On 8/27/20 12:23 PM, Mark Reynolds wrote:
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server
^^^ This is the official documentation
noted, thx.
I'm pretty sure I came across something/somewhere recently that explicitly
stated red_hat_directory_server != fedora directory server.
Hence the confusion.
>> so NOT dsconf either ... but dsctl.
>
> You can do it with dsconf, see: "dsconf INST security --help", and "dsconf
> INST security certificate --help"
OK, confused more now. That's where I _started_ (up there^), and failed.
>> _should_ respect the instance config, no?
>
> If you had to copy the cert and key files into /certs for it to work then
> there is a bug in the server(or maybe the CLI) when it is creating the NSS
> database. What is in the errors log? At server startup it logs a lot of
> information about the security configuration. It would be great to see this
> logging as it could help narrow down the problem.
dsctl testinst stop
rm -f /var/log/dirsrv/slapd-testinst/*
rm -f /etc/dirsrv/slapd-testinst/certs/{cert9.db,key4.db,pkcs11.txt}
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
/etc/dirsrv/slapd-testinst
├── certmap.conf
├── certs
│ ├── noise.txt
│ ├── pin.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
2 directories, 12 files
dsctl testinst tls import-server-key-cert \
/etc/ssl/testinst.server.EC.crt.pem \
/etc/ssl/testinst.server.EC.key.pem
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
/etc/dirsrv/slapd-testinst
>>> ├── cert9.db
├── certmap.conf
├── certs
│ ├── noise.txt
│ ├── pin.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
>>> ├── key4.db
>>> ├── pkcs11.txt
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
dsctl testinst start
journalctl -f -u [email protected]
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.429465758
-0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB
file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL
initialization will likely fail
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.431266675
-0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file
key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL
initialization will likely fail
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.469911561
-0700] - WARN - Security Initialization - SSL alert: Sending pin request to
SVRCore. You may need to run systemd-tty-ask-password-agent to provide the
password.
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470543103
-0700] - ERR - Security Initialization - slapd_ssl_init - Unable to
authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred
during security authorization.)
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470988905
-0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed.
Disabling SSL.
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471534047
-0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471982899
-0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.281841989
-0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285150261
-0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285636673
-0700] - NOTICE - ldbm_back_start - found 5759888k available
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286082825
-0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286526296
-0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.362425203
-0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port
389 for LDAP requests
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
├── access
├── access.rotationinfo
├── audit
├── audit.rotationinfo
├── errors
└── errors.rotationinfo
/etc/dirsrv/slapd-testinst
├── cert9.db
├── certmap.conf
├── certs
│ ├── cert9.db
│ ├── key4.db
│ ├── noise.txt
│ ├── pin.txt
│ ├── pkcs11.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── key4.db
├── pkcs11.txt
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
cat /var/log/dirsrv/slapd-testinst/errors
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)
[27/Aug/2020:12:49:14.430826073 -0700] - CRIT - Security Initialization
- warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in
[/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.431281245 -0700] - CRIT - Security Initialization
- warn_if_no_key_file - Key DB file key3.db nor key4.db exists in
[/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.469940641 -0700] - WARN - Security Initialization
- SSL alert: Sending pin request to SVRCore. You may need to run
systemd-tty-ask-password-agent to provide the password.
[27/Aug/2020:12:49:14.470559053 -0700] - ERR - Security Initialization
- slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error
-8192 - An I/O error occurred during security authorization.)
[27/Aug/2020:12:49:14.471001315 -0700] - ERR -
force_to_disable_security - ERROR: SSL Initialization Failed. Disabling SSL.
[27/Aug/2020:12:49:14.471547467 -0700] - INFO - main -
389-Directory/1.4.3.12 B2020.213.0000 starting up
[27/Aug/2020:12:49:14.471993239 -0700] - INFO - main - Setting the
maximum file descriptor limit to: 524288
[27/Aug/2020:12:49:15.281878669 -0700] - INFO - PBKDF2_SHA256 - Based
on CPU performance, chose 2048 rounds
[27/Aug/2020:12:49:15.285170541 -0700] - NOTICE - ldbm_back_start -
found 8143628k physical memory
[27/Aug/2020:12:49:15.285646883 -0700] - NOTICE - ldbm_back_start -
found 5759888k available
[27/Aug/2020:12:49:15.286093875 -0700] - NOTICE - ldbm_back_start -
cache autosizing: db cache: 508976k
[27/Aug/2020:12:49:15.286536256 -0700] - NOTICE - ldbm_back_start -
total cache size: 416953753 B;
[27/Aug/2020:12:49:15.362452333 -0700] - INFO - slapd_daemon - slapd
started. Listening on All Interfaces port 389 for LDAP requests
dsconf -D "cn=Directory Manager" testinst security certificate list
(empty)
dsctl testinst stop
mv -f \
/etc/dirsrv/slapd-testinst/{cert9.db,key4.db,pkcs11.txt} \
/etc/dirsrv/slapd-testinst/certs/
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
├── access
├── access.rotationinfo
├── audit
├── audit.rotationinfo
├── errors
└── errors.rotationinfo
/etc/dirsrv/slapd-testinst
├── certmap.conf
├── certs
│ ├── cert9.db
│ ├── key4.db
│ ├── noise.txt
│ ├── pin.txt
│ ├── pkcs11.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
dsctl testinst start
Instance "testinst" has been started
journalctl -f -u [email protected]
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.528433965
-0700] - WARN - Security Initialization - SSL alert: Sending pin request to
SVRCore. You may need to run systemd-tty-ask-password-agent to provide the
password.
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531337496
-0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with
ldap.testinst.server.p12, (0-no error, 0).
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531922688
-0700] - ERR - slapd_extract_key - Unable to export encrypted private key
(-8187, 0).
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533254283
-0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533823726
-0700] - INFO - Security Initialization - SSL info:
TLS_CHACHA20_POLY1305_SHA256: enabled
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.534399188
-0700] - INFO - Security Initialization - SSL info:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.535590322
-0700] - WARN - Security Initialization - SSL alert: Can't find certificate
(ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -5978 - Network file descriptor is not connected.)
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536136904
-0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private
key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config
(Netscape Portable Runtime error -5978 - Network file descriptor is not
connected.)
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536679436
-0700] - ERR - Security Initialization - SSL failure: None of the cipher are
valid
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537202738
-0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed.
Disabling SSL2.
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537840071
-0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.538396543
-0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.347878231
-0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.351455605
-0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.352434269
-0700] - NOTICE - ldbm_back_start - found 5795920k available
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.353173411
-0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.356305113
-0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.433760066
-0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port
389 for LDAP requests
cat errors
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)
[27/Aug/2020:12:55:23.530261492 -0700] - WARN - Security Initialization
- SSL alert: Sending pin request to SVRCore. You may need to run
systemd-tty-ask-password-agent to provide the password.
[27/Aug/2020:12:55:23.531454427 -0700] - ERR - extractRSAKeysAndSubject
- Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
[27/Aug/2020:12:55:23.532011549 -0700] - ERR - slapd_extract_key -
Unable to export encrypted private key (-8187, 0).
[27/Aug/2020:12:55:23.533352904 -0700] - INFO - Security Initialization
- SSL info: Configured NSS Ciphers
[27/Aug/2020:12:55:23.533914446 -0700] - INFO - Security Initialization
- SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[27/Aug/2020:12:55:23.534495768 -0700] - INFO - Security Initialization
- SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[27/Aug/2020:12:55:23.535685673 -0700] - WARN - Security Initialization
- SSL alert: Can't find certificate (ldap.testinst.server.p12) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network
file descriptor is not connected.)
[27/Aug/2020:12:55:23.536229615 -0700] - WARN - Security Initialization
- SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978
- Network file descriptor is not connected.)
[27/Aug/2020:12:55:23.536760917 -0700] - ERR - Security Initialization
- SSL failure: None of the cipher are valid
[27/Aug/2020:12:55:23.537284429 -0700] - ERR -
force_to_disable_security - ERROR: SSL2 Initialization Failed. Disabling SSL2.
[27/Aug/2020:12:55:23.537932561 -0700] - INFO - main -
389-Directory/1.4.3.12 B2020.213.0000 starting up
[27/Aug/2020:12:55:23.538492173 -0700] - INFO - main - Setting the
maximum file descriptor limit to: 524288
[27/Aug/2020:12:55:24.348152922 -0700] - INFO - PBKDF2_SHA256 - Based
on CPU performance, chose 2048 rounds
[27/Aug/2020:12:55:24.351606535 -0700] - NOTICE - ldbm_back_start -
found 8143628k physical memory
[27/Aug/2020:12:55:24.352537329 -0700] - NOTICE - ldbm_back_start -
found 5795920k available
[27/Aug/2020:12:55:24.353271032 -0700] - NOTICE - ldbm_back_start -
cache autosizing: db cache: 508976k
[27/Aug/2020:12:55:24.356407814 -0700] - NOTICE - ldbm_back_start -
total cache size: 416953753 B;
[27/Aug/2020:12:55:24.433999217 -0700] - INFO - slapd_daemon - slapd
started. Listening on All Interfaces port 389 for LDAP requests
dsconf -D "cn=Directory Manager" testinst security certificate list
Certificate Name: Server-Cert
Subject DN:
[email protected],CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
Issuer DN:
[email protected],CN=myCA_INT,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2030-08-25 00:50:38
Trust Flags: u,u,u
_______________________________________________
389-users mailing list -- [email protected]
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
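The two tree listings and the startup log above show the whole problem: the NSS database files (cert9.db, key4.db, pkcs11.txt) were written to /etc/dirsrv/slapd-testinst, while ns-slapd looks for them in /etc/dirsrv/slapd-testinst/certs, warns with warn_if_no_cert_file / warn_if_no_key_file and then silently disables SSL. The script below is an added example written for this thread, not part of 389-ds, dsctl or the original mail; it checks an instance's layout for exactly that misplacement and scans the errors log for the "Disabling SSL" signature, so a deployment pipeline can fail loudly instead of running an LDAP server that only thinks it has TLS. The /etc/dirsrv and /var/log/dirsrv paths are the ones from the thread; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread or the 389-ds project).
# Verifies that a 389-ds instance's NSS database lives where the server
# reads it (INSTDIR/certs/) and that the errors log does not carry the
# "NSS DB missing -> SSL disabled" signature seen in the thread.
set -u

# Files ns-slapd expects in the instance's certs/ directory (nsslapd-certdir).
NSS_DB_FILES="cert9.db key4.db pkcs11.txt"

# check_nss_db INSTDIR
#   Prints each expected file missing from INSTDIR/certs/ and, when the file
#   sits one level up in INSTDIR itself (the misplacement from the thread),
#   says so. Returns 0 when all files are in place, 1 otherwise.
check_nss_db() {
    local inst_dir="$1" missing=0 f
    for f in $NSS_DB_FILES; do
        if [ ! -f "$inst_dir/certs/$f" ]; then
            echo "MISSING: $inst_dir/certs/$f"
            missing=1
            if [ -f "$inst_dir/$f" ]; then
                echo "  (found in $inst_dir instead: NSS DB is in the wrong directory)"
            fi
        fi
    done
    return $missing
}

# scan_errors_log LOGFILE
#   Returns 1 if the log shows the server failed security initialization
#   because the NSS DB was not found (and therefore disabled SSL), 0 otherwise.
#   The patterns are the exact messages logged in the thread; "SSL2
#   Initialization Failed" is deliberately not matched, since that line also
#   appears on a healthy start.
scan_errors_log() {
    local log="$1"
    if grep -q -e 'Certificate DB file .* nor .* exists' \
               -e 'Key DB file .* nor .* exists' \
               -e 'SSL Initialization Failed\. Disabling SSL' "$log"; then
        echo "errors log: TLS was disabled at startup (NSS DB not found)"
        return 1
    fi
    return 0
}

# check_instance INSTNAME
#   Runs both checks against the standard 389-ds paths for one instance.
#   Returns 0 only if the NSS DB is in certs/ and the log is clean.
check_instance() {
    local inst="$1" rc=0
    check_nss_db "/etc/dirsrv/slapd-$inst" || rc=1
    scan_errors_log "/var/log/dirsrv/slapd-$inst/errors" || rc=1
    return $rc
}
```

Run it as `check_instance testinst` after an import and before trusting port 636; on the first layout in the thread it reports three missing files found in the parent directory and the disabled-SSL log lines, on the second (after the `mv` into certs/) it is silent and returns 0.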