[389-users] dirsrv-admin startup issues with SSL/TLS configuration
Rich Megginson
rmeggins at redhat.com
Wed Aug 1 19:12:52 UTC 2012
On 08/01/2012 10:27 AM, Arnold Werschky wrote:
> As an aside, I can get rid of the errors on the setupssl2.sh script by
> making the following change...but I don't know if it's a change I
> should be making.
Yes, that looks correct. Not sure when/how that was broken.
>
> [root at ldap ~]# diff setupssl2.sh setupssl2.sh.orig
> 185c185
> < pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w
> $secdir/pwdfile.txt -k $secdir/pwdfile.txt
> ---
> > pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12
> -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
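Review bot: the only thing this hunk changes is the `-d` target of the import (`$assecdir` becomes `$secdir`; because the diff was run as `diff setupssl2.sh setupssl2.sh.orig`, the `<` line is the edited one), so the admin server's key and cert are imported back into the directory server's own database instead of into the admin server's `/etc/dirsrv/admin-serv`, and that database never receives `server-cert`. The error the change silences is a slot authentication failure, which points at `$secdir/pwdfile.txt` not matching the password already set on the admin-serv `cert8.db`/`key3.db` (the listing below shows an admin-serv `secmod.db` dated Jul 27, before the Jul 31 run, so that database predates the script). The change to try is to make the admin-serv database accept the same password file (or recreate it) while keeping `-d $assecdir`, rather than redirecting the import.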
>
> *********************************************************************
> results of commands requested:
> *********************************************************************
> [root at ldap ~]# ls -al /etc/dirsrv/slapd-*
> total 472
> drwxrwx--- 3 ldap ldap 4096 Jul 31 15:01 .
> drwxrwxr-x 7 root ldap 4096 Jul 31 14:03 ..
> -r-------- 1 ldap ldap 2114 Jul 31 14:36 adminserver.p12
> -rw-r--r-- 1 ldap root 647 Jul 31 14:36 cacert.asc
> -rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db
> -r--r----- 1 ldap ldap 3595 Jul 31 13:19 certmap.conf
> -rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif
> -rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
> -rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
> -r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
> -rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db
> -r-------- 1 ldap ldap 41 Jul 31 14:36 noise.txt
> -rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
> -r-------- 1 ldap ldap 67 Jul 31 14:36 pin.txt
> -r-------- 1 ldap ldap 41 Jul 31 14:36 pwdfile.txt
> drwxrwx--- 2 ldap ldap 4096 Jul 31 15:01 schema
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db
> -r--r----- 1 ldap ldap 5366 Jul 31 13:19 slapd-collations.conf
> [root at ldap ~]# ls -al /etc/dirsrv/admin-serv
> total 196
> drwx------ 2 ldap root 4096 Jul 31 15:27 .
> drwxrwxr-x 7 root ldap 4096 Jul 31 14:03 ..
> -rw------- 1 ldap ldap 498 Jul 31 14:36 adm.conf
> -rw------- 1 ldap root 40 Jul 31 13:19 admpw
> -rw-r--r-- 1 root root 3936 Mar 27 08:33 admserv.conf
> -rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db
> -rw------- 1 ldap ldap 4467 Jul 31 14:36 console.conf
> -rw------- 1 ldap root 4467 Jul 27 18:42 console.conf.rpmsave
> -rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf
> -rw------- 1 ldap root 16384 Jul 31 16:05 key3.db
> -rw------- 1 ldap root 13343 Jul 31 13:19 local.conf
> -r-------- 1 ldap ldap 4535 Jul 31 14:36 nss.conf
> -rw------- 1 ldap root 4535 Jul 27 16:20 nss.conf.rpmsave
> -rw------- 1 ldap root 50 Jul 31 15:27 password.conf
> -rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db
>
> On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> On 08/01/2012 08:17 AM, Arnold Werschky wrote:
>> Good morning,
>>
>> I'm trying to set up a new install LDAP server with self signed
>> TLS/SSL on CentOS 6.2
>>
>> My install using setup-ds-admin.pl was typical, and I was able to login
>> to the 389-Console after installation.
>>
>> At that point I downloaded the script from richm :
>> https://github.com/richm/scripts/blob/master/setupssl2.sh
>>
>> I received two errors during its run (full output is at the bottom).
>>
>> pk12util: Failed to authenticate to PKCS11 slot: The security
>> password entered is incorrect.
>> pk12util: Failed to authenticate to "NSS User Private Key and
>> Certificate Services": The user pressed cancel.
>>
>>
>> start-ds-admin now fails to start, with the following error
>> messages in /var/log/dirsrv/admin-serv/error
>>
>> [Tue Jul 31 16:34:09 2012] [error] Password for slot internal
>> is incorrect.
>> [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed.
>> Certificate database: /etc/dirsrv/admin-serv.
>> [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177
>> The security password entered is incorrect:
>>
>>
>> I've searched for the SSL Library error to no avail. If anyone
>> can give me a starting point I'd appreciate it.
>>
>>
>> ***************************************************************************
>> setupssl2.sh output
>> ***************************************************************************
>>
>> Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
>> No CA certificate found - will create new one
>> No Server Cert found - will create new one
>> No Admin Server Cert found - will create new one
>> Creating password file for security token
>> Creating noise file
>> Creating new key and cert db
>> Creating encryption key for CA
>>
>>
>> Generating key. This may take a few moments...
>>
>> Creating self-signed CA certificate
>>
>>
>> Generating key. This may take a few moments...
>>
>> Is this a CA certificate [y/N]?
>> Enter the path length constraint, enter to skip [<0 for unlimited
>> path]: > Is this a critical extension [y/N]?
>> Exporting the CA certificate to cacert.asc
>> Generating server certificate for 389 Directory Server on host
>> ldap.xxxxx.com
>> Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert
>> subject DN
>> Note: If you do not want to use this hostname, edit this script
>> to change myhost to the
>> real hostname you want to use
>>
>>
>> Generating key. This may take a few moments...
>>
>> Creating the admin server certificate
>>
>>
>> Generating key. This may take a few moments...
>>
>> Exporting the admin server certificate pk12 file
>> pk12util: PKCS12 EXPORT SUCCESSFUL
>> Creating pin file for directory server
>> Importing the admin server key and cert (created above)
>> Incorrect password/PIN entered.
>> pk12util: Failed to authenticate to PKCS11 slot: The security
>> password entered is incorrect.
>> pk12util: Failed to authenticate to "NSS User Private Key and
>> Certificate Services": The user pressed cancel.
> Hmm - this is really strange.
> ls -al /etc/dirsrv/slapd-*
> ls -al /etc/dirsrv/admin-serv
>> Importing the CA certificate from cacert.asc
>> Enabling the use of a password file in admin server
>> Turning on NSSEngine
>> Use ldaps for config ds connections
>> Enabling SSL in the directory server
>> when prompted, provide the directory manager password
>> Password:modifying entry "cn=encryption,cn=config"
>>
>> modifying entry "cn=config"
>>
>> adding new entry "cn=RSA,cn=encryption,cn=config"
>>
>> Enabling SSL in the admin server
>> modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory
>> Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>>
>> modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389
>> Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>>
>> Done. You must restart the directory server and the admin server
>> for the changes to take effect.
>>
>>
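An added example (my own, not code from the thread or from the setupssl2.sh script): a POSIX shell check to run before a `pk12util -i ... -k <pwfile>` import. It reports whether the password file unlocks each NSS database the script touches, which is exactly the condition that failed in the thread, and whether the file itself is private. It assumes nss-tools (`certutil`) is installed and the layout shown in the listing above (`/etc/dirsrv/slapd-<instance>/pwdfile.txt` and `/etc/dirsrv/admin-serv`); the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the thread or of setupssl2.sh.
# Checks that an NSS password file opens the databases an import would
# touch, so a mismatch shows up here instead of as a failed pk12util run.

# nss_db_unlocks DBDIR PWFILE
#   returns 0 if PWFILE opens the key database in DBDIR,
#           1 if NSS rejects the password (the failure seen in the thread),
#           2 if DBDIR or PWFILE does not exist, 3 if certutil is missing,
#           4 if certutil failed for some other reason ($err holds its text)
nss_db_unlocks() {
    dbdir=$1; pwfile=$2
    [ -d "$dbdir" ] && [ -f "$pwfile" ] || return 2
    command -v certutil >/dev/null 2>&1 || return 3
    # -K lists private keys and therefore has to log in to the token.
    # Capture stderr only: an empty database answers "no keys found",
    # which is not a password failure.
    err=$(certutil -K -d "$dbdir" -f "$pwfile" 2>&1 >/dev/null) && return 0
    case $err in
        *assword*)          return 1 ;;   # "security password entered is incorrect"
        *"no keys found"*)  return 0 ;;
        *)                  return 4 ;;
    esac
}

# pwfile_is_private FILE: 0 when group and others have no permission bits,
# i.e. the mode looks like the -r-------- pwdfile.txt in the listing
pwfile_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# report_db LABEL DBDIR PWFILE: one line per database, never aborts the script
report_db() {
    rc=0; nss_db_unlocks "$2" "$3" || rc=$?
    case $rc in
        0) msg="password file unlocks this database" ;;
        1) msg="password REJECTED: pk12util/certutil -d $2 will fail with this file" ;;
        2) msg="database directory or password file not found" ;;
        3) msg="certutil not installed (nss-tools)" ;;
        *) msg="certutil failed for another reason: $err" ;;
    esac
    printf '%-12s %s: %s\n' "$1" "$2" "$msg"
}

# Top level: walk the directory server instances and check the admin server
# database with each instance's password file, mirroring what the script's
# import step relies on. Harmless on a host without a 389-ds install.
for secdir in /etc/dirsrv/slapd-*; do
    [ -d "$secdir" ] || continue
    pwfile=$secdir/pwdfile.txt
    if [ -f "$pwfile" ] && ! pwfile_is_private "$pwfile"; then
        echo "WARNING: $pwfile is readable by group/others"
    fi
    report_db "directory" "$secdir" "$pwfile"
    report_db "admin-serv" /etc/dirsrv/admin-serv "$pwfile"
done
```

Run it as root on the 389 host before running setupssl2.sh: a "password REJECTED" line for the admin-serv database with the directory server's pwdfile.txt is the condition that produced the pk12util errors in the thread.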