NSS, which stores the certificates, requires a password for its database. If you look
in /etc/dirsrv/admin-serv you'll see files like:
secmod.db
key3.db
key4.db
cert8.db
cert9.db
pkcs11.txt
These are the NSS database files. They store their material encrypted, which is why a
password is prompted for.
With Directory Server, we normally handle this by having a pin.txt in the same directory
that can unlock this automatically at startup. For example, from a demo instance:
-rw------- 1 dirsrv dirsrv 36864 Aug 14 14:28 key4.db
-rw------- 1 dirsrv dirsrv 91 Aug 14 14:28 pin.txt
-rw------- 1 dirsrv dirsrv 571 Aug 20 12:46 pkcs11.txt
The format is:
Internal (Software) Token:PASSWORD
When you were setting up the admin server, you may have been asked to import TLS keys, and
this would have asked for an NSS password. This is the password you want in pin.txt for
the startup. Alternately, I think you can use systemd-ask-pass to provide this (but
it's been a while since I did this so I'm hazy on the details).
As a simple guess of things to try, copy pin.txt from your directory server instance to
the admin-serv dir and try to start it.
Alternately, you can reset the nssdb and re-import the TLS keys and certs, this time
keeping the pw.
cd /etc/dirsrv/admin-serv
echo "password" > pwdfile.txt
echo "Internal (Software) Token:PASSWORD" > pin.txt
certutil -D -d .
certutil -N -d . -f pwdfile.txt
... other import actions here.
A good source of info is my blog where I maintain a TLS help guide:
https://fy.blackhats.net.au/blog/html/pages/nss_and_openssl_command_refer...
Thanks, and I hope this helps,
On 23 Aug 2019, at 11:17, Fernando Fuentes
<ffuentes(a)aasteel.com> wrote:
After getting everything working I was able to enable SSL on the console.
But now the console is unable to start with the error:
[Thu Aug 22 15:15:35.680397 2019] [:error] [pid 25091:tid 139708987033728] Password for slot internal is incorrect.
[Thu Aug 22 15:15:35.680824 2019] [:error] [pid 25091:tid 139708987033728] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
[Thu Aug 22 15:15:35.680841 2019] [:error] [pid 25091:tid 139708987033728] SSL Library Error: -8177 The security password entered is incorrect
What password is this talking about? All of the passwords entered are correct... I am
confused... :(
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
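
Added example (not part of the original message and not 389 Directory Server tooling): a shell sketch that writes pin.txt in the "Internal (Software) Token:PASSWORD" format with owner-only permissions, as in the demo listing, and checks an existing file before a restart. The helper names write_pin and check_pin and the return codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example: create and sanity-check the NSS pin.txt described above.
# write_pin and check_pin are hypothetical helper names, not 389-ds tools.

TOKEN_PREFIX='Internal (Software) Token:'

# Write DIR/pin.txt and make sure only its owner can read it.
# Usage: write_pin DIR PASSWORD
write_pin() {
    ( umask 077 &&
      printf '%s%s\n' "$TOKEN_PREFIX" "$2" > "$1/pin.txt" &&
      chmod 600 "$1/pin.txt" )
}

# Usage: check_pin DIR
# Returns 0 ok, 1 missing, 2 group/other access, 3 wrong format,
# 4 certutil -K did not succeed using the password from pin.txt.
check_pin() {
    pin="$1/pin.txt"
    [ -f "$pin" ] || { echo "missing: $pin" >&2; return 1; }

    # Columns 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$pin" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$pin is accessible beyond its owner" >&2; return 2; }

    # First line must be the token name, a colon, then a non-empty password.
    line=''
    IFS= read -r line < "$pin" || true
    case $line in
        "$TOKEN_PREFIX"?*) pw=${line#"$TOKEN_PREFIX"} ;;
        *) echo "$pin: expected '${TOKEN_PREFIX}PASSWORD'" >&2; return 3 ;;
    esac

    # Optional: with a database present, listing keys forces a token login.
    if [ -f "$1/key4.db" ] && command -v certutil >/dev/null 2>&1; then
        tmp=$(mktemp)                      # mktemp creates the file mode 600
        printf '%s\n' "$pw" > "$tmp"
        rc=0
        certutil -K -d "sql:$1" -f "$tmp" >/dev/null 2>&1 || rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || { echo "certutil -K failed using the password from $pin" >&2; return 4; }
    fi
    return 0
}
```

Run check_pin /etc/dirsrv/admin-serv as a user that can read the directory; a return of 3 means the token name before the colon does not match, and 4 means the file is well formed but certutil could not use the password it contains.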