[389-users] dirsrv-admin startup issues with SSL/TLS configuration
Arnold Werschky
ag+389 at amergint.com
Wed Aug 1 14:17:10 UTC 2012
Good morning,
I'm trying to set up a new install LDAP server with self signed TLS/SSL on
CentOS 6.2
My install using setup-ds-admin.pl was typical, and I was able to login to
the 389-Console after installation.
At that point I downloaded the script from richm :
https://github.com/richm/scripts/blob/master/setupssl2.sh
I received two errors during its run (full output is at the bottom).
pk12util: Failed to authenticate to PKCS11 slot: The security password
entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate
Services": The user pressed cancel.
start-ds-admin now fails to start, with the following error messages in
/var/log/dirsrv/admin-serv/error
[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate
database: /etc/dirsrv/admin-serv.
[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security
password entered is incorrect:
I've searched for the SSL Library error to no avail. If anyone can give me
a starting point I'd appreciate it.
***************************************************************************
setupssl2.sh output
***************************************************************************
Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA
Generating key. This may take a few moments...
Creating self-signed CA certificate
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host
ldap.xxxxx.com
Using fully qualified hostname ldap.xxxxx.com for the server name in the
server cert subject DN
Note: If you do not want to use this hostname, edit this script to change
myhost to the
real hostname you want to use
Generating key. This may take a few moments...
Creating the admin server certificate
Generating key. This may take a few moments...
Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Importing the admin server key and cert (created above)
Incorrect password/PIN entered.
pk12util: Failed to authenticate to PKCS11 slot: The security password
entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate
Services": The user pressed cancel.
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Turning on NSSEngine
Use ldaps for config ds connections
Enabling SSL in the directory server
when prompted, provide the directory manager password
Password:modifying entry "cn=encryption,cn=config"
modifying entry "cn=config"
adding new entry "cn=RSA,cn=encryption,cn=config"
Enabling SSL in the admin server
modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server
Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration
Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
Done. You must restart the directory server and the admin server for the
changes to take effect.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120801/8dbdbaba/attachment.html>
More information about the 389-users
mailing list