[389-users] Problems with SSL
Ski Kacoroski
ckacoroski at nsd.org
Wed Mar 3 17:27:00 UTC 2010
Rich,
Thanks very much for your replies. I tried again with no luck. I had
it working with the self-signed cert using setupssl2.sh. I changed the
password on the database to one I could type and verified that it worked
ok. I then added in my star cert, removed the self-signed certs, and
stopped the services. When I tried to restart I get this error:
[root at ldaptest slapd-nsd-org]# service dirsrv start
Starting dirsrv:
nsd-org...[03/Mar/2010:09:09:25 -0800] - SSL alert: Security
Initialization: Can't find certificate (CA certificate) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[03/Mar/2010:09:09:25 -0800] - SSL alert: Security Initialization:
Unable to retrieve private key for cert CA certificate of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[03/Mar/2010:09:09:25 -0800] - SSL failure: None of the cipher are valid
[03/Mar/2010:09:09:25 -0800] - ERROR: SSL Initialization phase 2 Failed.
[FAILED]
*** Warning: 1 instance(s) failed to start
I use digicert as my authority. They have options for the certs when I
get them (e.g. Apache, Tomcat, Java, etc.). I have been choosing Apache
and it seems to install just fine. Perhaps I need to choose a different
type?
It looks like by adding in my cert and removing my old certs, it trashed
the database somehow.
certutil -P ldaptest -d . -L
certutil: function failed: security library: bad database.
I am going to do another reinstall and try again. Do you know of any
documentation for using non-self-signed certs with 389 directory server?
All the docs I find are for self-signed certs.
cheers
ski
On 03/03/2010 08:46 AM, Rich Megginson wrote:
> Ski Kacoroski wrote:
>> Ok, looks like I need to reboot the entire server to get the admin
>> console stop server functionality to work.
> You probably could have just restarted the directory server and admin
> server:
> service dirsrv restart
> service dirsrv-admin restart
>> Now, has anyone had any luck
>> using a * cert with the 389 server?
>>
> What problems are you having still?
>> cheers,
>>
>> ski
>>
>> On 03/02/2010 03:24 PM, Ski Kacoroski wrote:
>>
>>> Hi,
>>>
>>> I am having problems with SSL setup. First I tried via the admin
>>> console to use our company's star cert, but no matter what pin/password
>>> I picked for the keystore, when I tried to restart the server it would
>>> not accept my pin/password that I had just entered. I then gave up and
>>> ran the setupssl2.sh script and this worked except that it threw an
>>> error when trying to modify the directory to turn on ssl. So I went in
>>> via the admin console and was able to turn on ssl for the admin console
>>> and my directory. The problem now is that I cannot stop the server from
>>> the admin console (I can start it ok). I just get a dialog with
>>> "Directory Server nsd-org could not be stopped". Any ideas on why when
>>> I can start the server ok? Also has any one else made this work with a
>>> star cert?
>>>
>>> cheers,
>>>
>>> ski
>>>
>>>
>>
>>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, ckacoroski at nsd.org, 206-501-9803
or ski98033 on most IM services
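A diagnostic check for the NSS database state behind the "Can't find certificate (CA certificate)" alert above, added here as an example and not code from the poster or the 389 project. It assumes the instance's cert database lives in /etc/dirsrv/slapd-nsd-org and that the nickname configured in nsSSLPersonalitySSL (under cn=RSA,cn=encryption,cn=config) is Server-Cert; the listing it parses is constructed in the shape `certutil -L` prints.

```shell
#!/bin/sh
# Added example: before restarting dirsrv, confirm that the NSS database still
# holds (1) the server cert nickname 389 DS is configured to use and (2) at
# least one certificate carrying the "C" trust flag in the SSL column, i.e.
# trusted as a CA. Removing the old self-signed certs without importing the
# issuing chain from the vendor leaves (2) unsatisfied, which is one way to
# reach "Can't find certificate (CA certificate)" at startup.

# nss_check_listing NICKNAME  < output-of-certutil-L
# Prints one line per failed check; returns 0 only when both checks pass.
nss_check_listing() {
    nickname="$1"
    found_cert=0
    found_ca=0
    while IFS= read -r line; do
        # Skip the two header lines and blank lines of the listing.
        case "$line" in
            ''|'Certificate Nickname'*|*'SSL,S/MIME,JAR/XPI'*) continue ;;
        esac
        trust="${line##* }"                 # last field, e.g. CT,, or u,u,u
        name="${line%"$trust"}"             # nickname plus column padding
        name="${name%"${name##*[! ]}"}"     # strip trailing spaces (POSIX)
        ssl_flags="${trust%%,*}"            # first column = SSL trust flags
        [ "$name" = "$nickname" ] && found_cert=1
        case "$ssl_flags" in *C*) found_ca=1 ;; esac
    done
    [ "$found_cert" = 1 ] || echo "missing server cert nickname: $nickname"
    [ "$found_ca" = 1 ] || echo "no certificate trusted as a CA (no 'C' SSL flag)"
    [ "$found_cert" = 1 ] && [ "$found_ca" = 1 ]
}

# Constructed sample listings in the shape certutil -L prints; not real output
# from the poster's server. The CA nickname is a placeholder.
SAMPLE_OK='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example CA                                                   CT,,
Server-Cert                                                  u,u,u'

SAMPLE_BAD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u'

# On a live instance (paths/nickname are assumptions, adjust to the deployment):
#   certutil -d /etc/dirsrv/slapd-nsd-org -L | nss_check_listing Server-Cert
```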