As an aside, I can get rid of the errors on the setupssl2.sh script by making the following change... but I don't know if it's a change I should be making.
[root@ldap ~]# diff setupssl2.sh setupssl2.sh.orig
185c185
< pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
---
> pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt

*********************************************************************
results of commands requested:
*********************************************************************

[root@ldap ~]# ls -al /etc/dirsrv/slapd-*
total 472
drwxrwx---  3 ldap ldap  4096 Jul 31 15:01 .
drwxrwxr-x  7 root ldap  4096 Jul 31 14:03 ..
-r--------  1 ldap ldap  2114 Jul 31 14:36 adminserver.p12
-rw-r--r--  1 ldap root   647 Jul 31 14:36 cacert.asc
-rw-------  1 ldap ldap 65536 Jul 31 16:23 cert8.db
-r--r-----  1 ldap ldap  3595 Jul 31 13:19 certmap.conf
-rw-------  1 ldap ldap 71692 Jul 31 15:01 dse.ldif
-rw-------  1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
-rw-------  1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
-r--r-----  1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
-rw-------  1 ldap ldap 16384 Jul 31 16:23 key3.db
-r--------  1 ldap ldap    41 Jul 31 14:36 noise.txt
-rw-rw----  1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
-rw-rw----  1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
-r--------  1 ldap ldap    67 Jul 31 14:36 pin.txt
-r--------  1 ldap ldap    41 Jul 31 14:36 pwdfile.txt
drwxrwx---  2 ldap ldap  4096 Jul 31 15:01 schema
-rw-rw----  1 ldap ldap 16384 Jul 31 15:01 secmod.db
-r--r-----  1 ldap ldap  5366 Jul 31 13:19 slapd-collations.conf

[root@ldap ~]# ls -al /etc/dirsrv/admin-serv
total 196
drwx------  2 ldap root  4096 Jul 31 15:27 .
drwxrwxr-x  7 root ldap  4096 Jul 31 14:03 ..
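Review bot: the token changed in this hunk is the wrong one. The original line imports adminserver.p12 into `-d $assecdir`, the admin server's certificate database, and the modified line sends it into `-d $secdir`, the directory server's database (/etc/dirsrv/slapd-ldap-xxxxx, per the script's "Using ... as sec directory" line). That makes the pk12util errors go away only because `$secdir/pwdfile.txt` really is the token password of that database; /etc/dirsrv/admin-serv, which is the database the admin server opens (its error log names it), receives no certificate at all, so the admin server is no better off. What the original line gets wrong is not `-d` but `-k`: `-w` is the password of the .p12 file itself and `-k` the password of the destination slot, and "Failed to authenticate to PKCS11 slot" is about the second one. The listings in this message show admin-serv/secmod.db dated Jul 27, well before the script created pwdfile.txt on Jul 31, so that database was initialised with a password the directory server's pwdfile.txt does not contain. Keep `-d $assecdir` and pass the admin server database's own password file to `-k` (or re-initialise that database with the script's password before this import), rather than redirecting the import.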
-rw-------  1 ldap ldap   498 Jul 31 14:36 adm.conf
-rw-------  1 ldap root    40 Jul 31 13:19 admpw
-rw-r--r--  1 root root  3936 Mar 27 08:33 admserv.conf
-rw-------  1 ldap root 65536 Jul 31 16:05 cert8.db
-rw-------  1 ldap ldap  4467 Jul 31 14:36 console.conf
-rw-------  1 ldap root  4467 Jul 27 18:42 console.conf.rpmsave
-rw-r--r--  1 root root 26302 Mar 27 08:33 httpd.conf
-rw-------  1 ldap root 16384 Jul 31 16:05 key3.db
-rw-------  1 ldap root 13343 Jul 31 13:19 local.conf
-r--------  1 ldap ldap  4535 Jul 31 14:36 nss.conf
-rw-------  1 ldap root  4535 Jul 27 16:20 nss.conf.rpmsave
-rw-------  1 ldap root    50 Jul 31 15:27 password.conf
-rw-------  1 ldap root 16384 Jul 27 14:21 secmod.db

On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmegg...@redhat.com> wrote:
> On 08/01/2012 08:17 AM, Arnold Werschky wrote:
>
> Good morning,
>
> I'm trying to set up a new install LDAP server with self-signed TLS/SSL on CentOS 6.2.
>
> My install using setup-ds-admin.pl was typical, and I was able to log in to the 389-Console after installation.
>
> At that point I downloaded the script from richm:
> https://github.com/richm/scripts/blob/master/setupssl2.sh
>
> I received two errors during its run (full output is at the bottom).
>
> pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
> pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.
>
> start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error:
>
> [Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
> [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
> [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:
>
> I've searched for the SSL Library error to no avail. If anyone can give me a starting point I'd appreciate it.
>
> ***************************************************************************
> setupssl2.sh output
> ***************************************************************************
>
> Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
> No CA certificate found - will create new one
> No Server Cert found - will create new one
> No Admin Server Cert found - will create new one
> Creating password file for security token
> Creating noise file
> Creating new key and cert db
> Creating encryption key for CA
>
> Generating key. This may take a few moments...
>
> Creating self-signed CA certificate
>
> Generating key. This may take a few moments...
>
> Is this a CA certificate [y/N]?
> Enter the path length constraint, enter to skip [<0 for unlimited path]:
> Is this a critical extension [y/N]?
> Exporting the CA certificate to cacert.asc
> Generating server certificate for 389 Directory Server on host ldap.xxxxx.com
> Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN
> Note: If you do not want to use this hostname, edit this script to change myhost to the
> real hostname you want to use
>
> Generating key. This may take a few moments...
>
> Creating the admin server certificate
>
> Generating key. This may take a few moments...
>
> Exporting the admin server certificate pk12 file
> pk12util: PKCS12 EXPORT SUCCESSFUL
> Creating pin file for directory server
> Importing the admin server key and cert (created above)
> Incorrect password/PIN entered.
> pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
> pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.
>
> Hmm - this is really strange.
> ls -al /etc/dirsrv/slapd-*
> ls -al /etc/dirsrv/admin-serv
>
> Importing the CA certificate from cacert.asc
> Enabling the use of a password file in admin server
> Turning on NSSEngine
> Use ldaps for config ds connections
> Enabling SSL in the directory server
> when prompted, provide the directory manager password
> Password:modifying entry "cn=encryption,cn=config"
>
> modifying entry "cn=config"
>
> adding new entry "cn=RSA,cn=encryption,cn=config"
>
> Enabling SSL in the admin server
> modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>
> modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>
> Done. You must restart the directory server and the admin server for the changes to take effect.
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
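The step that failed in the thread is the pk12util import of adminserver.p12, and the symptom in both the script output and the admin server's error log is the same NSS message about the slot password. As an added example (my code, not setupssl2.sh's and not part of 389-ds), the POSIX shell below performs the check that would have caught it before the import: it verifies that the password file destined for pk12util's -k actually unlocks the target NSS database, using certutil's key listing, and refuses the import otherwise. It assumes certutil and pk12util from nss-tools are on PATH; the function names (nss_classify_output, nss_db_unlocks, import_p12_checked, demo) and the passwords used by the demo are the example's own and do not come from the thread.

```sh
#!/bin/sh
# Added example; it is not part of setupssl2.sh or of 389-ds. It guards the
# step that failed in the thread (importing adminserver.p12 into the admin
# server's NSS database) by first checking that the password file handed to
# pk12util's -k really unlocks that database. Needs certutil and pk12util
# (nss-tools). All function names here are this example's own.

# Classify the text that certutil/pk12util emit. The phrases are the ones NSS
# prints for a rejected token password (quoted verbatim in the thread) and for
# a key store that is simply empty; anything else counts as "ok".
# Always returns 0 and prints one of: bad-password, no-keys, ok.
nss_classify_output() {
    case "$1" in
        *"password entered is incorrect"*|*"Incorrect password/PIN entered"*)
            echo bad-password ;;
        *"no keys found"*)
            echo no-keys ;;
        *)
            echo ok ;;
    esac
}

# nss_db_unlocks DIR PWFILE
#   0: PWFILE opens the key store in DIR   1: the token rejects PWFILE
#   2: DIR holds no NSS key store          3: certutil is not installed
# key3.db is the legacy dbm store seen in the listings above; key4.db is the
# sql store that newer NSS creates by default.
nss_db_unlocks() {
    _dir=$1; _pw=$2
    [ -f "$_dir/key3.db" ] || [ -f "$_dir/key4.db" ] || return 2
    command -v certutil >/dev/null 2>&1 || return 3
    # -K lists private keys, which forces a login to the internal slot with
    # the password from -f; a wrong password is reported, never prompted for.
    _out=$(certutil -K -d "$_dir" -f "$_pw" 2>&1 || true)
    [ "$(nss_classify_output "$_out")" != bad-password ]
}

# import_p12_checked DBDIR NICK P12FILE P12PWFILE DBPWFILE
# Same pk12util invocation as the script's import line, but refused unless
# DBPWFILE is the slot password of DBDIR. -w is the password of the .p12 file,
# -k the password of the destination slot; the thread's error is about -k.
import_p12_checked() {
    _dbdir=$1; _nick=$2; _p12=$3; _p12pw=$4; _dbpw=$5
    _rc=0; nss_db_unlocks "$_dbdir" "$_dbpw" || _rc=$?
    case $_rc in
        0) ;;
        1) echo "refusing import: $_dbpw is not the token password of $_dbdir" >&2; return 1 ;;
        2) echo "refusing import: no NSS key store in $_dbdir" >&2; return 2 ;;
        *) echo "refusing import: certutil not found" >&2; return 3 ;;
    esac
    pk12util -d "$_dbdir" -n "$_nick" -i "$_p12" -w "$_p12pw" -k "$_dbpw"
}

# Reproduce the failure on a throwaway database with constructed passwords:
# the file used at -N time unlocks it, any other file does not.
demo() {
    _tmp=$(mktemp -d) || return 1
    printf 'right-pw\n' > "$_tmp/pw.txt"
    printf 'wrong-pw\n' > "$_tmp/other.txt"
    certutil -N -d "$_tmp" -f "$_tmp/pw.txt" || { rm -rf "$_tmp"; return 1; }
    _rc=0; nss_db_unlocks "$_tmp" "$_tmp/pw.txt" || _rc=$?
    echo "password file used at creation: $_rc"
    _rc=0; nss_db_unlocks "$_tmp" "$_tmp/other.txt" || _rc=$?
    echo "some other password file:       $_rc"
    rm -rf "$_tmp"
}

if command -v certutil >/dev/null 2>&1; then
    demo || echo "demo could not run" >&2
else
    echo "certutil not found; skipping demo" >&2
fi
```

Against the setup in the thread the check is `nss_db_unlocks /etc/dirsrv/admin-serv /etc/dirsrv/slapd-ldap-xxxxx/pwdfile.txt`; a return of 1 is exactly the condition behind the "Password for slot internal is incorrect" log line, and the remedy is to give -k the admin server database's own password file (or re-initialise that database with the script's password), not to point -d at the directory server's database.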