THANK YOU! Goodness, I really couldn't see the wood for the trees there.
Many thanks.

Philip

On 26 February 2015 at 10:56, Yann Cézard <[email protected]> wrote:
> On 25/02/2015 15:13, Philip Colmer wrote:
> > I'm getting a generic error 80 when I try to use ldapmodify to
> > configure my LDAP server to use an SSL certificate. Here is the LDIF
> > I'm using:
> >
> > dn: cn=config
> > changetype: modify
> > add: olcTLSCACertificateFile
> > olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
> > -
> > add: olcTLSCertificateFile
> > olcTLSCertificateFile: /etc/ssl/private/wildcard.linaro.org.key
> > -
> > add: olcTLSCertificateKeyFile
> > olcTLSCertificateKeyFile: /etc/ssl/certs/wildcard.linaro.org.crt
>
> Seems to me that you have switched cert and key ;-)
>
> > and the command:
> >
> > ldapmodify -v -x -H ldapi:/// -f certinfo.ldif -D cn=admin,cn=config -W
> >
> > Running logging at the highest level doesn't seem to give me much to go on ...
> >
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 do_modify: dn (cn=config)
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: >>> dnPrettyNormal: <cn=config>
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <<< dnPrettyNormal: <cn=config>, <cn=config>
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 modifications:
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCACertificateFile
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 34
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateFile
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 40
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011add: olcTLSCertificateKeyFile
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: #011#011one value, length 38
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD dn="cn=config"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: <= acl_access_allowed: granted to database root
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_required entry (cn=config), objectClass "olcGlobal"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "objectClass"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "cn"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigFile"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConfigDir"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcArgsFile"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAttributeOptions"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcAuthzPolicy"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConcurrency"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPending"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcConnMaxPendingAuth"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcGentleHUP"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIdleTimeout"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMaxLen"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrIfMinLen"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyLen"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexSubstrAnyStep"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcIndexIntLen"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcListenerThreads"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLocalSSF"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcLogLevel"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcPidFile"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReadOnly"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcReverseLookup"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSaslSecProps"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncoming"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcSockbufMaxIncomingAuth"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcThreads"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSVerifyClient"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSProtocolMin"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcToolThreads"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcWriteTimeout"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "structuralObjectClass"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryUUID"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "creatorsName"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "createTimestamp"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCACertificateFile"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateFile"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "olcTLSCertificateKeyFile"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "entryCSN"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifiersName"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: oc_check_allowed type "modifyTimestamp"
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: conn=1001 op=1 p=3
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_result: err=80 matched="" text=""
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: send_ldap_response: msgid=2 tag=103 err=80
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: conn=1001 op=1 RESULT tag=103 err=80 text=
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on 1 descriptor
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: daemon: activity on:
> > Feb 25 14:03:08 ip-10-166-134-219 slapd[1651]: 14r
> >
> > I've checked that the user that slapd is running under can read the three
> > files.
> >
> > Any suggestions or clarification on what I've overlooked?
> >
> > Thanks.
> >
> > Regards
> >
> > Philip
>
> --
> Yann Cézard - server systems administrator
> Direction du Numérique - Infrastructures - http://dn.univ-pau.fr
> Université de Pau et des pays de l'Adour - http://www.univ-pau.fr
> d'Alembert building (formerly IFR), rue Jules Ferry, 64000 Pau
> Telephone: +33 (0)5 59 40 77 94
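A pre-flight check for the kind of record posted above, as an added example that is not part of the thread and not OpenLDAP's own code: it parses the cn=config LDIF modify record, reads the PEM block label of each referenced file, and reports the cert/key swap that slapd itself only surfaces as a bare err=80. The function names, the temporary directory and the placeholder PEM files (BEGIN/END lines only, no real key material) are constructed for this example.

```python
"""Check the olcTLS* paths in a cn=config LDIF modify record before running ldapmodify."""
import os
import re
import tempfile

# PEM block labels acceptable for each attribute (slapd expects PEM files here).
EXPECTED_PEM = {
    "olcTLSCACertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateFile": {"CERTIFICATE"},
    "olcTLSCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY",
                                 "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
}
PEM_LABEL_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*$", re.MULTILINE)

# The record from the thread, with the three paths parameterised.
LDIF_TEMPLATE = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: {ca}
-
add: olcTLSCertificateFile
olcTLSCertificateFile: {cert}
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {key}
"""


def parse_modify_ldif(text):
    """Return {attribute: [values]} for the add:/replace: changes of one modify record.

    Understands the '-' separator between changes and LDIF folded lines
    (a line starting with a single space continues the previous line).
    """
    unfolded = re.sub(r"\r?\n ", "", text)
    attrs, current = {}, None
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#") or line == "-":
            current = None          # '-' closes a change; a blank line closes the record
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        key, value = key.strip(), value.strip()
        if key in ("dn", "changetype"):
            continue
        if key in ("add", "replace"):
            current = value
            attrs.setdefault(current, [])
        elif key == current:
            attrs[current].append(value)
        else:
            raise ValueError("attribute %r appears outside its change block" % key)
    return attrs


def pem_labels(path):
    """Set of PEM block labels found in a file, e.g. {'CERTIFICATE'}."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return set(PEM_LABEL_RE.findall(fh.read()))


def check_tls_attrs(attrs):
    """Return a list of problems; an empty list means the record looks consistent."""
    problems, seen = [], {}
    for attr, allowed in EXPECTED_PEM.items():
        paths = attrs.get(attr)
        if not paths:
            problems.append("%s is not set" % attr)
            continue
        for path in paths:
            # os.access tests the *current* user; slapd's own user still needs checking.
            if not os.access(path, os.R_OK):
                problems.append("%s: %s is missing or unreadable" % (attr, path))
                continue
            labels = pem_labels(path)
            seen.setdefault(attr, set()).update(labels)
            if not labels:
                problems.append("%s: %s holds no PEM block" % (attr, path))
            elif not labels & allowed:
                problems.append("%s: %s holds %s, expected one of %s"
                                % (attr, path, sorted(labels), sorted(allowed)))
    # The exact mistake from the thread: a .key under olcTLSCertificateFile and vice versa.
    cert_has_key = seen.get("olcTLSCertificateFile", set()) & EXPECTED_PEM["olcTLSCertificateKeyFile"]
    key_has_cert = seen.get("olcTLSCertificateKeyFile", set()) & EXPECTED_PEM["olcTLSCertificateFile"]
    if cert_has_key and key_has_cert:
        problems.append("olcTLSCertificateFile and olcTLSCertificateKeyFile appear to be swapped")
    return problems


def demo():
    """Run the check on the thread's record as posted (swapped) and once corrected.

    The PEM files are constructed placeholders containing only BEGIN/END lines.
    """
    tmp = tempfile.mkdtemp()

    def placeholder(name, label):
        path = os.path.join(tmp, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n" % (label, label))
        return path

    ca = placeholder("gd_bundle-g2-g1.pem", "CERTIFICATE")
    key = placeholder("wildcard.linaro.org.key", "PRIVATE KEY")
    crt = placeholder("wildcard.linaro.org.crt", "CERTIFICATE")
    as_posted = check_tls_attrs(parse_modify_ldif(LDIF_TEMPLATE.format(ca=ca, cert=key, key=crt)))
    corrected = check_tls_attrs(parse_modify_ldif(LDIF_TEMPLATE.format(ca=ca, cert=crt, key=key)))
    return as_posted, corrected


if __name__ == "__main__":
    posted, fixed = demo()
    print("as posted:", *posted, sep="\n  ")
    print("corrected:", "no problems found" if not fixed else fixed)
```

The label check is deliberately shallow: it confirms each path holds the right kind of PEM object but not that the key actually matches the certificate or that the chain in the CA bundle is complete, which `openssl x509` / `openssl pkey` or a test `ldapsearch -ZZ` after the change would confirm.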
