Good morning, I'm trying to set up a new install LDAP server with self-signed TLS/SSL on CentOS 6.2.

My install using setup-ds-admin.pl was typical, and I was able to log in to the 389-Console after installation. At that point I downloaded the script from richm: https://github.com/richm/scripts/blob/master/setupssl2.sh

I received two errors during its run (full output is at the bottom):

pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.

start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error:

[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:

I've searched for the SSL Library error to no avail. If anyone can give me a starting point I'd appreciate it.

***************************************************************************
setupssl2.sh output
***************************************************************************
Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA
Generating key. This may take a few moments...
Creating self-signed CA certificate
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host ldap.xxxxx.com
Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the real hostname you want to use
Generating key. This may take a few moments...
Creating the admin server certificate
Generating key. This may take a few moments...
Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Importing the admin server key and cert (created above)
Incorrect password/PIN entered.
pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Turning on NSSEngine
Use ldaps for config ds connections
Enabling SSL in the directory server
when prompted, provide the directory manager password
Password:
modifying entry "cn=encryption,cn=config"
modifying entry "cn=config"
adding new entry "cn=RSA,cn=encryption,cn=config"
Enabling SSL in the admin server
modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
Done. You must restart the directory server and the admin server for the changes to take effect.
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
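A small diagnostic to narrow down the "Password for slot internal is incorrect" error, added here and not part of setupssl2.sh or 389-ds: it reads the password for a token from the admin server's password file and asks certutil to open the key slot of the NSS database with it, so a mismatch between the pin file and the database shows up as a distinct exit code. The mod_nss style "token:password" line format (e.g. internal:secret) and the password.conf file name are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of setupssl2.sh. Assumes the admin server
# password file uses mod_nss style "token:password" lines (assumption).

# Print the password stored for TOKEN in a "token:password" file.
# Returns 1 if the file is unreadable or holds no line for TOKEN.
nss_token_password() {
    file=$1
    token=$2
    [ -r "$file" ] || return 1
    # first matching line, everything after the first colon
    pw=$(sed -n "s/^${token}:\(.*\)$/\1/p" "$file" | head -n 1)
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Check whether the password for TOKEN (default: internal) in PWFILE opens
# the key slot of the NSS database in DIR.
#   0  password accepted       1  wrong or missing password
#   2  certutil not available  3  DIR holds no NSS database
nss_db_password_ok() {
    dir=$1
    pwfile=$2
    token=${3:-internal}
    [ -f "$dir/cert8.db" ] || [ -f "$dir/cert9.db" ] || return 3
    command -v certutil >/dev/null 2>&1 || return 2
    pw=$(nss_token_password "$pwfile" "$token") || return 1
    # certutil -f wants a file containing only the password; keep it 0600
    tmp=$(mktemp) || return 2
    printf '%s\n' "$pw" > "$tmp"
    # -K lists private keys, which requires authenticating to the slot
    if certutil -K -d "$dir" -f "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage on the box from the post (password.conf name is an assumption):
#   nss_db_password_ok /etc/dirsrv/admin-serv /etc/dirsrv/admin-serv/password.conf; echo $?
```

Exit code 1 on the admin-serv directory means the pin file and the key database disagree, which is what the pk12util import and the admin server startup were both complaining about.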