with installed

        /usr/sbin/ns-slapd  -v
                389 Project
                389-Directory/1.4.3.12 B2020.213.0000

running instancename == 'sso'

        systemctl status dirsrv@sso.service -ln0
                ● dirsrv@sso.service - 389 Directory Server sso.
                     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
                    Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
                             └─custom.conf
                             /etc/systemd/system/dirsrv@sso.service.d
                             └─override.conf
                     Active: active (running) since Thu 2020-08-27 16:11:16 PDT; 6min ago
                    Process: 24861 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-sso/dse.ldif (code=exited, status=0/SUCCESS)
                   Main PID: 24866 (ns-slapd)
                     Status: "slapd started: Ready to process requests"
                      Tasks: 25 (limit: 9500)
                     Memory: 50.7M
                        CPU: 2.832s
                     CGroup: /system.slice/system-dirsrv.slice/dirsrv@sso.service
                             └─24866 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-sso -i /run/dirsrv/slapd-sso.pid

        dsctl sso status
                Instance "sso" is running


checking _supported_ ciphers

        dsconf -D "cn=ds" sso security ciphers list --supported | grep -i cha
                TLS_CHACHA20_POLY1305_SHA256
                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
                TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

setting initial security

        dsconf -D "cn=ds" sso security set \
         --security on \
         --listen-host ldap.example.com \
         --secure-port 636 \
         --tls-protocol-min 1.2 \
         --allow-insecure-ciphers off \
         --allow-weak-dh-param off \
         --cipher-pref "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"

stopping server

        dsctl sso stop

importing CA, OK

        dsctl sso tls import-ca \
         /src/ssl/myCA.CHAIN.crt.pem \
         ldap.sso.CA.crt

importing cert/key, OK

        dsctl sso tls import-server-key-cert \
         /src/ssl/ldap.server.EC.crt \
         /src/ssl/ldap.server.EC.key

importing client-CA, **FAILS**

        dsctl sso tls import-client-ca \
         /src/ssl/myCA.CHAIN.crt.pem \
         ldap.sso.clientCA.crt

                Error: Command '['/usr/bin/certutil', '-M', '-d', '/etc/dirsrv/slapd-sso', '-n', 'ldap.sso.clientCA.crt', '-t', 'T,,', '-f', '/etc/dirsrv/slapd-sso/pwdfile.txt']' returned non-zero exit status 255.

restarting server

        dsctl sso start

checking _enabled_ ciphers

        dsconf -D "cn=ds" sso security ciphers list --enabled
                TLS_CHACHA20_POLY1305_SHA256
                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

*2* certs are listed,

        dsconf -D "cn=ds" sso security certificate list
                Certificate Name: ldap.sso.CA.crt
                Subject DN: E=s...@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
                Issuer DN: CN=myCA_ROOT,E=s...@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com
                Expires: 2027-06-02 21:41:51
                Trust Flags: ,,

                Certificate Name: Server-Cert
                Subject DN: E=s...@example.com,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
                Issuer DN: E=s...@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
                Expires: 2030-08-25 00:50:38
                Trust Flags: u,u,u

only one should be listed 'just' as a cert,

        dsctl sso tls show-server-cert
                Certificate:
                    Data:
                        Version: 3 (0x2)
                        Serial Number: 4666 (0x123a)
                        Signature Algorithm: X9.62 ECDSA signature with SHA256
                        Issuer: "E=s...@example.com,CN=myCA_INTER
                            MEDIATE,OU=myCA,O=example.com,ST=CA,C=US"
                        Validity:
                            Not Before: Thu Aug 27 00:50:38 2020
                            Not After : Sun Aug 25 00:50:38 2030
                        Subject: "E=s...@example.com,CN=ldap.example.com,OU=pr
                            esence-group.net_CA,O=example.com,L=city,ST=CA,C=
                            US"
                        Subject Public Key Info:
                            Public Key Algorithm: X9.62 elliptic curve public key
                                Args:
                                    06:05:2b:81:04:00:22
                            EC Public Key:
                                PublicValue:
                                    04:...:3c
                                Curve: SECG elliptic curve secp384r1 (aka NIST P-384)
                        Signed Extensions:
                            Name: Certificate Basic Constraints
                            Data: Is not a CA.

                            Name: Certificate Type
                            Data: <SSL Server>

                            Name: Certificate Comment
                            Comment: "example.com SERVER Certificate"

                            Name: Certificate Subject Key ID
                            Data:
                                ea:...:78

                            Name: Certificate Authority Key Identifier
                            Key ID:
                                d0:...:cd
                            Issuer: 
                                Directory Name: "CN=myCA_ROOT,E=ssl@exa
                                    mple.com,C=US,ST=CA,L=city,OU=my
                                    CA,O=example.com"
                            Serial Number: 4096 (0x1000)

                            Name: Certificate Key Usage
                            Critical: True
                            Usages: Digital Signature

                            Name: Extended Key Usage
                                TLS Web Server Authentication Certificate

                            Name: Certificate Subject Alt Name
                            DNS name: "ldap.example.com"
                            DNS name: "www.ldap.example.com"
                            DNS name: "localhost"

                    Signature Algorithm: X9.62 ECDSA signature with SHA256
                    Signature:
                        30:...:67
                    Fingerprint (SHA-256):
                        22:...:18
                    Fingerprint (SHA1):
                        52:...:E3

                    Mozilla-CA-Policy: false (attribute missing)
                    Certificate Trust Flags:
                        SSL Flags:
                            User
                        Email Flags:
                            User
                        Object Signing Flags:
                            User

the other is the CA cert, but the CA list reports empty with dsconf

        dsconf -D "cn=ds" sso security ca-certificate list
                (empty)

as do both of the dsctl tls queries

        dsctl sso tls list-ca
                (empty)

        dsctl sso tls list-client-ca
                (empty)

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
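The certificate listing in the post shows the imported CA nickname ldap.sso.CA.crt with Trust Flags ",," (no trust in any column) while Server-Cert carries u,u,u, and both CA listings come back empty; tooling that selects CA certificates by their trust flags will not report a CA that has none. As an added check, not part of the original post or of the 389-ds tools, the script below parses the output format of `certutil -L -d <dir>` (nickname, then the SSL,S/MIME,JAR/XPI trust attributes as the last field) and reports, for each nickname, whether its SSL trust column carries C or T. The listing it runs against is a constructed sample modelled on the post's certificates; on a real instance the listing would come from `certutil -L -d /etc/dirsrv/slapd-sso`.

```shell
#!/bin/sh
# Added example (not from the original post or the 389-ds project): a checker
# for NSS certificate database trust flags. `certutil -L -d <dir>` prints one
# line per nickname with the trust attributes (SSL,S/MIME,JAR/XPI) as the last
# field. A CA used for chain building or client certificate verification needs
# C and/or T in the SSL column; ",," means no trust at all, which is what the
# post shows for ldap.sso.CA.crt.

# Constructed sample, modelled on the certificates in the post.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ldap.sso.CA.crt                                              ,,
Server-Cert                                                  u,u,u
'

# trust_flags LISTING NICKNAME
# Prints the trust-attribute field of NICKNAME, or nothing when the nickname
# is absent from the listing (as ldap.sso.clientCA.crt is in the post).
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF          # last field, e.g. "CT,," or "u,u,u"
            $NF = ""             # drop it; what remains is the nickname
            sub(/[ \t]+$/, "")
            if ($0 == nick) { print flags; exit }
        }'
}

# ssl_trust LISTING NICKNAME
# Prints only the SSL column of the trust flags (the part before the first comma).
ssl_trust() {
    flags=$(trust_flags "$1" "$2")
    printf '%s\n' "${flags%%,*}"
}

# is_trusted_ca LISTING NICKNAME
# Succeeds when the SSL column carries C (trusted to issue server certs) or
# T (trusted to issue client certs); fails for ",,", "u,u,u" or a missing nickname.
is_trusted_ca() {
    case "$(ssl_trust "$1" "$2")" in
        *C*|*T*) return 0 ;;
        *)       return 1 ;;
    esac
}

# report LISTING NICKNAME: one human-readable line per nickname
report() {
    flags=$(trust_flags "$1" "$2")
    if [ -z "$flags" ]; then
        printf '%s: nickname not present in the database\n' "$2"
    elif is_trusted_ca "$1" "$2"; then
        printf '%s: trusted CA (%s)\n' "$2" "$flags"
    else
        printf '%s: not trusted as a CA (%s)\n' "$2" "$flags"
    fi
}

# Run against the constructed sample. On a real instance the listing would
# come from: certutil -L -d /etc/dirsrv/slapd-sso
for nick in ldap.sso.CA.crt Server-Cert ldap.sso.clientCA.crt; do
    report "$SAMPLE_LISTING" "$nick"
done
```

The nickname comparison is exact, so a typo between the nickname given at import time and the one used later shows up as "nickname not present" rather than as a silently empty CA list.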