[389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

Mark Reynolds Thu, 27 Aug 2020 12:24:29 -0700


On 8/27/20 3:10 PM, PGNet Dev wrote:

On 8/27/20 11:27 AM, Mark Reynolds wrote:

This is the old "archived" link - it is definitely outdated. Here's a newer one:


https://www.port389.org/docs/389ds/howto/howto-ssl.html

Or better yet check out the official docs which tells you how to use dsconf and 
set all of this up:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server

for future reference, _which_ is the "official/current documentation" site for 
Fedora-pkg'd 389ds?

        https://access.redhat.com/documentation/en-us/red_hat_directory_server
        https://directory.fedoraproject.org/docs/389ds

or

        https://www.port389.org/docs/389ds


?

per,

        
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server#importing-a-private-key-and-server-certifiate

                "This section describes how to import both a private key and 
Certificate Signing Request (CSR), if you did not create them in the NSS database using 
an external tool."

which _is_ my case (though, i think "import ... Certificate Signing Request 
(CSR)" is a typo here)

so NOT dsconf either ... but dsctl.

You can do it with dsconf, see: "dsconf INST security --help", and"dsconf INST security certificate --help"


checking,

        dsctl testinst tls import-server-key-cert  -h
                usage: dsctl [instance] tls import-server-key-cert [-h] 
cert_path key_path

                positional arguments:
                  cert_path   The path to the x509 cert to import as Server-Cert
                  key_path    The path to the x509 key to import 
atestinstciated to Server-Cert

                optional arguments:
                  -h, --help  show this help message and exit

exec

        dsctl testinst tls import-server-key-cert \
         /etc/ssl/ldap.testinst.server.crt.pem \
         /etc/ssl/ldap.testinst.server.key.pem

_appears_ 'happy' to add the server cert, with no error returned

verifying

        cat des.ldif
                ....
                dn: cn=RSA,cn=encryption,cn=config
                objectClass: top
                objectClass: nsEncryptionModule
                cn: RSA
                nsSSLPersonalitySSL: ldap.testinst.server.p12
                nsSSLActivation: on
                nsSSLToken: internal (software)
                modifiersName: cn=directory manager
                modifyTimestamp: 20200827175643Z
                ...

but per,

        
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#enabling_tls_in_directory_server_using_the_command_line
                "Display the name of the server certificate in the NSS database: 
"

checking

        dsctl testinst restart
        dsconf -D "cn=Directory Manager" testinst security certificate list

returns

        (empty)

where'd it go?

checking

        tree /usr/local/etc/dirsrv/slapd-testinst/
                /usr/local/etc/dirsrv/slapd-testinst/

                ├── cert9.db

                ├── certmap.conf
                ├── certs
???             │   ├── cert9.db
???             │   ├── key4.db
                │   ├── noise.txt
                │   ├── pin.txt
???             │   ├── pkcs11.txt
                │   └── pwdfile.txt
                ├── dse.ldif
                ├── dse.ldif.bak
                ├── dse.ldif.startOK

                ├── key4.db
                ├── pkcs11.txt

                ├── schema
                │   └── 99user.ldif
                └── slapd-collations.conf

it appears to have _ignored_ my instance's cert_dir spec'n

        nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs


if I manually

        cd /usr/local/etc/dirsrv/slapd-testinst/
        mv -f cert9.db key4.db pkcs11.txt certs/

NOW,

        dsconf -D "cn=Directory Manager" testinst security certificate list

correctly sees/lists the cert

                Certificate Name: Server-Cert
                Subject DN: ...

the instance-specific

        dsctl testinst tls import-server-key-cert

_should_ respect the instance config, no?

If you had to copy the cert and key files into /certs for it to workthen there is a bug in the server(or maybe the CLI) when it is creatingthe NSS database. What is in the errors log? At server startup it logsa lot of information about the security configuration. It would begreat to see this logging as it could help narrow down the problem.


Thanks,

Mark

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

[389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

Reply via email to