Package: 389-ds-base Version: 1.3.5.13-1 Severity: important Dear Maintainer, After recent updates the 389 directory server fails to start SSL on port 636. The rest of server starts fine but in the logs, there is an error message: SSL alert: Security Initialization: Unable to create PinObj (Netscape Portable Runtime error -5977 - Failure to load dynamic library.) ERROR: SSL Initialization Failed. Disabling SSL. When I ran strace on ns-slapd, I've noticed it's missing file /etc/dirsrv/slapd-suffix/libnssckbi.so. After linking /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so from package libnss3 the error message changed to: SSL alert: Security Initialization: Unable to create PinObj (Netscape Portable Runtime error -8015 - The certificate/key database is in an old, unsupported format or failed to open.) I've checked the cert db with certutil -L -d /etc/dirsrv/slapd-suffix and it seems OK. The certificate is valid until the start of the november so I have no idea now, where the problem might be. Is it some libraries incompatibility or are there some other steps I can do to debug the issue. I'm running 389 server as a part of freeipa installation, so I'm now not able to issue different certificate to test, becouse the CA can't start without LDAP server running.
-- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (650, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages 389-ds-base depends on: ii 389-ds-base-libs 1.3.5.13-1 ii acl 2.2.52-3 ii adduser 3.115 ii debconf [debconf-2.0] 1.5.59 ii init-system-helpers 1.45 ii ldap-utils 2.4.42+dfsg-2+b3 ii libc6 2.24-5 ii libdb5.3 5.3.28-12 ii libgcc1 1:6.2.0-7 ii libicu57 57.1-4 ii libldap-2.4-2 2.4.42+dfsg-2+b3 ii libmozilla-ldap-perl 1.5.3-2+b3 ii libnetaddr-ip-perl 4.079+dfsg-1+b1 ii libnspr4 2:4.12-6 ii libnss3 2:3.26-2 ii libpam0g 1.1.8-3.3 ii libpci3 1:3.3.1-1.1 ii libperl4-corelibs-perl 0.003-2 ii libsasl2-2 2.1.26.dfsg1-15 ii libsasl2-modules-gssapi-mit 2.1.26.dfsg1-15 ii libsensors4 1:3.4.0-3 ii libsnmp30 5.7.3+dfsg-1.5+b1 ii libsocket-getaddrinfo-perl 0.22-3 ii libssl1.0.2 1.0.2j-1 ii libstdc++6 6.2.0-7 ii libsvrcore0 1:4.1.2+dfsg1-2 ii libsystemd0 231-9 ii libwrap0 7.6.q-25 ii perl 5.24.1~rc3-3 ii python 2.7.11-2 ii systemd 231-9 389-ds-base recommends no packages. 389-ds-base suggests no packages. -- Configuration Files: /etc/default/dirsrv changed: KRB5_KTNAME=/etc/dirsrv/ds.keytab KRB5CCNAME=/tmp/krb5cc_114 /etc/default/dirsrv.systemd changed: [Service] TimeoutStartSec=10m NotifyAccess=all LimitNOFILE=8192 -- no debconf information