[389-users] dirsrv-admin startup issues with SSL/TLS configuration

Rich Megginson rmeggins at redhat.com
Wed Aug 1 19:12:52 UTC 2012 

On 08/01/2012 10:27 AM, Arnold Werschky wrote:
> As an aside, I can get rid of the errors on the setupssl2.sh script by 
> making the following change...but I don't know if its a change I 
> should be making.
Yes, that looks correct.  Not sure when/how that was broken.
>
> [root at ldap ~]# diff setupssl2.sh setupssl2.sh.orig
> 185c185
> <     pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w 
> $secdir/pwdfile.txt -k $secdir/pwdfile.txt
> ---
> >     pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 
> -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
>
> *********************************************************************
> results of commands requested:
> *********************************************************************
> root at ldap ~]# ls -al /etc/dirsrv/slapd-*
> total 472
> drwxrwx--- 3 ldap ldap  4096 Jul 31 15:01 .
> drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..
> -r-------- 1 ldap ldap  2114 Jul 31 14:36 adminserver.p12
> -rw-r--r-- 1 ldap root   647 Jul 31 14:36 cacert.asc
> -rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db
> -r--r----- 1 ldap ldap  3595 Jul 31 13:19 certmap.conf
> -rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif
> -rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
> -rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
> -r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
> -rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db
> -r-------- 1 ldap ldap    41 Jul 31 14:36 noise.txt
> -rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
> -r-------- 1 ldap ldap    67 Jul 31 14:36 pin.txt
> -r-------- 1 ldap ldap    41 Jul 31 14:36 pwdfile.txt
> drwxrwx--- 2 ldap ldap  4096 Jul 31 15:01 schema
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db
> -r--r----- 1 ldap ldap  5366 Jul 31 13:19 slapd-collations.conf
> [root at ldap ~]# ls -al /etc/dirsrv/admin-serv
> total 196
> drwx------ 2 ldap root  4096 Jul 31 15:27 .
> drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..
> -rw------- 1 ldap ldap   498 Jul 31 14:36 adm.conf
> -rw------- 1 ldap root    40 Jul 31 13:19 admpw
> -rw-r--r-- 1 root root  3936 Mar 27 08:33 admserv.conf
> -rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db
> -rw------- 1 ldap ldap  4467 Jul 31 14:36 console.conf
> -rw------- 1 ldap root  4467 Jul 27 18:42 console.conf.rpmsave
> -rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf
> -rw------- 1 ldap root 16384 Jul 31 16:05 key3.db
> -rw------- 1 ldap root 13343 Jul 31 13:19 local.conf
> -r-------- 1 ldap ldap  4535 Jul 31 14:36 nss.conf
> -rw------- 1 ldap root  4535 Jul 27 16:20 nss.conf.rpmsave
> -rw------- 1 ldap root    50 Jul 31 15:27 password.conf
> -rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db
>
> On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 08/01/2012 08:17 AM, Arnold Werschky wrote:
>>     Good morning,
>>
>>     I'm trying to set up a new install LDAP server with self signed
>>     TLS/SSL on CentOS 6.2
>>
>>     My install using setup-ds-admin.pl
>>     <http://setup-ds-admin.pl/> was typical, and I was able to login
>>     to the 389-Console after installation.
>>
>>     At that point I downloaded the script from richm :
>>     https://github.com/richm/scripts/blob/master/setupssl2.sh
>>
>>     I received two errors during its run (full output is at the bottom).
>>
>>         pk12util: Failed to authenticate to PKCS11 slot: The security
>>         password entered is incorrect.
>>         pk12util: Failed to authenticate to "NSS User Private Key and
>>         Certificate Services": The user pressed cancel.
>>
>>
>>     start-ds-admin now fails to start, with the following error
>>     messages in /var/log/dirsrv/admin-serv/error
>>
>>         [Tue Jul 31 16:34:09 2012] [error] Password for slot internal
>>         is incorrect.
>>         [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed.
>>         Certificate database: /etc/dirsrv/admin-serv.
>>         [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177
>>         The security password entered is incorrect:
>>
>>
>>     I've searched for the SSL Library error to no avail.  If anyone
>>     can give me a starting point I'd appreciate it.
>>
>>
>>     ***************************************************************************
>>     setupssl2.sh output
>>     ***************************************************************************
>>
>>     Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
>>     No CA certificate found - will create new one
>>     No Server Cert found - will create new one
>>     No Admin Server Cert found - will create new one
>>     Creating password file for security token
>>     Creating noise file
>>     Creating new key and cert db
>>     Creating encryption key for CA
>>
>>
>>     Generating key.  This may take a few moments...
>>
>>     Creating self-signed CA certificate
>>
>>
>>     Generating key.  This may take a few moments...
>>
>>     Is this a CA certificate [y/N]?
>>     Enter the path length constraint, enter to skip [<0 for unlimited
>>     path]: > Is this a critical extension [y/N]?
>>     Exporting the CA certificate to cacert.asc
>>     Generating server certificate for 389 Directory Server on host
>>     ldap.xxxxx.com <http://ldap.xxxxx.com/>
>>     Using fully qualified hostname ldap.xxxxx.com
>>     <http://ldap.xxxxx.com/> for the server name in the server cert
>>     subject DN
>>     Note: If you do not want to use this hostname, edit this script
>>     to change myhost to the
>>     real hostname you want to use
>>
>>
>>     Generating key.  This may take a few moments...
>>
>>     Creating the admin server certificate
>>
>>
>>     Generating key.  This may take a few moments...
>>
>>     Exporting the admin server certificate pk12 file
>>     pk12util: PKCS12 EXPORT SUCCESSFUL
>>     Creating pin file for directory server
>>     Importing the admin server key and cert (created above)
>>     Incorrect password/PIN entered.
>>     pk12util: Failed to authenticate to PKCS11 slot: The security
>>     password entered is incorrect.
>>     pk12util: Failed to authenticate to "NSS User Private Key and
>>     Certificate Services": The user pressed cancel.
>     Hmm - this is really strange.
>     ls -al /etc/dirsrv/slapd-*
>     ls -al /etc/dirsrv/admin-serv
>>     Importing the CA certificate from cacert.asc
>>     Enabling the use of a password file in admin server
>>     Turning on NSSEngine
>>     Use ldaps for config ds connections
>>     Enabling SSL in the directory server
>>     when prompted, provide the directory manager password
>>     Password:modifying entry "cn=encryption,cn=config"
>>
>>     modifying entry "cn=config"
>>
>>     adding new entry "cn=RSA,cn=encryption,cn=config"
>>
>>     Enabling SSL in the admin server
>>     modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory
>>     Server,cn=Server Group,cn=ldap.xxxxx.com
>>     <http://ldap.xxxxx.com/>,ou=xxxxx,o=NetscapeRoot"
>>
>>     modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389
>>     Administration Server,cn=Server Group,cn=ldap.xxxxx.com
>>     <http://ldap.xxxxx.com/>,ou=xxxxx,o=NetscapeRoot"
>>
>>     Done.  You must restart the directory server and the admin server
>>     for the changes to take effect.
>>
>>
>>     --
>>     389 users mailing list
>>     389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
>>     https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120801/9ff66526/attachment.html>

More information about the 389-users mailing list