LDAPS certificates with privacyidea-ldap-proxy on a FIPS system

Hello, I’ve run into a wall trying to get privacyidea-ldap-proxy to listen on port 1636 using certificates on a Red Hat 9 IDM system with FIPS mode enabled. It doesn’t matter whether I generate them with IDM’s CA or make self-signed certs. The system is not blocking the usage of the certificates that it made, as they pass command-line tests and work in Apache (out of desperation I even tried proxypassing it while the LDAP proxy listens via LDAP). The proxy definitely has perms to access the certificate files, as confirmed by the fact that it complains when it doesn’t.

The ldap proxy works when I just tell it to listen via tcp:port=1389 with no certificates.

All I ever get is this:

Aug  6 22:09:16 idm01 systemd[1]: Started privacyIDEA LDAP proxy.
Aug  6 22:09:16 idm01 twistd[133659]: Traceback (most recent call last):
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/bin/twistd", line 8, in <module>
Aug  6 22:09:16 idm01 twistd[133659]:    sys.exit(run())
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/scripts/twistd.py", line 36, in run
Aug  6 22:09:16 idm01 twistd[133659]:    app.run(runApp, ServerOptions)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/application/app.py", line 676, in run
Aug  6 22:09:16 idm01 twistd[133659]:    runApp(config)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/scripts/twistd.py", line 30, in runApp
Aug  6 22:09:16 idm01 twistd[133659]:    runner.run()
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/application/app.py", line 372, in run
Aug  6 22:09:16 idm01 twistd[133659]:    self.application = self.createOrGetApplication()
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/application/app.py", line 434, in createOrGetApplication
Aug  6 22:09:16 idm01 twistd[133659]:    ser = plg.makeService(self.config.subOptions)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/plugins/ldapproxy_plugin.py", line 42, in makeService
Aug  6 22:09:16 idm01 twistd[133659]:    endpoint_string = serverFromString(reactor, config['ldap-proxy']['endpoint'])
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/endpoints.py", line 1781, in serverFromString
Aug  6 22:09:16 idm01 twistd[133659]:    nameOrPlugin, args, kw = _parseServer(description, None)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/endpoints.py", line 1705, in _parseServer
Aug  6 22:09:16 idm01 twistd[133659]:    return (endpointType.upper(),) + parser(factory, *args[1:], **kw)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/endpoints.py", line 1438, in _parseSSL
Aug  6 22:09:16 idm01 twistd[133659]:    privateCertificate = ssl.PrivateCertificate.loadPEM(certPEM + b"\n" + keyPEM)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/_sslverify.py", line 632, in loadPEM
Aug  6 22:09:16 idm01 twistd[133659]:    return Class.load(
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/_sslverify.py", line 612, in load
Aug  6 22:09:16 idm01 twistd[133659]:    return Class._load(data, format)._setPrivateKey(privateKey)
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/_sslverify.py", line 598, in _setPrivateKey
Aug  6 22:09:16 idm01 twistd[133659]:    if not privateKey.matches(self.getPublicKey()):
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/_sslverify.py", line 731, in matches
Aug  6 22:09:16 idm01 twistd[133659]:    return self.keyHash() == otherKey.keyHash()
Aug  6 22:09:16 idm01 twistd[133659]:  File "/opt/privacyidea-ldap-proxy/lib64/python3.9/site-packages/twisted/internet/_sslverify.py", line 753, in keyHash
Aug  6 22:09:16 idm01 twistd[133659]:    h = md5()
Aug  6 22:09:16 idm01 twistd[133659]: ValueError: [digital envelope routines] unsupported
Aug  6 22:09:16 idm01 systemd[1]: privacyidea-ldap-proxy.service: Main process exited, code=exited, status=1/FAILURE
Aug  6 22:09:16 idm01 systemd[1]: privacyidea-ldap-proxy.service: Failed with result 'exit-code'.

More proof that the server is happy with the certificate files:

# openssl rsa -in /path/to/privacyidea-ldap-proxy.key -check -noout
RSA key ok
# openssl x509 -in /path/to/privacyidea-ldap-proxy.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
        Signature Algorithm: sha256WithRSAEncryption

The signatures match when I run the commands to check them, but as I mentioned the certificates work in Apache as well so that’s a pretty convincing test.

The relevant line in proxy.ini is:

endpoint = ssl:port=1636:privateKey=/path/to/privacyidea-ldap-proxy.key:certKey=/path/to/privacyidea-ldap-proxy.crt

I do plan on paying for enterprise once out of the POC stage (actually trying to build prod out now), and any help would be greatly appreciated.

Thanks!

Edit: I forgot to mention that this is a virtualenv install, and I have tried running “pip install --upgrade cryptography pyopenssl paramiko” within the virtualenv, which gave some pretty large version upgrades, and while the proxy still worked, it didn’t help with the certificates, so I used requirements.txt again to revert it.

Getting no answer at all here will not be helpful when we discuss purchasing support in about 10 hours.
Is privacyIDEA incompatible with SSL on systems with FIPS enabled?
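An added diagnostic, not part of the original post or of privacyidea-ldap-proxy (standard-library Python only): `md5_status` repeats the `md5()` call that the traceback shows failing in `_sslverify.py`, and `keys_match` confirms that the certificate and private key belong together using a SHA-256 fingerprint, which FIPS mode allows, instead of MD5. It assumes the two PEM inputs are public keys exported with `openssl x509 -pubkey -noout` and `openssl pkey -pubout`; the embedded sample PEM blocks are constructed placeholders, not real keys.

```python
"""Stdlib-only diagnostic for the FIPS/MD5 failure in the traceback above."""
import base64
import hashlib
import hmac
import re

# Constructed sample inputs (NOT real keys): two PUBLIC KEY PEM blocks whose
# payloads are just the bytes b"fake-key-A" and b"fake-key-B" in base64.
SAMPLE_A = "-----BEGIN PUBLIC KEY-----\nZmFrZS1rZXktQQ==\n-----END PUBLIC KEY-----\n"
SAMPLE_B = "-----BEGIN PUBLIC KEY-----\nZmFrZS1rZXktQg==\n-----END PUBLIC KEY-----\n"
_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

def md5_status(usedforsecurity=True):
    """Repeat the `h = md5()` call from _sslverify.py line 753. On a FIPS host the
    default call raises ValueError; Python 3.9+ can flag MD5 as non-security use
    (usedforsecurity=False), which FIPS-enabled builds may then allow."""
    try:
        if usedforsecurity:
            hashlib.md5()
        else:
            hashlib.md5(usedforsecurity=False)
        return "allowed"
    except ValueError as exc:  # e.g. "[digital envelope routines] unsupported"
        return f"blocked: {exc}"

def pubkey_fingerprint(pem_text):
    """SHA-256 (FIPS-approved, unlike MD5) over the DER bytes of a PUBLIC KEY PEM
    block, e.g. the output of `openssl x509 -pubkey -noout -in cert.crt` or
    `openssl pkey -pubout -in cert.key`. The DER is hashed, not parsed."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PUBLIC KEY PEM block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def keys_match(cert_pubkey_pem, key_pubkey_pem):
    """True when both PEM blocks carry the same public key (constant-time compare)."""
    return hmac.compare_digest(pubkey_fingerprint(cert_pubkey_pem),
                               pubkey_fingerprint(key_pubkey_pem))

if __name__ == "__main__":
    print("md5():", md5_status())
    print("md5(usedforsecurity=False):", md5_status(usedforsecurity=False))
    print("sample A vs A:", keys_match(SAMPLE_A, SAMPLE_A))  # True
    print("sample A vs B:", keys_match(SAMPLE_A, SAMPLE_B))  # False
```

On the FIPS host, "blocked" for the first line and "allowed" for the second points at the MD5 call in Twisted rather than at the certificate files themselves.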