[389-users] Troubles with automated deployment of secure 389 server

Nicolas Martin nico.martin at gmail.com
Fri Apr 17 11:07:58 UTC 2015


Hello,

I've been trying to deploy a secure 389 server with TLS/SSL on port 636.
If I do things manually, it works alright.

But using the scripts provided on the website, I run into some trouble.

BACKGROUND INFO:
Attached to this mail are the scripts and conf file I use. My setupssl.sh
is a modified version of the setupssl2.sh meant for DS >= 1.1. I changed
the cipher suite and I changed the name of the admin cert from server-cert
to admin-cert for clarity (I manually changed the name of the certificate
in the admin console configuration file accordingly).
The reason behind the cipher suite change is that the one in the original
script prevents the script from running (AttributeType error), so I used a
cipher suite from a working, manually deployed LDAP server.
I use the packages provided with RHEL6U5. Here are the component versions:

389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch

openjdk version:
java-1.6.0-openjdk-1.6.0.0-6.1.13.4.el6_5.x86_64

PROBLEM DESCRIPTION:
Once the scripts have run, I start 389-console using the https URL.
Authentication yields an error message: "Cannot connect..."

Console with debugging enabled shows this error message:
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054)
You are attempting to import a cert with the same issuer/serial as an
existing cert, but that is not the same cert.

/var/log/dirsrv/admin-server/error has the following line:
[error] SSL Library Error: -12271 SSL client cannot verify your certificate

Certificates list from admin server:
admin-cert                                                   u,u,u
CA certificate                                               CT,,

Certificates list from slapd-myserver7:
CA certificate                                               CTu,u,u
admin-cert                                                   u,u,u
Server-Cert                                                  u,u,u

My certificates all have different serial numbers: 1000 for CA, 1001 for
Server-Cert, 1002 for admin-cert.


If I disable security for the console by setting NSSEngine to Off, I
can log in to the console with the normal http URL, but as soon as I access a
certificate-related tab (for example "Manage Certificates" or the
Encryption tab of the server), I get the following error message:

Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12263)
SSL received a record that exceeded the maximum permissible length.

Has anyone ever experienced these SSL errors? Is there something I can
compare between my working, manually deployed LDAP servers and the one that
I am trying to deploy automatically?

Thanks in advance.

Regards,

Nicolas Martin
Attachments (scrubbed by the list archive):
setup.inf (application/octet-stream, 517 bytes): <http://lists.fedoraproject.org/pipermail/389-users/attachments/20150417/76479ebf/attachment.obj>
setupssl.sh (application/x-sh, 10681 bytes): <http://lists.fedoraproject.org/pipermail/389-users/attachments/20150417/76479ebf/attachment.sh>
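As an added example (not code from the original post or from the 389 project), this is the check I would run to answer the comparison question above: parse the per-certificate `certutil -L -d <dbdir> -n <nickname>` output from both NSS databases and look for the condition the -8054 message describes, a certificate that has the same issuer and serial number as another entry but a different fingerprint. The database directories, issuer name, serials and fingerprints in the sample data are constructed and hypothetical, not taken from the poster's hosts; `collect_listings` is the path that calls certutil on a real system.

```python
"""Cross-check NSS certificate databases for reused issuer/serial pairs.

Added example for this thread; not code from the original post or from the
389 project. It parses the text that `certutil -L -d <dbdir> -n <nickname>`
prints for one certificate and flags the condition behind NSS error -8054:
two certificates with the same issuer and serial number that are not the
same certificate (their fingerprints differ). All sample data below is
constructed; names, serials and fingerprints are hypothetical and are not
taken from the poster's deployment.
"""
import re
import subprocess
from collections import defaultdict

# Hypothetical database directories, used only as dictionary keys here.
ADMIN_DB = "/etc/dirsrv/admin-serv"
SLAPD_DB = "/etc/dirsrv/slapd-myserver7"


def fake_listing(serial, subject, fp):
    """Constructed certutil-style text containing only the fields read below."""
    return (f"Certificate:\n    Data:\n        Serial Number: {serial} (0x{serial:x})\n"
            f'        Issuer: "CN=Example CA,O=example"\n        Subject: "{subject}"\n'
            f"    Fingerprint (SHA1):\n        {fp}\n")


# Constructed scenario: the admin server and the directory server both hold a
# cert nicknamed "CA certificate" with serial 1000, but they are different
# certs (different fingerprints); admin-cert is the same cert in both.
SAMPLE_CERTS = {
    (ADMIN_DB, "CA certificate"): fake_listing(1000, "CN=Example CA,O=example", "A1:A1:A1:A1"),
    (ADMIN_DB, "admin-cert"): fake_listing(1002, "CN=myserver7.example", "C3:C3:C3:C3"),
    (SLAPD_DB, "CA certificate"): fake_listing(1000, "CN=Example CA,O=example", "B2:B2:B2:B2"),
    (SLAPD_DB, "admin-cert"): fake_listing(1002, "CN=myserver7.example", "C3:C3:C3:C3"),
    (SLAPD_DB, "Server-Cert"): fake_listing(1001, "CN=myserver7.example", "D4:D4:D4:D4"),
}

FIELD_RE = re.compile(
    r'Serial Number:\s*(?P<serial>\d+).*?Issuer:\s*"(?P<issuer>[^"]*)".*?'
    r"Fingerprint \((?P<algo>[^)]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)", re.S)
# One line of `certutil -L -d <dbdir>`: nickname, 2+ spaces, trust flags.
NICK_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw,]+)$")


def parse_cert(text):
    """Extract serial, issuer and the first fingerprint from a certutil -n listing."""
    m = FIELD_RE.search(text)
    if not m:
        raise ValueError("unrecognised certutil output")
    return {"serial": int(m.group("serial")), "issuer": m.group("issuer"),
            "fingerprint": m.group("algo") + ":" + m.group("fp").upper()}


def find_reused_issuer_serial(listings):
    """Group certs by (issuer, serial); return the groups whose members differ.

    `listings` maps (dbdir, nickname) -> certutil text. The same cert stored
    in several databases shares a fingerprint and is not reported.
    """
    by_key = defaultdict(list)
    for (dbdir, nick), text in listings.items():
        c = parse_cert(text)
        by_key[(c["issuer"], c["serial"])].append((dbdir, nick, c["fingerprint"]))
    return [{"issuer": issuer, "serial": serial, "members": members}
            for (issuer, serial), members in sorted(by_key.items())
            if len({fp for _, _, fp in members}) > 1]


def list_nicknames(dbdir):
    """Nicknames from `certutil -L -d <dbdir>`, skipping the header lines."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir], check=True,
                         capture_output=True, text=True).stdout
    return [m.group("nick") for m in map(NICK_RE.match, out.splitlines())
            if m and m.group("nick") != "Certificate Nickname"]


def collect_listings(dbdirs):
    """Build the listings map from real databases (requires certutil on PATH)."""
    return {(d, n): subprocess.run(["certutil", "-L", "-d", d, "-n", n], check=True,
                                   capture_output=True, text=True).stdout
            for d in dbdirs for n in list_nicknames(d)}


if __name__ == "__main__":
    for c in find_reused_issuer_serial(SAMPLE_CERTS):
        print(f'issuer {c["issuer"]!r} serial {c["serial"]} names different certs:')
        for dbdir, nick, fp in c["members"]:
            print(f"  {dbdir}: {nick} ({fp})")
```

Against a real deployment, run `find_reused_issuer_serial(collect_listings([...]))` over the admin server and slapd certificate directories; running the same collection on the manually deployed server and diffing the parsed fields is a direct way to see which certificates differ between the two setups.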