[389-users] Problems with SSL

Rob Crittenden rcritten at redhat.com
Wed Mar 3 18:11:25 UTC 2010 

Ski Kacoroski wrote:
> Rich,
> 
> Thanks very much for your replies.  I tried again with no luck.  I had 
> it working with the self-signed cert using setupssl2.sh.  I changed the 
> password on the database to one I could type and verified that it worked 
> ok.  I then added in my star cert, removed the self-signed certs, and 
> stopped the services.  When I tried to restart I get this error:
> 
> [root at ldaptest slapd-nsd-org]# service dirsrv start
> Starting dirsrv:
>      nsd-org...[03/Mar/2010:09:09:25 -0800] - SSL alert: Security 
> Initialization: Can't find certificate (CA certificate) for family 
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - 
> security library: bad database.)
> [03/Mar/2010:09:09:25 -0800] - SSL alert: Security Initialization: 
> Unable to retrieve private key for cert CA certificate of family 
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - 
> security library: bad database.)
> [03/Mar/2010:09:09:25 -0800] - SSL failure: None of the cipher are valid
> [03/Mar/2010:09:09:25 -0800] - ERROR: SSL Initialization phase 2 Failed.
>                                                             [FAILED]
>    *** Warning: 1 instance(s) failed to start
> 
> I use digicert as my authority.  They have options for the certs when I 
> get them (e.g. Apache, Tomcat, Java, etc.).  I have been choosing Apache 
> and it seems to install just fine.  Perhaps I need to choose a different 
> type?
> 
> It looks like by adding in my cert and removing my old certs, it trashed 
> the database somehow.
> 
> certutil -P ldaptest -d . -L
> certutil: function failed: security library: bad database.
> 
> I am going to do another reinstall and try again.  Do you know of any 
> documentation for using non-self-signed certs with 389 directory server 
> all the docs I find are for self-signed certs.

The problem is in the error message: Unable to retrieve private key for 
cert.

You need the private key for this certificate. The easiest way to load 
it into NSS using the PKCS#12 format, as Rich suggested. If you have the 
key and cert stored as PEM files, common with openssl, see the openssl 
pkcs12 man page.

rob

More information about the 389-users mailing list