[389-users] dirsrv-admin startup issues with SSL/TLS configuration [solved]

Arnold Werschky ag+389 at amergint.com
Thu Aug 2 15:15:16 UTC 2012


This issue was solved with a total reinstall.  I believe I had messed up
the configuration somehow with trying to install multiple times.

In addition, the script should not be corrected, as it worked just fine.

Thank you very much for your assistance, and patience.

On Wed, Aug 1, 2012 at 1:12 PM, Rich Megginson <rmeggins at redhat.com> wrote:

> On 08/01/2012 10:27 AM, Arnold Werschky wrote:
>
> As an aside, I can get rid of the errors on the setupssl2.sh script by
> making the following change...but I don't know if it's a change I should be
> making.
>
> Yes, that looks correct.  Not sure when/how that was broken.
>
>
> [root at ldap ~]# diff setupssl2.sh setupssl2.sh.orig
> 185c185
> <     pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w
> $secdir/pwdfile.txt -k $secdir/pwdfile.txt
> ---
> >     pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w
> $secdir/pwdfile.txt -k $secdir/pwdfile.txt
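Review bot: the change at line 185 swaps the target database (`-d $assecdir` to `-d $secdir`) but leaves both `-w` and `-k` pointing at `$secdir/pwdfile.txt`, so it does not address the password mismatch; it only redirects the admin server key/cert import into the directory server's database, while /etc/dirsrv/admin-serv, the database the admin server reports in "NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv", still receives nothing. Keep `$assecdir` and instead check that the admin-serv cert8.db/key3.db were initialised with the password in `$secdir/pwdfile.txt` (the listing shows them rewritten at 16:05, well after pwdfile.txt at 14:36), which is consistent with the follow-up that the unmodified script worked after a clean reinstall.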
>
>  *********************************************************************
> results of commands requested:
> *********************************************************************
> [root at ldap ~]# ls -al /etc/dirsrv/slapd-*
> total 472
> drwxrwx--- 3 ldap ldap  4096 Jul 31 15:01 .
> drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..
> -r-------- 1 ldap ldap  2114 Jul 31 14:36 adminserver.p12
> -rw-r--r-- 1 ldap root   647 Jul 31 14:36 cacert.asc
> -rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db
> -r--r----- 1 ldap ldap  3595 Jul 31 13:19 certmap.conf
> -rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif
> -rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
> -rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
> -r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
> -rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db
> -r-------- 1 ldap ldap    41 Jul 31 14:36 noise.txt
> -rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
> -r-------- 1 ldap ldap    67 Jul 31 14:36 pin.txt
> -r-------- 1 ldap ldap    41 Jul 31 14:36 pwdfile.txt
> drwxrwx--- 2 ldap ldap  4096 Jul 31 15:01 schema
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db
> -r--r----- 1 ldap ldap  5366 Jul 31 13:19 slapd-collations.conf
> [root at ldap ~]# ls -al /etc/dirsrv/admin-serv
> total 196
> drwx------ 2 ldap root  4096 Jul 31 15:27 .
> drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..
> -rw------- 1 ldap ldap   498 Jul 31 14:36 adm.conf
> -rw------- 1 ldap root    40 Jul 31 13:19 admpw
> -rw-r--r-- 1 root root  3936 Mar 27 08:33 admserv.conf
> -rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db
> -rw------- 1 ldap ldap  4467 Jul 31 14:36 console.conf
> -rw------- 1 ldap root  4467 Jul 27 18:42 console.conf.rpmsave
> -rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf
> -rw------- 1 ldap root 16384 Jul 31 16:05 key3.db
> -rw------- 1 ldap root 13343 Jul 31 13:19 local.conf
> -r-------- 1 ldap ldap  4535 Jul 31 14:36 nss.conf
> -rw------- 1 ldap root  4535 Jul 27 16:20 nss.conf.rpmsave
> -rw------- 1 ldap root    50 Jul 31 15:27 password.conf
> -rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db
>
> On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
>> On 08/01/2012 08:17 AM, Arnold Werschky wrote:
>>
>> Good morning,
>>
>>  I'm trying to set up a new install LDAP server with self signed TLS/SSL
>> on CentOS 6.2
>>
>>  My install using setup-ds-admin.pl was typical, and I was able to login
>> to the 389-Console after installation.
>>
>>  At that point I downloaded the script from richm :
>> https://github.com/richm/scripts/blob/master/setupssl2.sh
>>
>>  I received two errors during its run (full output is at the bottom).
>>
>>  pk12util: Failed to authenticate to PKCS11 slot: The security password
>> entered is incorrect.
>> pk12util: Failed to authenticate to "NSS User Private Key and Certificate
>> Services": The user pressed cancel.
>>
>>
>>  start-ds-admin now fails to start, with the following error messages in
>> /var/log/dirsrv/admin-serv/error
>>
>>  [Tue Jul 31 16:34:09 2012] [error] Password for slot internal is
>> incorrect.
>> [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate
>> database: /etc/dirsrv/admin-serv.
>> [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security
>> password entered is incorrect:
>>
>>
>>  I've searched for the SSL Library error to no avail.  If anyone can
>> give me a starting point I'd appreciate it.
>>
>>
>>
>> ***************************************************************************
>> setupssl2.sh output
>> ***************************************************************************
>>
>>  Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
>> No CA certificate found - will create new one
>> No Server Cert found - will create new one
>> No Admin Server Cert found - will create new one
>> Creating password file for security token
>> Creating noise file
>> Creating new key and cert db
>> Creating encryption key for CA
>>
>>
>>  Generating key.  This may take a few moments...
>>
>>  Creating self-signed CA certificate
>>
>>
>>  Generating key.  This may take a few moments...
>>
>>  Is this a CA certificate [y/N]?
>> Enter the path length constraint, enter to skip [<0 for unlimited path]:
>> > Is this a critical extension [y/N]?
>> Exporting the CA certificate to cacert.asc
>> Generating server certificate for 389 Directory Server on host
>> ldap.xxxxx.com
>> Using fully qualified hostname ldap.xxxxx.com for the server name in the
>> server cert subject DN
>> Note: If you do not want to use this hostname, edit this script to change
>> myhost to the
>> real hostname you want to use
>>
>>
>>  Generating key.  This may take a few moments...
>>
>>  Creating the admin server certificate
>>
>>
>>  Generating key.  This may take a few moments...
>>
>>  Exporting the admin server certificate pk12 file
>> pk12util: PKCS12 EXPORT SUCCESSFUL
>> Creating pin file for directory server
>> Importing the admin server key and cert (created above)
>> Incorrect password/PIN entered.
>> pk12util: Failed to authenticate to PKCS11 slot: The security password
>> entered is incorrect.
>> pk12util: Failed to authenticate to "NSS User Private Key and Certificate
>> Services": The user pressed cancel.
>>
>>  Hmm - this is really strange.
>> ls -al /etc/dirsrv/slapd-*
>> ls -al /etc/dirsrv/admin-serv
>>
>>  Importing the CA certificate from cacert.asc
>> Enabling the use of a password file in admin server
>> Turning on NSSEngine
>> Use ldaps for config ds connections
>> Enabling SSL in the directory server
>> when prompted, provide the directory manager password
>> Password:modifying entry "cn=encryption,cn=config"
>>
>>  modifying entry "cn=config"
>>
>>  adding new entry "cn=RSA,cn=encryption,cn=config"
>>
>>  Enabling SSL in the admin server
>> modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server
>> Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>>
>>  modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389
>> Administration Server,cn=Server Group,cn=ldap.xxxxx.com
>> ,ou=xxxxx,o=NetscapeRoot"
>>
>>  Done.  You must restart the directory server and the admin server for
>> the changes to take effect.
>>
>>
>>  --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>
>
>
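A pre-flight check that could be run before setupssl2.sh reaches its "Importing the admin server key and cert" step, written here as an added example (it is not from the thread and not part of richm's script). It assumes the directory layout shown in the listings above, the thread's redacted instance name ldap-xxxxx, and that `certutil -K -d DIR -f PWFILE` is used to prove the password file unlocks each NSS database.

```shell
#!/bin/sh
# Added example, not part of setupssl2.sh or the thread: a pre-flight check to
# run before the "Importing the admin server key and cert" step. It verifies
# that pwdfile.txt is private and that its password unlocks BOTH NSS databases
# the script touches, so a mismatch is caught before pk12util fails with the
# -8177 error seen above. Instance name is the thread's redacted one (assumed).
INSTANCE="${INSTANCE:-ldap-xxxxx}"
SECDIR="/etc/dirsrv/slapd-$INSTANCE"      # directory server NSS db + pwdfile.txt
ASSECDIR="/etc/dirsrv/admin-serv"         # admin server NSS db
PWDFILE="$SECDIR/pwdfile.txt"

# Map an NSS tool error line to a cause; the messages are those in the thread.
classify_nss_error() {
    case "$1" in
        *"security password entered is incorrect"*|*-8177*|*"slot internal is incorrect"*)
            echo bad-password ;;
        *"user pressed cancel"*) echo no-password-supplied ;;
        *"NSS initialization failed"*) echo nss-init ;;
        *) echo unknown ;;
    esac
}

# 0 if FILE is readable only by its owner (mode 400 or 600), 1 otherwise. A
# token password file readable by group/world is a credential leak (GNU stat).
pwfile_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# 0 if certutil -K can list the private keys in DIR using PWFILE, i.e. the
# password matches that database's internal token; 2 if certutil is missing.
# Assumes the database already holds at least one key, as in the thread.
nss_db_unlocks() {
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -K -d "$1" -f "$2" >/dev/null 2>&1
}

preflight() {
    pwfile_private "$PWDFILE" || { echo "refusing: $PWDFILE is not owner-only"; return 1; }
    for d in "$SECDIR" "$ASSECDIR"; do
        rc=0; nss_db_unlocks "$d" "$PWDFILE" || rc=$?
        case $rc in
            0) echo "ok: $PWDFILE unlocks $d" ;;
            2) echo "certutil not installed"; return 2 ;;
            *) echo "mismatch: $PWDFILE does not unlock $d; pk12util -d $d would fail"; return 1 ;;
        esac
    done
}

if [ "${1:-}" = run ]; then preflight; fi
```

Run it as `sh preflight.sh run` on the server; a "mismatch" line for /etc/dirsrv/admin-serv is the condition that produced the pk12util and start-ds-admin errors quoted above.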