[389-users] dirsrv-admin startup issues with SSL/TLS configuration

Rich Megginson rmeggins at redhat.com
Wed Aug 1 16:17:19 UTC 2012


On 08/01/2012 08:17 AM, Arnold Werschky wrote:
> Good morning,
>
> I'm trying to set up a new install LDAP server with self signed 
> TLS/SSL on CentOS 6.2
>
> My install using setup-ds-admin.pl was 
> typical, and I was able to login to the 389-Console after installation.
>
> At that point I downloaded the script from richm : 
> https://github.com/richm/scripts/blob/master/setupssl2.sh
>
> I received two errors during its run (full output is at the bottom).
>
>     pk12util: Failed to authenticate to PKCS11 slot: The security
>     password entered is incorrect.
>     pk12util: Failed to authenticate to "NSS User Private Key and
>     Certificate Services": The user pressed cancel.
>
>
> start-ds-admin now fails to start, with the following error messages 
> in /var/log/dirsrv/admin-serv/error
>
>     [Tue Jul 31 16:34:09 2012] [error] Password for slot internal is
>     incorrect.
>     [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed.
>     Certificate database: /etc/dirsrv/admin-serv.
>     [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The
>     security password entered is incorrect:
>
>
> I've searched for the SSL Library error to no avail.  If anyone can 
> give me a starting point I'd appreciate it.
>
>
> ***************************************************************************
> setupssl2.sh output
> ***************************************************************************
>
> Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
> No CA certificate found - will create new one
> No Server Cert found - will create new one
> No Admin Server Cert found - will create new one
> Creating password file for security token
> Creating noise file
> Creating new key and cert db
> Creating encryption key for CA
>
>
> Generating key.  This may take a few moments...
>
> Creating self-signed CA certificate
>
>
> Generating key.  This may take a few moments...
>
> Is this a CA certificate [y/N]?
> Enter the path length constraint, enter to skip [<0 for unlimited 
> path]:
> Is this a critical extension [y/N]?
> Exporting the CA certificate to cacert.asc
> Generating server certificate for 389 Directory Server on host 
> ldap.xxxxx.com
> Using fully qualified hostname ldap.xxxxx.com 
> for the server name in the server cert subject DN
> Note: If you do not want to use this hostname, edit this script to 
> change myhost to the
> real hostname you want to use
>
>
> Generating key.  This may take a few moments...
>
> Creating the admin server certificate
>
>
> Generating key.  This may take a few moments...
>
> Exporting the admin server certificate pk12 file
> pk12util: PKCS12 EXPORT SUCCESSFUL
> Creating pin file for directory server
> Importing the admin server key and cert (created above)
> Incorrect password/PIN entered.
> pk12util: Failed to authenticate to PKCS11 slot: The security password 
> entered is incorrect.
> pk12util: Failed to authenticate to "NSS User Private Key and 
> Certificate Services": The user pressed cancel.
Hmm - this is really strange.
ls -al /etc/dirsrv/slapd-*
ls -al /etc/dirsrv/admin-serv
> Importing the CA certificate from cacert.asc
> Enabling the use of a password file in admin server
> Turning on NSSEngine
> Use ldaps for config ds connections
> Enabling SSL in the directory server
> when prompted, provide the directory manager password
> Password:
> modifying entry "cn=encryption,cn=config"
>
> modifying entry "cn=config"
>
> adding new entry "cn=RSA,cn=encryption,cn=config"
>
> Enabling SSL in the admin server
> modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server 
> Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>
> modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 
> Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>
> Done.  You must restart the directory server and the admin server for 
> the changes to take effect.
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
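
An added check, written for this thread and not taken from the original post, from Rich's reply, or from setupssl2.sh: before restarting either server after a failed run like the one above, confirm that the password file each instance reads at startup actually unlocks the NSS key database in that instance's security directory. That mismatch is exactly what "Password for slot internal is incorrect" and SSL Library Error -8177 mean. The script assumes (these details are not on the page) that the directory server stores its token password in <secdir>/pin.txt as "Internal (Software) Token:<password>", that the admin server stores it in /etc/dirsrv/admin-serv/password.conf as "internal:<password>", and that certutil from nss-tools is installed.

```shell
#!/bin/sh
# Added example (not part of the original thread or of setupssl2.sh).
# Verifies that the token password stored in a pin.txt / password.conf style
# file unlocks the NSS key/cert database in the given security directory.
# File names and formats below are assumptions, not taken from the page.

# token_password FILE
#   Prints the password that follows the first ':' on the first line of a
#   "Internal (Software) Token:pw" (pin.txt) or "internal:pw" (password.conf)
#   file. Returns 1 if the file has no such line.
token_password() {
  pw=$(sed -n '1s/^[^:]*:\(.*\)$/\1/p' "$1")
  [ -n "$pw" ] || return 1
  printf '%s\n' "$pw"
}

# nss_pw_check SECDIR PWFILE
#   0: the password in PWFILE unlocks the key DB in SECDIR
#   1: NSS rejected the password (the failure mode in this thread)
#   2: the check could not be run (bad paths, unparsable file, no certutil)
nss_pw_check() {
  secdir=$1
  pwfile=$2
  [ -d "$secdir" ] || { echo "nss_pw_check: no such directory: $secdir" >&2; return 2; }
  [ -r "$pwfile" ] || { echo "nss_pw_check: cannot read $pwfile" >&2; return 2; }
  command -v certutil >/dev/null 2>&1 \
    || { echo "nss_pw_check: certutil not installed (nss-tools)" >&2; return 2; }
  pw=$(token_password "$pwfile") \
    || { echo "nss_pw_check: no 'token:password' line in $pwfile" >&2; return 2; }

  # certutil -f wants a file containing only the password, so write one with
  # restrictive permissions and delete it as soon as certutil has read it.
  tmp=$(mktemp) || return 2
  chmod 600 "$tmp"
  printf '%s' "$pw" > "$tmp"
  # -K lists private keys; it has to authenticate to the token first, so a
  # bad password shows up as SEC_ERROR_BAD_PASSWORD (-8177) in its output.
  out=$(certutil -K -d "$secdir" -f "$tmp" 2>&1)
  rc=$?
  rm -f "$tmp"

  case $out in
    *SEC_ERROR_BAD_PASSWORD*|*"password entered is incorrect"*) return 1 ;;
    # Authenticated fine, the DB just holds no keys yet.
    *"no keys found"*) return 0 ;;
  esac
  [ "$rc" -eq 0 ] && return 0
  echo "$out" >&2
  return 2
}

# Usage (conventional paths; adjust for your instance):
#   nss_pw_check /etc/dirsrv/slapd-ldap-xxxxx /etc/dirsrv/slapd-ldap-xxxxx/pin.txt
#   nss_pw_check /etc/dirsrv/admin-serv /etc/dirsrv/admin-serv/password.conf
```

Run it once per instance; an exit status of 1 on the admin-serv directory reproduces the startup failure from the log above without restarting anything, and tells you which of the two files to fix (or which database to re-create with the password the file holds).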
