On 01/04/2016 10:22 AM, Phil Daws wrote:
----- On 4 Jan, 2016, at 16:45, Rich Megginson rmeggins(a)redhat.com
wrote:
> On 01/04/2016 09:23 AM, Phil Daws wrote:
>> Hello Rich,
>>
>> Have ran in debug mode and connected to the admin interface which has been
>> secured with a cert:
>>
>> {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin},
>> SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017,
>> ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20
>> 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB,
>> CN=LAB-CA}
>> JButtonFactory: button width = 54
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 54
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 72
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 72
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 54
>> JButtonFactory: button height = 20
>> JButtonFactory: button width = 72
>> HttpsChannel::select(...) - SELECT CERTIFICATE
>> Unable to create ssl socket
>> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186)
>> security library: invalid algorithm.
>> at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
>> at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
>> at com.netscape.management.client.comm.CommManager.send(Unknown Source)
>> at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
>> at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
>> at com.netscape.management.client.console.Console.authenticate_user(Unknown
>> Source)
>> at com.netscape.management.client.console.Console.<init>(Unknown Source)
>> at com.netscape.management.client.console.Console.main(Unknown Source)
>>
>> So it accepts the admin certificate fine but then shows an empty selection box
>> for a certificate ?
> Not sure what it means by "invalid algorithm" but it looks as though
> that is the root cause. The console doesn't know what to do with that
> error, so it asks you to select another cert, which is just a
> distraction at that point. Please open a ticket.
Hmm, but that "invalid algorithm" message only appeared when I clicked on
continue with no certificate showing in the selection dropdown list. The admin
certificate was accepted fine and then it showed the empty selection list.
Ok. I'm not sure what's going on. Please open a ticket.
>
>
>> Thanks, Phil
>>
>> ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins(a)redhat.com wrote:
>>
>>> On 01/04/2016 01:11 AM, Phil Daws wrote:
>>>> Any thoughts on this please ?
>>>>
>>>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Have now got to the point where it says "Select a certificate to
authenticate"
>>>>> yet the drop down box is empty.
>>> Can you run the console with -D 9 -f console.log, then check console.log
>>> to remove any sensitive information, then post that to this list? The
>>> easiest way to do this is to make a copy of the .bat file that runs the
>>> console, then add those arguments to the command line in the copy of the
>>> .bat file.
>>>
>>> I'm assuming you have not configured the admin server/directory server
>>> to require client cert authentication. If you don't know, then you
>>> probably haven't.
>>>
>>>>> If I check the NSS database it looks okay ?
>>>>>
>>>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d
"c:\Documents and
>>>>> Settings\pmdaws\.389-console" -L
>>>>>
>>>>> Certificate Nickname Trust
Attributes
>>>>>
SSL,S/MIME,JAR/XPI
>>>>>
>>>>> LAB CA Certificate CT,,
>>>>> Phil Daws p,p,p
>>>>>
>>>>> Seems as though the console is not picking them up :(
>>>>>
>>>>> Thanks, Phil
>>>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com
wrote:
>>>>>
>>>>>> On 12/15/2015 11:40 AM, Phil Daws wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Unfortunately I do not have a console under Fedora/RHEL.
>>>>>>>
>>>>>>> I can log into the Administration console fine, but when I
click on Server
>>>>>>> Group, and then double click on the Directory Server it
prompts me for the
>>>>>>> Distinguished name and password. The status is showing as:
>>>>>>>
>>>>>>> Server status: Stopped
>>>>>>> Port: 636
>>>>>>>
>>>>>>> The ports are listening fine:
>>>>>>>
>>>>>>> Active Internet connections (only servers)
>>>>>>> Proto Recv-Q Send-Q Local Address Foreign Address
State
>>>>>>> PID/Program name
>>>>>>> tcp 0 0 0.0.0.0:22 0.0.0.0:*
LISTEN
>>>>>>> 301/sshd
>>>>>>> tcp 0 0 0.0.0.0:9830 0.0.0.0:*
LISTEN
>>>>>>> 1261/httpd
>>>>>>> tcp6 0 0 :::22 :::*
LISTEN
>>>>>>> 301/sshd
>>>>>>> tcp6 0 0 :::636 :::*
LISTEN
>>>>>>> 1196/ns-slapd
>>>>>>> tcp6 0 0 :::389 :::*
LISTEN
>>>>>>> 1196/ns-slapd
>>>>>>>
>>>>>>> So am guessing it's probably due to when I enabled
"Secure Connection" in the
>>>>>>> console :(
>>>>>>>
>>>>>>> Any thoughts please ?
>>>>>> Not sure yet, but did you have a chance to see this section?
>>>>>>
http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss...
>>>>>>> Thanks, Phil
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi
nhosoi(a)redhat.com wrote:
>>>>>>>
>>>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have 389 up and running in my lab, with encryption
enabled, but when I connect
>>>>>>>>> too the Administration panel and double click on the
Directory Server it just
>>>>>>>>> hangs. The CA certificate has been imported using:
>>>>>>>>>
>>>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d
"C:\Documents and
>>>>>>>>> Settings\phild\.389-console" -n "CA
Certificate" -t CT,, -i
>>>>>>>>> d:\Downloads\CA-chain.pem -a
>>>>>>>>>
>>>>>>>>> Am I missing something obvious please ?
>>>>>>>>>
>>>>>>>>> Thanks, Phil
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> 389 users mailing list
>>>>>>>>> 389-users@%(host_name)s
>>>>>>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>>>>>> Administration URL starts with https?
>>>>>>>>
>>>>>>>> If you use Console on Fedora/RHEL, you have no problem?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> --
>>>>>>>> 389 users mailing list
>>>>>>>> 389-users@%(host_name)s
>>>>>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>>>>> --
>>>>>>> 389 users mailing list
>>>>>>> 389-users@%(host_name)s
>>>>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users@%(host_name)s
>>>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users@%(host_name)s
>>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>> --
>>>> 389 users mailing list
>>>> 389-users@%(host_name)s
>>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>> --
>>> 389 users mailing list
>>> 389-users@%(host_name)s
>>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>> --
>> 389 users mailing list
>> 389-users@%(host_name)s
>>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
> --
> 389 users mailing list
> 389-users@%(host_name)s
>
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org