[389-users] 389 DS 1.2.6. and certificates
Reinhard Nappert
rnappert at juniper.net
Tue Sep 28 18:55:27 UTC 2010
I have the same permissions.
CTu,u,u works with my previous servers. Since I did a certutil -L -d .... before the restart, I know that the database was fine before I restarted the server.
-Reinhard
-----Original Message-----
From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis
Sent: Tuesday, September 28, 2010 2:47 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates
Hi
I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv were running.
Also check permissions:
-rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
-rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
-rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db
and my CA only have CT,,
Not sure that would make a difference but worth checking.
Regards
________________________________________
From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Reinhard Nappert [rnappert at juniper.net]
Sent: 28 September 2010 16:24
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates
Yes, I built it myself on 4.4.
No, it does not make a difference when I change the files to read only, before I restart the server
-----Original Message-----
From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of Rich Megginson
Sent: Tuesday, September 28, 2010 11:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates
Reinhard Nappert wrote:
> Hi,
> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
Do you mean 5.5? Or did you build it yourself?
> The server works fine.
> Then, I generated the certs (using certutil) and imported them in the
> cert-store. The certs are generated basically generated by the
> setupssl2.sh script. When I list the certs afterwards, everything
> looks fine:
>
> certutil -L -d /etc/dirsrv/<dir-instance>
> CA certificate CTu,u,u
> <hostname> u,u,u
> However, when I restart the server, I get the following error and the
> server does not come up anymore:
> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 -
> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>
> Not surprisingly, the certutil -L -d .... comes up with the same error:
> certutil: function failed: security library: bad database.
>
> Any idea, what goes wrong there?
Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>
> Thanks,
> -Reinhard
>
> ----------------------------------------------------------------------
> --
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
More information about the 389-users
mailing list