Alfresco discussion and collaboration. Stick around a few hours after asking a question.
Official support for Enterprise subscribers: support.alfresco.com.
Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.
More information about the channel is in the wiki.
More help is available in this list of resources.
2018-07-28 00:04:20 GMT <mark_____> so when running the openssl command I get: depth=1 DC = local, DC = yyy, CN = xxx-CA verify return:1 depth=0 CN = zzz.yyy.local verify return:1 read:errno=104
2018-07-28 00:04:42 GMT <mark_____> Is this because the CA is different from the AD DC?
2018-07-28 00:11:43 GMT <mark_____> alfresco-discord: when opening the crt file it includes "No client certificate CA names sent"
2018-07-28 00:19:32 GMT <mark_____> ldap.authentication.truststore.path, does the CA cert go in the truststore?
2018-07-28 05:02:03 GMT <alfresco-discord> <digcat> @Sanjay if this is Sanjay who did the TTL on docker, then love your work !! touch base when your next on if you can, cheers
2018-07-28 10:10:35 GMT <alfresco-discord> <Mark> I don't think it's required to include the ca in a trust store, but it can't hurt.
2018-07-28 14:08:19 GMT <mark_____> @alfresco-discord I'm still getting lots of these "unable to find valid certification path to requested target" "PKIX path building failed" "simple bind failed" "Failed to communicate with ldaps://xxx.xxx.xxx:636". The Certs for the AD server are in the alf_data/keystore/keystore & ssl.keystore and I've put the CA cert in the ssl.truststore. I'm also getting the "The SSL configuration for LDAPS is not full, the default configura
2018-07-28 14:09:06 GMT <mark_____> In the global.properties I have included "encryption.keystore.location=/opt/alfresco-community/alf_data/keystore/ssl.keystore" "encryption.keystore.type=JCEKS" "encryption.keystore.keyMetaData.location=/opt/alfresco-community/alf_data/keystore/ssl-keystore-passwords.properties"
2018-07-28 18:27:53 GMT <alfresco-discord> <Mark> So when using SDK 3.0.1 AIO project, running works fine, but when I add hotswap agent args it throws a FileNotFoundException on my platform-jar bootstrap-context.xml. This file definitely exists, and running without hotswap agent again works just fine. Anyone else seen something like this?
2018-07-28 18:29:21 GMT <alfresco-discord> <Mark> @Mark_ as long as you get PKIX path building failed errors, you don't have the right certificate chain in the truststore you use for LDAP.
2018-07-28 19:21:21 GMT <alfresco-discord> <Mark> It's super weird; my custom jar contains all necessary files with the right paths, and the module-context xml is found, but loading the bootstrap-context.xml from classpath doesn't work (they're in the same jar!). This smells like a bug in the use of hotswap-agent.
2018-07-28 20:57:01 GMT <mark_____> I've got the CA cert in the truststore and the LDAPS server cert in the ssl.keystore, is this incorrect? Am I missing something or have I bungled the certs?
2018-07-28 21:02:11 GMT <mark_____> would this course help me solve the issue or is it overkill? https://university.alfresco.com/series/recommended-for-you/foundation-for-administrators
2018-07-28 21:02:13 GMT <alfbot> Title:Foundation for ACS Administrators (at university.alfresco.com)
2018-07-28 21:04:18 GMT <alfresco-discord> <Mark> You want to use these props: ldap.authentication.truststore.path The path to the truststore file on the file system. ldap.authentication.truststore.passphrase The password for the truststore. ldap.authentication.truststore.type The type of the truststore.
2018-07-28 21:04:44 GMT <alfresco-discord> <Mark> the truststore.path points to a java keystore which contains the LDAP server's certificate, and optionally the CA certificate.
2018-07-28 21:05:10 GMT <alfresco-discord> <Mark> the store will be of a type (usually JCEKS, JKS or PKCS12) which you set as ldap.authentication.truststore.type
2018-07-28 21:06:49 GMT <mark_____> so the LDAP server's cert shouldn't be .cer or .p7b?
2018-07-28 21:07:14 GMT <mark_____> and I don't really need the CA cert
2018-07-28 21:07:28 GMT <alfresco-discord> <Mark> it can be cer. You import it into your store.
2018-07-28 21:07:55 GMT <alfresco-discord> <Mark> Read the page I linked earlier. This has the exact required steps. Instructions start at "ldap.authentication.java.naming.security.protocol" on this page: https://docs.alfresco.com/5.1/concepts/auth-ldap-props.html
2018-07-28 21:07:57 GMT <alfbot> Title:LDAP configuration properties | Alfresco Documentation (at docs.alfresco.com)
2018-07-28 21:13:29 GMT <mark_____> with that I get "[root@xxx-yyy ~]# openssl s_client -connect xxx-zzz.aaa.local:636 > my-ldap.crt" "depth=1 DC = local, DC = aaa, CN = xxx-bbb-CA" "verify return:1" "depth=0 CN = xxx-zzz.aaa.local" "verify return:1" "read:errno=104"
2018-07-28 21:14:44 GMT <mark_____> is the LDAP server presenting the CA (xxx-bbb-CA) certificate?
2018-07-28 21:15:46 GMT <mark_____> the LDAP server is xxx-zzz.aaa.local
2018-07-28 22:23:54 GMT <mark_____> just looking at the cert request, it's for PKCS10 not PKCS12, could it be that?
The other logs are at http://esplins.org/hash_alfresco