On 08/01/2012 08:17 AM, Arnold Werschky wrote:
Good morning,

I'm trying to set up a new install LDAP server with self-signed TLS/SSL on CentOS 6.2

My install using setup-ds-admin.pl was typical, and I was able to login to the 389-Console after installation.

At that point I downloaded the script from richm : https://github.com/richm/scripts/blob/master/setupssl2.sh

I received two errors during its run (full output is at the bottom).

    pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
    pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.


start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error

    [Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
    [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
    [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:


I've searched for the SSL Library error to no avail. If anyone can give me a starting point I'd appreciate it.


***************************************************************************
setupssl2.sh output
***************************************************************************

Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA


Generating key.  This may take a few moments...

Creating self-signed CA certificate


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host ldap.xxxxx.com
Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the real hostname you want to use


Generating key.  This may take a few moments...

Creating the admin server certificate


Generating key.  This may take a few moments...

Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Importing the admin server key and cert (created above)
Incorrect password/PIN entered.
pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.
Hmm - this is really strange.
ls -al /etc/dirsrv/slapd-*
ls -al /etc/dirsrv/admin-serv
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Turning on NSSEngine
Use ldaps for config ds connections
Enabling SSL in the directory server
when prompted, provide the directory manager password
Password:modifying entry "cn=encryption,cn=config"

modifying entry "cn=config"

adding new entry "cn=RSA,cn=encryption,cn=config"

Enabling SSL in the admin server
modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

Done. You must restart the directory server and the admin server for the changes to take effect.


--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
