[Samba] Problem with intermediate certificate (tls cafile)

Nick Howitt nick at howitts.co.uk
Thu Aug 6 15:43:29 UTC 2020


If I were guessing, based on some experience with certificate usage in 
other apps, concatenate your certificate and intermediate certificates 
into a single file which is then your "tls certfile", then point "tls 
cafile" to your issuer's proper CA or just to your distro's CA bundle, 
e.g. /etc/pki/tls/certs/ca-bundle.crt.

Nick

On 06/08/2020 16:36, MAS Jean-Louis via samba wrote:
> Nobody has any clue about the tls cafile?
>
> Regards
>
> On 04/08/2020 at 15:18, MAS Jean-Louis via samba wrote:
>> I have several samba servers on Debian 10 all using :
>>
>> samba          2:4.9.5+dfsg-5+deb10u1 amd64
>>
>> I use tls cafile, tls certfile and tls keyfile with certificates from
>> Sectigo (https://cert-manager.com)
>>
>> And when checking my connection from the samba server, or from outside,
>> I've got "unable to verify the first certificate" even if tls_cafile is
>> provided in smb.conf.
>>
>> What is wrong?
>>
>> # checking my connection
>>
>> openssl s_client -showcerts -connect localhost:636
>>
>> CONNECTED(00000003)
>> Can't use SSL_get_servername
>> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
>> XXX, CN = ad-rep2.example.com
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =
>> XXX, CN = ad-rep2.example.com
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ...
>> Server certificate
>> subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
>> CN = ad-rep2.example.com
>>
>> issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>>
>> ---
>> Acceptable client certificate CA names
>> C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
>> = USERTrust RSA Certification Authority
>> C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
>> = AAA Certificate Services
>> Requested Signature Algorithms:
>> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
>> Shared Requested Signature Algorithms:
>> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
>> Peer signing digest: SHA256
>> Peer signature type: RSA-PSS
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 3041 bytes and written 393 bytes
>> Verification error: unable to verify the first certificate
>> ---
>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 21 (unable to verify the first certificate)
>>
>> # checking my connection with intermediate certificate
>>
>> openssl s_client -showcerts -connect localhost:636 -CAfile
>> /etc/ssl/certs/ad-rep2.example.com-2020-intermediate.pem
>>
>> CONNECTED(00000003)
>> Can't use SSL_get_servername
>> depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA
>> Limited, CN = AAA Certificate Services
>> verify return:1
>> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
>> Network, CN = USERTrust RSA Certification Authority
>> verify return:1
>> depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>> verify return:1
>> depth=0 C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
>> CN = ad-rep2.example.com
>> verify return:1
>> ---
>> Certificate chain
>>   0 s:C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX, CN
>> = ad-rep2.example.com
>>     i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>> ---
>> Server certificate
>> subject=C = FR, postalCode = 00000, ST = XXX, L = XXX, O = XXX, OU =XXX,
>> CN = ad-rep2.example.com
>>
>> issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>>
>> ---
>> Acceptable client certificate CA names
>> C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
>> C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
>> = USERTrust RSA Certification Authority
>> C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN
>> = AAA Certificate Services
>> Requested Signature Algorithms:
>> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
>> Shared Requested Signature Algorithms:
>> RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
>> Peer signing digest: SHA256
>> Peer signature type: RSA-PSS
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 3041 bytes and written 393 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> closed
>>
>> # My smb.conf
>>
>> [global]
>>          allow dns updates = nonsecure and secure
>>          disable spoolss = Yes
>>          dns forwarder = w.x.y.z a.b.c.d
>>          load printers = No
>>          log file = /var/log/samba/samba-ad.log
>>          netbios name = AD-REP2
>>          passdb backend = samba_dsdb
>>          printcap cache time = 0
>>          printcap name = /dev/null
>>          realm = EXAMPLE.COM
>>          server role = active directory domain controller
>>          server string = Samba Server Version %v
>>          template homedir = /home/%ACCOUNTNAME%
>>          template shell = /bin/bash
>>          tls cafile = tls/ad-rep2.example.com-2020-intermediate.pem
>>          tls certfile = tls/ad-rep2.example.com-2020-certonly.pem
>>          tls keyfile = tls/ad-rep2.example.com-2020.key
>>          tls verify peer = ca_and_name
>>          workgroup = EXAMPLE
>>          winbindd:use external pipes = true
>>          smbd:backgroundqueue = no
>>          rpc_daemon:spoolssd = embedded
>>          rpc_server:tcpip = no
>>          rpc_server:spoolss = embedded
>>          rpc_server:winreg = embedded
>>          rpc_server:ntsvcs = embedded
>>          rpc_server:eventlog = embedded
>>          rpc_server:srvsvc = embedded
>>          rpc_server:svcctl = embedded
>>          rpc_server:default = external
>>          idmap_ldb:use rfc2307 = yes
>>          idmap config * : backend = tdb
>>          lpq command = lpq -P'%p'
>>          lprm command = lprm -P'%p' %j
>>          map archive = No
>>          print command = lpr -r -P'%p' %s
>>          printing = bsd
>>
>> Intermediate certificates
>> (tls/ad-rep2.example.com-2020-intermediate.pem) are ordered as mentioned
>> in sectigo's documentation:
>>
>> "SSLCertificateChainFile: Intermediate(s)/Root only,  PEM encoded (it
>> contains the certificates from the leaf, without the certificate itself,
>> to the root)"
>>
>> Thanks
>>
>

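The s_client output quoted above shows the server offering a one-certificate chain (only entry 0, issued by GEANT OV RSA CA 4), so a client that does not already hold that intermediate cannot build a path to a root, which is exactly error 20/21. Nick's suggestion is to ship the intermediates in "tls certfile" and keep "tls cafile" as the trust bundle. The script below is an added example, not from the thread and not Samba project code: it builds such a combined file and checks it offline the way a TLS client would, against a throwaway root -> intermediate -> leaf PKI that the script constructs itself. The test CA names, the hostname ad-rep2.example.com and every file name are placeholders; the second argument of `check_certfile` is the trust bundle, i.e. what "tls cafile" should point at (the issuer's root or the distro bundle).

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: build the combined
# "tls certfile" Nick suggests (leaf first, then the intermediates) and check
# it offline the way a TLS client will. A throwaway root -> intermediate ->
# leaf PKI is constructed here so the script needs no network; its CA names,
# the hostname ad-rep2.example.com and all file names are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI standing in for the Sectigo/GEANT chain in the thread.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ad-rep2.example.com\n' > leaf.ext
    # Root: self-signed, with explicit CA extensions so strict verifiers accept it.
    openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem >/dev/null 2>&1
    # Intermediate: issued by the root, itself a CA.
    openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1
    # Leaf: the domain controller's server certificate, issued by the intermediate.
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=ad-rep2.example.com" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# What the server should send: the leaf first, then its issuer(s) in order
# up to (but not necessarily including) the root.
build_certfile() {   # $1=leaf.pem  $2=intermediates.pem  $3=output
    cat "$1" "$2" > "$3"
}

# Validate a candidate "tls certfile" against a trust bundle the way a client
# does: the first certificate is the end entity, any further certificates are
# offered only as untrusted chain material. Prints OK or FAIL and never aborts
# the script, so the broken and the fixed file can be compared side by side.
check_certfile() {   # $1=certfile  $2=CA bundle (issuer root or distro bundle)
    awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" > "$WORK/first.pem"
    awk '/BEGIN CERTIFICATE/{n++} n>=2' "$1" > "$WORK/rest.pem"
    if [ -s "$WORK/rest.pem" ]; then
        out=$(openssl verify -CAfile "$2" -untrusted "$WORK/rest.pem" "$WORK/first.pem" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$2" "$WORK/first.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

# Confirm "tls keyfile" belongs to the first certificate in "tls certfile"
# by comparing the SHA-256 of both public keys in DER form.
key_matches_cert() {   # $1=certfile  $2=keyfile
    c=$(awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$c" = "$k" ]; then echo MATCH; else echo MISMATCH; fi
}

make_test_pki
build_certfile leaf.pem int.pem ad-rep2-chain.pem

# The thread's smb.conf pointed "tls certfile" at the leaf alone; the combined
# file is what Nick recommends. "tls cafile" stays the trust bundle (root.pem here).
echo "leaf only  : $(check_certfile leaf.pem root.pem)"           # FAIL
echo "leaf+chain : $(check_certfile ad-rep2-chain.pem root.pem)"  # OK
echo "key matches: $(key_matches_cert ad-rep2-chain.pem leaf.key)" # MATCH
```

For a real deployment, replace the constructed files with the Sectigo leaf, the intermediate bundle and the distro CA bundle, then re-run the same two checks; once the combined file verifies, point "tls certfile" at it and `openssl s_client -showcerts -connect localhost:636` should list more than one entry under "Certificate chain".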