for tls cafile in smb.config.mas, the start of the zentyal samba service fails if no tls/ca.pem file exists. Having an empty tls/ca.pem resolved this for me.
« Last Edit: March 14, 2018, 01:47:40 pm by RAB »

branislav.kopun

  • Zen Apprentice
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
Re: [SOLVED] Zentyal 5 - CA - LDAPS SSL Certificate
« Reply #5 on: June 12, 2018, 07:54:35 am »
Hello, I try to repeat your guide but without success.

Can you explain this:
Code: [Select]
/var/lib/samba/private/tls/cert.pem to contain the content of the *-cert.crt file in the key-certificate package form the zentyal CA
/var/lib/samba/private/tls/key.pem to contain the content of the *-private-key.pem file in the key-certificatepackage form the zentyal CA
/var/lib/samba/private/tls/ca.pem to empty (no content). The file somehow needs to exist otherwise the start of the zentyal samba service fails.

I have Zentyal 5.1 but I don't understand which files you mean " *-cert.crt file in the key-certificate package form the zentyal CA"
and "*-private-key.pem file in the key-certificatepackage form the zentyal CA"

thanks