[389-users] dirsrv-admin with existing (remote) configuration server using SSL

Rich Megginson rmeggins at redhat.com
Wed Feb 8 15:43:07 UTC 2012


On 02/08/2012 07:20 AM, MATON Brett wrote:
>
> Installation appears to go fine until it tries to start the admin server:
>
> Configuration directory server URL [ldap://<local FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
>
> ...
>
> CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
>
> ...
>
> output: Server failed to start !!! Please check errors log for problems
>
> output:                                                    [FAILED]
>
> /var/log/dirsrv/admin-serv/error:
>
> [Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd 
> running as context unconfined_u:system_r:httpd_t:s0
>
> [Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use 
> LDAPS, but security initialization failed [-12285:Unable to find the 
> certificate or key necessary for authentication.].  Cannot start server
>
> The server, has however successfully registered itself with the remote 
> Configuration Directory Server.
>
> (shows up in the server group in 389-Console and Directory Server is 
> available).
>
> I wasn't asked to provide a keystore password when adding the 
> certificate to the store, as you would be with the 389-Console GUI when 
> first opening the certificate store.
>
> Is that intentional or not?
>
> I'm now a bit stumped (again), I had a look at the certdb with certutil:
>
> [root@<host> admin-serv]# certutil -d . -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CT,,
>
> Which leads me to believe that it should be able to at least find the 
> certificate...
>
> I also checked file/directory ownership and permissions which match 
> those on the working 'master' server.
>
> Installer issue:
>
>   If you make a mistake and get asked to try again (I typed the ldaps 
> port as 633 instead of 636), you get stuck at the CA Certificate 
> filename stage with the following:
>
> CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
>
> The certificate database in '/etc/dirsrv/admin-serv' already contains 
> a CA certificate.  Please remove it first, or use the certutil program 
> to add the CA certificate with a different name.
>
> Please try again, in case you mis-typed something.
>
> Simple enough solution, as for me this is a fresh install, is to delete 
> cert8.db and keys3.db in /etc/dirsrv/admin-serv/ from another session.
>
You can use ldapsearch to test if the cert db is correct:

LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -H ldaps://<Config Server FQDN> -D "cn=directory manager" -W -s base -b ""

If that doesn't work, use ldapsearch -d 1 -x .... to get more debugging 
information.

The error is strange though.  It seems to imply that the admin server is 
looking for a cert or key.  If the admin server is acting only as an SSL 
client, it should not need to look up a cert or key, it should only need 
the CA cert.
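An added example, not code from the thread or from 389-ds: a small POSIX shell script that runs the check suggested above against the admin server's NSS cert db. It first verifies that the db holds a certificate trusted as an SSL CA (the "C" in the SSL column of certutil's trust flags, which is all an SSL client needs), then issues the ldapsearch from the reply; the sample listing, hostname and directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: check an NSS cert db the way the
# reply suggests before running the ldapsearch test. The sample listing and
# the hostname/path used below are constructed for illustration.

# Constructed `certutil -d <dir> -L` output, same shape as the one quoted in
# the thread (nickname, then SSL,S/MIME,JAR/XPI trust flags).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
'

# Return 0 if the listing holds at least one cert trusted as an SSL CA
# (a "C" in the SSL column of the trust flags), 1 otherwise. Only the CA
# trust matters for an SSL client, which is all the admin server is here.
has_ssl_ca() {
    printf '%s\n' "$1" | awk '
        # a trust-flag field looks like CT,, or u,u,u; header lines do not
        NF >= 2 && $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            ssl = $NF; sub(/,.*/, "", ssl)
            if (ssl ~ /C/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Run the checks against a real db dir: db files present, CA trusted, then
# the ldapsearch from the reply (pass "debug" as 3rd arg for -d 1 output).
check_certdir() {
    dir="$1"; server="$2"; dbg=""
    if [ "$3" = "debug" ]; then dbg="-d 1"; fi
    for f in cert8.db key3.db; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; return 1; }
    done
    has_ssl_ca "$(certutil -d "$dir" -L)" \
        || { echo "no SSL-trusted CA cert in $dir"; return 1; }
    LDAPTLS_CACERTDIR="$dir" ldapsearch $dbg -x -H "ldaps://$server" \
        -D "cn=directory manager" -W -s base -b ""
}

# Usage (constructed values): check_certdir /etc/dirsrv/admin-serv config.example.org debug
```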
