Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2018-07-28 00:04:20 GMT <mark_____> so when running the openssl command I get: depth=1 DC = local, DC = yyy, CN = xxx-CA verify return:1 depth=0 CN = zzz.yyy.local verify return:1 read:errno=104

2018-07-28 00:04:42 GMT <mark_____> Is this because the CA is different from the AD DC?

2018-07-28 00:11:43 GMT <mark_____> alfresco-discord: when opening the crt file it includes "No client certificate CA names sent"

2018-07-28 00:19:32 GMT <mark_____> ldap.authentication.truststore.path, does the CA cert go in the truststore?

2018-07-28 05:02:03 GMT <alfresco-discord> <digcat> @Sanjay if this is Sanjay who did the TTL on docker, then love your work !! touch base when you're next on if you can, cheers

2018-07-28 10:10:35 GMT <alfresco-discord> <Mark> I don't think it's required to include the ca in a trust store, but it can't hurt.

2018-07-28 14:08:19 GMT <mark_____> @alfresco-discord I'm still getting lots of these "unable to find valid certification path to requested target" "PKIX path building failed" "simple bind failed" "Failed to communicate with ldaps://xxx.xxx.xxx:636". The Certs for the AD server are in the alf_data/keystore/keystore & ssl.keystore and I've put the CA cert in the ssl.truststore. I'm also getting the "The SSL configuration for LDAPS is not full, the default configura

2018-07-28 14:09:06 GMT <mark_____> In the global.properties I have included "encryption.keystore.location=/opt/alfresco-community/alf_data/keystore/ssl.keystore" "encryption.keystore.type=JCEKS" "encryption.keystore.keyMetaData.location=/opt/alfresco-community/alf_data/keystore/ssl-keystore-passwords.properties"

2018-07-28 18:27:53 GMT <alfresco-discord> <Mark> So when using SDK 3.0.1 AIO project, running works fine, but when I add hotswap agent args it throws a filenotfoundexception on my platform-jar bootstrap-context.xml. This file definitely exists, and running without hotswap agent again works just fine.. Anyone else seen something like this?

2018-07-28 18:29:21 GMT <alfresco-discord> <Mark> @Mark_ as long as you get PKIX path building failed errors, you don't have the right certificate chain in the truststore you use for LDAP.

2018-07-28 19:21:21 GMT <alfresco-discord> <Mark> It's super weird; my custom jar contains all necessary files with the right paths, and the module-context xml is found, but loading the bootstrap-context.xml from classpath doesn't work (they're in the same jar!). This smells like a bug in the use of hotswap-agent.

2018-07-28 20:57:01 GMT <mark_____> I've got the CA cert in the truststore and the LDAPS server cert in the ssl.keystore, is this incorrect? Am I missing something or have I bungled the certs?

2018-07-28 21:02:11 GMT <mark_____> would this course help me solve the issue or is it overkill? https://university.alfresco.com/series/recommended-for-you/foundation-for-administrators

2018-07-28 21:02:13 GMT <alfbot> Title:Foundation for ACS Administrators (at university.alfresco.com)

2018-07-28 21:04:18 GMT <alfresco-discord> <Mark> You want to use these props: ldap.authentication.truststore.path The path to the truststore file on the file system. ldap.authentication.truststore.passphrase The password for the truststore. ldap.authentication.truststore.type The type of the truststore.

2018-07-28 21:04:44 GMT <alfresco-discord> <Mark> the truststore.path points to a java keystore which contains the LDAP server's certificate, and optionally the CA certificate.

2018-07-28 21:05:10 GMT <alfresco-discord> <Mark> the store will be of a type (usually JCEKS, JKS or PKCS12) which you set as ldap.authentication.truststore.type

2018-07-28 21:06:49 GMT <mark_____> so the LDAP server's cert shouldn't be .cer or .p7b?

2018-07-28 21:07:14 GMT <mark_____> and I don't really need the CA cert

2018-07-28 21:07:28 GMT <alfresco-discord> <Mark> it can be cer. You import it into your store.

2018-07-28 21:07:55 GMT <alfresco-discord> <Mark> Read the page I linked earlier. This has the exact required steps. Instructions start at "ldap.authentication.java.naming.security.protocol" on this page: https://docs.alfresco.com/5.1/concepts/auth-ldap-props.html

2018-07-28 21:07:57 GMT <alfbot> Title:LDAP configuration properties | Alfresco Documentation (at docs.alfresco.com)

2018-07-28 21:13:29 GMT <mark_____> with that I get "[root@xxx-yyy ~]# openssl s_client -connect xxx-zzz.aaa.local:636 > my-ldap.crt" "depth=1 DC = local, DC = aaa, CN = xxx-bbb-CA" "verify return:1" "depth=0 CN = xxx-zzz.aaa.local" "verify return:1" "read:errno=104"

2018-07-28 21:14:44 GMT <mark_____> is the LDAP server presenting the CA (xxx-bbb-CA) certificate?

2018-07-28 21:15:46 GMT <mark_____> the LDAP server is xxx-zzz.aaa.local

2018-07-28 22:23:54 GMT <mark_____> just looking at the cert request, it's for PKCS10 not PKCS12, could it be that?

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco