Hi Grant,

On Thu, Nov 7, 2019 at 2:16 AM Grant Byers <grant.by...@aarnet.edu.au> wrote:

> Hi Mark,
>
> I am using certutil and a pin file, but that’s only half of what’s required. The other half involves adding and/or amending entries in the local and adm bootstrap configs, in the global config database (o=NetscapeRoot), and some apache config. The latter tasks are simplified by using the console to enable SSL for the admin server (which does so by calling the sec-activate cgi), but that is a manual step and doesn’t lend itself well to automation. I have played a little with hand editing these files with success, which I can automate, but it’s fickle. Any upstream change could potentially break that, whereas calling the tool used by the admin server to configure itself would be a more robust approach (IMO).
>
> The official documentation only has the manual approach via the console. No good for automation.

Please check this script:
https://raw.githubusercontent.com/richm/scripts/master/setupssl2.sh

Run it as

# ./setupssl2.sh /etc/dirsrv/slapd-INSTANCE

HTH

> Grant
>
> *From:* Mark Reynolds <mreyno...@redhat.com>
> *Sent:* Thursday, 7 November 2019 12:24 AM
> *To:* General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>; Grant Byers <grant.by...@aarnet.edu.au>
> *Subject:* Re: [389-users] Using sec-activate to enable SSL for admin server
>
> On 11/6/19 12:42 AM, Grant Byers wrote:
>
> Hi,
>
> I’ve mostly completed automated deployment of a 389ds cluster via Ansible. The final piece of the puzzle is the enablement of SSL/TLS for the Admin server. From what I understand, I should be able to use the sec-activate tool to do this;
>
> /usr/lib64/dirsrv/cgi-bin/sec-activate /etc/dirsrv/admin-serv on
>
> What I can’t figure out is how to authenticate. When I run this, it prompts me repeatedly for “Enter Admin Server Administrator password:”. I have tried both the RootDN and ConfigDirectoryAdminPwd passwords, but neither seems to work.
>
> Can anyone suggest what’s going on here & how I might get past it?
>
> I have never used, or heard of anyone using, sec-activate to enable SSL in the admin server. I suggest following the official documentation on setting this up using certutil and a password/pin file:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls#enabling_tls_in_the_administration_server
>
> HTH,
>
> Mark
>
> Thanks,
>
> Grant
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>
> --
>
> 389 Directory Server Development Team

--
Viktor