[389-users] Problems with SSL
Rob Crittenden
rcritten at redhat.com
Wed Mar 3 18:11:25 UTC 2010
Ski Kacoroski wrote:
> Rich,
>
> Thanks very much for your replies. I tried again with no luck. I had
> it working with the self-signed cert using setupssl2.sh. I changed the
> password on the database to one I could type and verified that it worked
> ok. I then added in my star cert, removed the self-signed certs, and
> stopped the services. When I tried to restart I get this error:
>
> [root at ldaptest slapd-nsd-org]# service dirsrv start
> Starting dirsrv:
> nsd-org...[03/Mar/2010:09:09:25 -0800] - SSL alert: Security
> Initialization: Can't find certificate (CA certificate) for family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> security library: bad database.)
> [03/Mar/2010:09:09:25 -0800] - SSL alert: Security Initialization:
> Unable to retrieve private key for cert CA certificate of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> security library: bad database.)
> [03/Mar/2010:09:09:25 -0800] - SSL failure: None of the cipher are valid
> [03/Mar/2010:09:09:25 -0800] - ERROR: SSL Initialization phase 2 Failed.
> [FAILED]
> *** Warning: 1 instance(s) failed to start
>
> I use digicert as my authority. They have options for the certs when I
> get them (e.g. Apache, Tomcat, Java, etc.). I have been choosing Apache
> and it seems to install just fine. Perhaps I need to choose a different
> type?
>
> It looks like by adding in my cert and removing my old certs, it trashed
> the database somehow.
>
> certutil -P ldaptest -d . -L
> certutil: function failed: security library: bad database.
>
> I am going to do another reinstall and try again. Do you know of any
> documentation for using non-self-signed certs with 389 directory server?
> All the docs I find are for self-signed certs.
The problem is in the error message: "Unable to retrieve private key for
cert."
You need the private key for this certificate. The easiest way to load
it into NSS is using the PKCS#12 format, as Rich suggested. If you have the
key and cert stored as PEM files, common with openssl, see the openssl
pkcs12 man page.
rob
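The PEM-to-PKCS#12-to-NSS path Rob describes, written out as an added example (not from the thread or the 389 project). It assumes PEM files server.key, server.crt and ca.crt, a scratch NSS database directory, the nickname Server-Cert (which must match nsSSLPersonalitySSL under cn=RSA,cn=encryption,cn=config), and a throwaway self-signed pair standing in for the CA-issued cert so it runs offline.

```bash
#!/bin/bash
# Added example: bundle a CA-issued PEM cert plus its private key into PKCS#12,
# then import both into a 389 DS style NSS database.  Assumptions (not from the
# posts): server.key / server.crt / ca.crt, nickname "Server-Cert", db password
# kept in a pwdfile so the service can start unattended.
set -eu
WORK=$(mktemp -d)
NSSDIR="$WORK/slapd-example"
P12PW="exportpw"   # protects the key inside the .p12 while it travels

# Constructed stand-in for the real CA-issued cert so the script runs offline:
# a throwaway self-signed pair.  With a real CA, skip this and use its files.
make_test_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
  cp "$WORK/server.crt" "$WORK/ca.crt"   # self-signed: the cert is its own CA
}

# Step 1: one PKCS#12 file carrying cert AND key (see the openssl pkcs12 man page).
# Importing only the .crt is what leaves NSS saying "Unable to retrieve private key".
# OpenSSL 3 note: add -legacy if an old NSS rejects the default AES/PBKDF2 encryption.
bundle_p12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -name Server-Cert -passout "pass:$P12PW" -out "$WORK/server.p12"
}

# Checks on the bundle: how many private keys / certs it holds (expect 1 and 1).
p12_key_count()  { openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$P12PW" -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'; }
p12_cert_count() { openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$P12PW" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# Step 2: load into NSS.  pk12util stores cert + key together under the nickname;
# certutil -A adds the CA cert with trust flags so the chain verifies.
# Afterwards `certutil -K` must list the key, otherwise SSL init fails again.
import_into_nss() {
  mkdir -p "$NSSDIR" && printf 'dbpassword\n' > "$NSSDIR/pwdfile.txt"
  certutil -N -d "$NSSDIR" -f "$NSSDIR/pwdfile.txt"
  pk12util -i "$WORK/server.p12" -d "$NSSDIR" -k "$NSSDIR/pwdfile.txt" -W "$P12PW"
  certutil -A -d "$NSSDIR" -n "CA certificate" -t "CT,," -a -i "$WORK/ca.crt"
  certutil -L -d "$NSSDIR" && certutil -K -d "$NSSDIR" -f "$NSSDIR/pwdfile.txt"
}

make_test_pem
bundle_p12
if command -v pk12util >/dev/null 2>&1; then import_into_nss
else echo "NSS tools (pk12util/certutil) not installed; skipping import"; fi
```

On a real instance, point -d at the instance directory (with -P for the database prefix if it uses one) and stop dirsrv before importing.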