Tuesday, April 28, 2020

[389-users] Help getting 389ds working with TLS certs

I have a new 389 installation running on Centos 8. I'm trying to follow the https://directory.fedoraproject.org/docs/389ds/howto/howto-install-389.html and https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html instructions. However, once I enable TLS, my instance no longer starts up and I get the following error:

[26/Apr/2020:17:09:55.928293129 +0000] - ERR - attrcrypt_fetch_private_key - Can't find certificate server-cert: -5950 - File not found.
[26/Apr/2020:17:09:55.928654096 +0000] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert server-cert: -5950 - File not found.

This is the ldif I'm using to configure TLS:

dn: cn=ECDSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: ECDSA
nsSSLPersonalitySSL: ldap2.mydomain.com
nsSSLActivation: on
nsSSLToken: Internal (Software)

and

dn: cn=encryption,cn=config
changetype: modify
add: sslVersionMin
sslVersionMin: TLS1.2

I also deleted the cn=RSA object as these are ECDSA certificates. Note that yes, I did change the name of the cert. So I have no idea why it is looking for server-cert.

Two questions. Once I turn on TLS,by setting nsslapd-security, the instance no longer starts. Is there a way to revert the latest configuration change so that I can get the instance started and fix it? So far I've been having to recreate the instance completely.

Second, what did I break? How do I get TLS working on my instance?

Thanks

Scott



No comments:

Post a Comment