I double checked my key and cert files and they are of the correct
format. Incidentally, those then correspond to the nsCertfile and
nsKeyfile attributes that are made in the config changes? It's not
real clear in the wiki. The wiki suggests that the nsKeyfile and
nsCertfile attrs include 'slapd-directory'.
I ask because I originally made the config changes by just copying and
pasting the ldif and I went back and changed them afterwards to be
'slapd-<instance name>'.
Regardless of that I'm still not able to get the directory to start
up. I'm still seeing the same error in the log ...
[03/Aug/2005:16:21:44 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting up
[03/Aug/2005:16:21:44 -0400] - SSL failure: None of the cipher are valid
I'm going to continue playing with it and research it online, but any
further advice or suggestions would be appreciated. Thanks.
- Kevin
On 8/3/05, Rich Megginson <rmeggins(a)redhat.com> wrote:
Kevin Kovach wrote:
>Adam,
>
>My entry looks the same. I'm pretty certain I have the ciphers correct now.
>
>I am curious about one thing though. In following the wiki, I did as
>suggested and converted the cert db to pkcs12 with the following
>command ...
>
>pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
>
>However, I don't see anywhere where we make FDS aware of
>servercert.pfx? I'd assume that we need to configure FDS for this
>pkcs12 db somewhere?
>
>
If you followed the other steps up until this one, then you already have
the required certs for slapd to use. You only need to export the cert
to the .pfx file if you need to import that key and cert into another
program (e.g. use openssl to convert the .pfx file to other formats).
>Also, the wiki mentions the trailing - on the -P option but does not
>go into depth on it. I'm pretty sure I executed this command
>correctly but am unsure how to double check it?
>
>
Look in your /opt/fedora-ds/alias directory. You should have files
called slapd-serverID-cert8.db and slapd-serverID-key3.db, not
slapd-serverIDcert8.db and slapd-serverIDkey3.db.
>Thanks again.
>
>- Kevin
>
>On 8/3/05, Adam Stokes <astokes(a)redhat.com> wrote:
>
>
>>dn: cn=encryption,cn=config
>>objectClass: top
>>objectClass: nsEncryptionConfig
>>cn: encryption
>>nsSSLSessionTimeout: 0
>>nsSSLClientAuth: allowed
>>nsSSL2: off
>>nsSSL3: on
>>creatorsName: cn=server,cn=plugins,cn=config
>>modifiersName: cn=directory manager
>>createTimestamp: 20050701182744Z
>>modifyTimestamp: 20050720192820Z
>>nsSSL3Ciphers:
>>-rsa_null_md5,rsa_rc4_128_md5,rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_fips_des_sha,rsa_3des_sha,rsa_fips_3des_sha,fortezza,fortezza_rc4_128_sha,fortezza_null,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha
>>nsKeyfile: alias/slapd-directory-key3.db
>>nsCertfile: alias/slapd-directory-cert8.db
>>numSubordinates: 1
>>
>>Above is my entry for reference
>>
>>On Wed, 2005-08-03 at 13:57 -0400, Kevin Kovach wrote:
>>
>>
>>>Thanks Nathan. I've made this change and again got farther than I have
before.
>>>
>>>FYI, I got that cipher list from the Wiki. That will need to be
>>>updated to contain the complete list.
>>>
>>>Although I got farther the server is still not starting up. Now it's
>>>complaining that none of the ciphers are valid? How to I ensure that
>>>I'm using a valid cypher? Here's the error I'm seeing in the
error
>>>log ...
>>>
>>>[03/Aug/2005:13:56:23 -0400] - Fedora-Directory/7.1 B2005.201.2115 starting
up
>>>[03/Aug/2005:13:56:23 -0400] - SSL failure: None of the cipher are valid
>>>
>>>Thanks again for the help.
>>>
>>>- Kevin
>>>
>>>
>>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>
>
>
>
--
Take back the web,
http://www.switch2firefox.com/