majewsky / portunus

Self-contained user/group management and authentication service
GNU General Public License v3.0

self-signed TLS fails with "failed to verify certificate: x509: certificate signed by unknown authority" #30

Open anpin opened 6 months ago

anpin commented 6 months ago

Hello, thank you for your effort in this project! I've been playing with portunus and tried to use an SSL certificate signed by my own root CA, but it always fails even if I add my CA system-wide. Is there a way to use self-signed certificates?

Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07be8128 0x7f93900186c0 daemon: activity on 1 descriptor
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07bea50b 0x7f93900186c0 daemon: activity on:65941c57.07beaa3e 0x7f93900186c0
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07beaeaa 0x7f93900186c0 slap_listener_activate(8):
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07bef05a 0x7f93900186c0 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07befab5 0x7f93900186c0 daemon: epoll: listen=8 busy
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07bf6759 0x7f938f8176c0 >>> slap_listener(ldaps:///)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07bf95a1 0x7f938f8176c0 daemon: accept() = 12
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07bfe8e0 0x7f938f8176c0 daemon: listen=8, new connection on 12
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c0137a 0x7f93900186c0 daemon: activity on 1 descriptor
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c022e4 0x7f93900186c0 daemon: activity on:65941c57.07c028f6 0x7f93900186c0
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c03ae6 0x7f93900186c0 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c041be 0x7f93900186c0 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c05c66 0x7f938f8176c0 daemon: added 12r (active) listener=(nil)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c0ebfe 0x7f938f8176c0 conn=1008 fd=12 ACCEPT from IP=[::1]:39154 (IP=[::]:636)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c1661d 0x7f93900186c0 daemon: activity on 2 descriptors
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c174f6 0x7f93900186c0 daemon: activity on:65941c57.07c17e2a 0x7f93900186c0  12r65941c57.07c184a3 0x7f93900186c0
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c18ec1 0x7f93900186c0 daemon: read active on 12
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c24656 0x7f93900186c0 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c256e0 0x7f93900186c0 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra slapd[1264]: conn=1008 fd=12 ACCEPT from IP=[::1]:39154 (IP=[::]:636)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c31333 0x7f938f8176c0 connection_get(12)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c3235b 0x7f938f8176c0 connection_get(12): got connid=1008
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c3280e 0x7f938f8176c0 connection_read(12): checking for input on id=1008
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c37d55 0x7f938f8176c0 TLS trace: SSL_accept:before SSL initialization
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c39635 0x7f938f8176c0 TLS trace: SSL_accept:before SSL initialization
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c4c54d 0x7f938f8176c0 TLS trace: SSL_accept:SSLv3/TLS read client hello
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c6621e 0x7f938f8176c0 TLS trace: SSL_accept:SSLv3/TLS write server hello
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c6cdba 0x7f938f8176c0 TLS trace: SSL_accept:SSLv3/TLS write change cipher spec
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c6e4e1 0x7f938f8176c0 TLS trace: SSL_accept:TLSv1.3 write encrypted extensions
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c9708e 0x7f938f8176c0 TLS trace: SSL_accept:SSLv3/TLS write certificate
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07c9fb64 0x7f938f8176c0 TLS trace: SSL_accept:TLSv1.3 write server certificate verify
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cba2e6 0x7f938f8176c0 TLS trace: SSL_accept:SSLv3/TLS write finished
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cbbca0 0x7f938f8176c0 TLS trace: SSL_accept:TLSv1.3 early data
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cbcd31 0x7f938f8176c0 TLS trace: SSL_accept:error in TLSv1.3 early data
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cbfc19 0x7f93900186c0 daemon: activity on 1 descriptor
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cc037a 0x7f93900186c0 daemon: activity on:65941c57.07cc0a4e 0x7f93900186c0
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cc1639 0x7f93900186c0 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07cc1c43 0x7f93900186c0 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dbe23c 0x7f93900186c0 daemon: activity on 1 descriptor
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dbfc13 0x7f93900186c0 daemon: activity on:65941c57.07dc0662 0x7f93900186c0  12r65941c57.07dc0bcf 0x7f93900186c0
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dc11e8 0x7f93900186c0 daemon: read active on 12
Jan 02 14:23:19 infra slapd[1264]: conn=1008 fd=12 closed (TLS negotiation failure)
Jan 02 14:23:19 infra portunus-orchestrator[1262]: 2024/01/02 14:23:19 INFO: cannot connect to LDAP server (attempt 10/10): LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certifica>
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dc267e 0x7f93900186c0 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1262]: 2024/01/02 14:23:19 FATAL: giving up on LDAP server after 10 connection attempts
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dc2e0b 0x7f93900186c0 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dcc4d0 0x7f938f8176c0 connection_get(12)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dce33c 0x7f938f8176c0 connection_get(12): got connid=1008
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dce933 0x7f938f8176c0 connection_read(12): checking for input on id=1008
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dd19b4 0x7f938f8176c0 TLS trace: SSL3 alert read:fatal:bad certificate
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dd2696 0x7f938f8176c0 TLS trace: SSL_accept:error in error
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dd3a77 0x7f938f8176c0 TLS: can't accept: error:0A000412:SSL routines::sslv3 alert bad certificate.
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dd9bdd 0x7f938f8176c0 connection_read(12): TLS accept failure error=-1 id=1008, closing
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07ddaa1c 0x7f938f8176c0 connection_closing: readying conn=1008 sd=12 for close
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07ddeaf1 0x7f938f8176c0 connection_close: conn=1008 sd=12
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07de067e 0x7f938f8176c0 daemon: removing 12
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07de888f 0x7f938f8176c0 conn=1008 fd=12 closed (TLS negotiation failure)
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07dec6c5 0x7f93900186c0 daemon: activity on 1 descriptor
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07deed34 0x7f93900186c0 daemon: activity on:65941c57.07def3ca 0x7f93900186c0
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07deffcd 0x7f93900186c0 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1264]: 65941c57.07df042e 0x7f93900186c0 daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jan 02 14:23:19 infra portunus-orchestrator[1251]: 2024/01/02 14:23:19 FATAL: error encountered while running portunus-server: exit status 1
Jan 02 14:23:19 infra systemd[1]: portunus.service: Main process exited, code=exited, status=1/FAILURE

Here is how I'm configuring it on nixos:

services.portunus = {
  enable = true;
  domain = config.networking.domain;
  port = 8080;
  seedPath = seedFile;
  ldap = {
    suffix = "dc=domain,dc=local";
    searchUserName = "search";
  };
};
systemd.services.portunus.environment = {
  PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = ./.ssl/ca-chain.pem;
  PORTUNUS_SLAPD_TLS_CERTIFICATE = ./.ssl/ldap.pem;
  PORTUNUS_SLAPD_TLS_DOMAIN_NAME = ldapDomain;
  PORTUNUS_SLAPD_TLS_PRIVATE_KEY = config.sops.secrets.ldaps-key.path;
  PORTUNUS_DEBUG = "true";
};

networking.extraHosts = ''
  127.0.0.1 ${ldapDomain}
'';

majewsky commented 6 months ago

Just as a quick guess: Do you have the complete chain in .ssl/ca-chain.pem, i.e. including the leaf cert and the root CA? I remember OpenLDAP insisting on having absolutely everything in there, see e.g. https://github.com/majewsky/nixos-modules/blob/54303357d576d1f40e76723fc82b44ac5a49ed6b/ldap-server.nix#L117-L129.

anpin commented 6 months ago

I do have the full chain under .ssl/ca-chain.pem (root + intermediate) as per the OpenLDAP docs, and I can validate the cert via openssl.

majewsky commented 6 months ago

I understand what's going on. We are not telling portunus-server about the custom CA, so it will only use the system CA bundle. More specifically, in

https://github.com/majewsky/portunus/blob/31ee83d547016d21893ff1cc92bc39ce8bb1f5c9/internal/ldap/connection.go#L67

Since my year-end vacation is over, I may not have the time to work on this right away. I put the above description here in case you are able to and interested in contributing the fix.
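The two points raised in this thread (the client trusting only the system bundle, and the need for the complete chain in ca-chain.pem) both come down to how Go's x509 verifier builds a chain, which is what a Go crypto/tls client such as portunus-server's LDAP connection ultimately runs. The following is an added example and not portunus code: it constructs a throwaway root, intermediate and leaf certificate in memory (the host name `ldap.example.test` and the scenario names are constructed placeholders) and shows which trust configurations produce the exact "certificate signed by unknown authority" error from the log above, which one produces a host-name mismatch instead, and which one succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder standing in for PORTUNUS_SLAPD_TLS_DOMAIN_NAME.
const ldapHost = "ldap.example.test"

// testPKI is a constructed root -> intermediate -> leaf chain, not anyone's real certificates.
type testPKI struct{ root, inter, leaf *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newTestPKI() testPKI {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTmpl(1, "Test Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	inter := sign(caTmpl(2, "Test Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: ldapHost},
		DNSNames:  []string{ldapHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	return testPKI{root, inter, leaf}
}

// chainPEM concatenates certificates the way a ca-chain.pem file would.
func chainPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verify does what crypto/tls does for a client whose tls.Config.RootCAs is the pool built
// from caPEM: chain the leaf through the intermediates the server presented to one of those
// roots, and check that the certificate is valid for host.
func verify(leaf *x509.Certificate, presented []*x509.Certificate, caPEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // false on empty input; an empty pool trusts nothing
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// classify maps a verification error to a short label so callers can branch on it.
func classify(err error) string {
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "unknown-authority" // the x509 error quoted in the issue log
	case errors.As(err, &hn):
		return "hostname-mismatch"
	default:
		return "other"
	}
}

// runScenarios returns the outcome of each trust configuration (constructed scenario names).
func runScenarios(p testPKI) map[string]string {
	full := chainPEM(p.root, p.inter)
	return map[string]string{
		"custom CA, full chain":      classify(verify(p.leaf, []*x509.Certificate{p.inter}, full, ldapHost)),
		"no custom CA (empty pool)":  classify(verify(p.leaf, []*x509.Certificate{p.inter}, nil, ldapHost)),
		"root only, no intermediate": classify(verify(p.leaf, nil, chainPEM(p.root), ldapHost)),
		"custom CA, wrong host":      classify(verify(p.leaf, []*x509.Certificate{p.inter}, full, "other.example.test")),
	}
}

func main() {
	for name, outcome := range runScenarios(newTestPKI()) {
		fmt.Printf("%-28s %s\n", name, outcome)
	}
}
```

The "no custom CA" case is the situation the thread describes: a Go client whose RootCAs pool does not contain the private root fails with an UnknownAuthorityError no matter what the server presents. The "root only, no intermediate" case is the complete-chain point: if the server does not send the intermediate and the client's pool only holds the root, the chain cannot be built and the error is the same, which is why a missing intermediate and a missing root are indistinguishable from the error text alone.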

anpin commented 6 months ago

Before opening the issue I tried adding my root CA to the system bundle by overriding the NixOS cacert package as follows:

(final: prev: {
  cacert = prev.cacert.override {
    extraCertificateFiles = [ ./.ssl/ca-chain.pem ];
  };
})

That didn't affect this issue with portunus.

Thank you for pointing out possible solutions. I'm currently experimenting with other solutions to my problem and in case I would decide to use portunus I will look more into it.

majewsky commented 6 months ago

Since overriding pkgs.cacert did not work, did you try setting config.security.pki.certificateFiles? That looks like the standard way to extend the system trust store.