en - RE: [sympa-users] Encountered Error after 6.2.2 Upgrade

Subject: The mailing list for listmasters using Sympa

  • From: Etan Weintraub <address@concealed>
  • To: IKEDA Soji <address@concealed>, "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] Encountered Error after 6.2.2 Upgrade
  • Date: Thu, 23 Jul 2015 14:00:46 +0000

Ikeda-

Thank you so much! I missed the c_rehash step, and that fixed it all.
Interesting that the older version didn't need it, but I'm glad the community
helped us get this working.

-Etan E. Weintraub
Information Security Architect
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Davis Building Suite 3110B
Baltimore, MD 21209
Phone: 667-208-6309
E-mail: address@concealed

-----Original Message-----
From: address@concealed
[mailto:address@concealed] On Behalf Of IKEDA Soji
Sent: Wednesday, July 22, 2015 11:13 PM
To: address@concealed
Subject: Re: [sympa-users] Encountered Error after 6.2.2 Upgrade

Hi,

On Wed, 22 Jul 2015 18:17:28 +0000
Etan Weintraub <address@concealed> wrote:

> We added the root certificate (and all the intermediate ones) to
> /etc/openldap/cacerts (individual files), and still get the same error. I
> also tried editing LDAPSource.pm and tried setting verify to none, and
> still got the same issue, so I don't believe this has to do with validating
> the SSL certificates. I can also state that prior to upgrade, and on our
> production boxes, this all works fine.
>
> Any other ideas?

Please check if:

- All certificates of root and intermediate CAs are valid CA
certificates, i.e. they are not expired and so on.

You may check it by using "openssl x509" etc. to extract each
certificate.

- Server certificate of LDAP server is valid, too.

- Certificates under capath (/etc/openldap/cacerts above) are linked
to their subject_hash.

cf. https://mta.openssl.org/pipermail/openssl-users/2015-July/001687.html

- Certificate chain is established and recognized by client-side.

You may check it by using "openssl s_client" etc. to connect to
LDAP server.

- The value of "host" parameter in include_ldap_query setting is the
same as Common Name (CN) in Subject of server certificate.

This looks required at least on my machine.
(It will not be the case, if you patched LDAP.pm to force
ca_verify being "none".)

Regards,

-- Soji

> -Etan E. Weintraub
> Information Security Architect
> IT@Johns Hopkins
> Johns Hopkins at Mt. Washington
> 5801 Smith Ave.
> Davis Building Suite 3110B
> Baltimore, MD 21209
> Phone: 667-208-6309
> E-mail: address@concealed
>
> -----Original Message-----
> From: address@concealed
> [mailto:address@concealed] On Behalf Of IKEDA Soji
> Sent: Wednesday, July 22, 2015 1:41 AM
> To: address@concealed
> Subject: Re: [sympa-users] Encountered Error after 6.2.2 Upgrade
>
> Hi,
>
> On Tue, 21 Jul 2015 17:40:32 +0000
> Ray Mathis <address@concealed> wrote:
>
> > Hi David,
> >
> > We did the update and the problem still exists. Is there anything else
> > we can try?
> <<snip>>
>
> Directory or file specified by "capath" or "cafile" should contain
> the certificate of CA that issued the certificate of LDAP server.
> I suppose ca-bundle.crt does not contain certificate of private CA.
>
> Regards,
>
> --- Soji
>
> > Raymond Mathis
> > Systems Engineer
> > Perimeter Email Security
> > Enterprise Directory and Messaging Services
> > Johns Hopkins University
> > 667.208.6235
> >
> > From: address@concealed
> > [mailto:address@concealed] On Behalf Of David Verdin
> > Sent: Friday, July 17, 2015 4:23 AM
> > To: Etan Weintraub <address@concealed>; address@concealed
> > Subject: Re: [sympa-users] Encountered Error after 6.2.2 Upgrade
> >
> > Hi Etan,
> >
> > OK, We fixed this problem. The fix is in the 6.2.3 that was just released
> > yesterday. Just upgrade to 6.2.3 and it will be alright.
> >
> > Regards,
> >
> > David
> > On 15/07/15 15:29, Etan Weintraub wrote:
> > Hi-
> > I'm Ray's co-admin on the system. In the sympa.conf we have the following:
> >
> > ## The directory path use by OpenSSL for trusted CA certificates
> > # was capath
> > capath /etc/openldap/cacerts
> >
> > ## This parameter sets the all-in-one file where you can assemble the
> > Certificates of Certification Authorities (CA)
> > cafile /usr/local/sympa/default/ca-bundle.crt
> >
> >
> > If we try to add a ca_file or ca_path line to the sympa.conf file, we get
> > an error about those being undefined options.
> >
> > -Etan E. Weintraub
> > Information Security Architect
> > IT@Johns Hopkins
> > Johns Hopkins at Mt. Washington
> > 5801 Smith Ave.
> > Davis Building Suite 3110B
> > Baltimore, MD 21209
> > Phone: 667-208-6309
> > E-mail: address@concealed
> >
> > From: address@concealed
> > [mailto:address@concealed] On Behalf Of David Verdin
> > Sent: Wednesday, July 15, 2015 5:20 AM
> > To: address@concealed
> > Subject: Re: [sympa-users] Encountered Error after 6.2.2 Upgrade
> >
> > Hi,
> >
> > These two parameters are specified in sympa.conf.
> >
> > You probably use LDAPS to reach your data sources. So it wants to check
> > the SSL connection.
> >
> > Just set your ca_file parameter to the path to a valid AC file, somewhere
> > on the server. There is always one shipped with the distribution.
> >
> > Regards,
> >
> > David
> > On 14/07/15 21:29, Ray Mathis wrote:
> > Hey All,
> >
> > After upgrading to 6.2.2 I ran into the following error when I went to
> > one of my list's subscriber page:
> >
> > Jul 7 10:39:31 esgsympadev wwsympa[24418]: err main::#1629 >
> > main::do_sync_include#23312 > Sympa::List::sync_include#8059 >
> > Sympa::List::_load_list_members_from_include#7343 >
> > Sympa::List::_include_users_ldap#6632 > Sympa::Database::connect#148 >
> > (eval)#148 > Sympa::DatabaseDriver::LDAP::_connect#88 Neither ca_file nor
> > ca_path parameter is specified
> >
> > The question is: Where are the ca_file and ca_path parameters specified?
> >
> > Any help provided would be greatly appreciated.
> >
> > Thanks
> >
> > Raymond Mathis
> > Systems Engineer
> > Perimeter Email Security
> > Enterprise Directory and Messaging Services
> > Johns Hopkins University
> > 667.208.6235
> >
> >
> > --
> > A bug in Sympa? Quick! To the bug
> > tracker!<https://sourcesup.renater.fr/tracker/?group_id=23>
> >
> > David Verdin
> > Application Studies and Projects
> >
> > Tel: +33 2 23 23 69 71
> > Fax: +33 2 23 23 71 21
> >
> > www.renater.fr<http://www.renater.fr>
> >
> > RENATER
> > 263 Avenue du Gal Leclerc
> > 35042 Rennes Cedex
> >
> >
>
> --
> Conversion Co., Ltd., Security & OSS Solutions Department, IKEDA Soji
> 4F Access Oimachi Building, 1-49-15 Oi, Shinagawa-ku, Tokyo 140-0014
> e-mail address@concealed TEL 03-6429-2880
> http://www.conversion.co.jp/


--
Conversion Co., Ltd., Security & OSS Solutions Department, IKEDA Soji
4F Access Oimachi Building, 1-49-15 Oi, Shinagawa-ku, Tokyo 140-0014
e-mail address@concealed TEL 03-6429-2880
http://www.conversion.co.jp/

Attachment: smime.p7s
Description: S/MIME cryptographic signature
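
The capath checks discussed in this thread (certificates not expired, each one reachable under its subject_hash name, which is the step c_rehash performs) can be audited with a short script. This is an added example, not part of the original messages or of Sympa; the function names `fp` and `check_capath` are hypothetical, and it assumes the `openssl` command-line tool and PEM-encoded certificates.

```shell
# Audit an OpenSSL capath directory such as /etc/openldap/cacerts.
# Prints one "<status> <file>" line per certificate and returns non-zero
# if any certificate is expired or has no <subject_hash>.N entry.

# SHA-256 fingerprint of a PEM certificate; empty output if not a certificate.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }

check_capath() {
    dir=$1
    problems=0
    for cert in "$dir"/*; do
        # Skip the hash entries themselves (8 hex digits, dot, sequence number).
        case "${cert##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) continue ;;
        esac
        [ -f "$cert" ] || continue
        want=$(fp "$cert") || continue      # not a PEM certificate
        [ -n "$want" ] || continue
        # -checkend 0 fails when the certificate has already expired.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "expired $cert"; problems=$((problems + 1)); continue
        fi
        # OpenSSL looks certificates up in capath as <subject_hash>.0, .1, ...
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        linked=no
        for entry in "$dir/$hash".*; do
            [ -e "$entry" ] || continue     # unmatched glob or dangling link
            # Compare by fingerprint so a copy works as well as a symlink.
            if [ "$(fp "$entry")" = "$want" ]; then linked=yes; fi
        done
        if [ "$linked" = yes ]; then
            echo "ok $cert"
        else
            echo "unlinked $cert (expected $dir/$hash.0)"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it as `check_capath /etc/openldap/cacerts`; an `unlinked` line means the directory has not been rehashed for that certificate.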



