i've installed
ns-slapd -v
389 Project
389-Directory/1.4.3.12 B2020.213.0000
on
grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
a server instance is up
dsctl testinst status
Instance "testinst" is running
i check for cipher support
dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
setup security, enabling those ciphers
dsconf -D "cn=Directory Manager" testinst security set \
--security on \
--listen-host ldap.testinst.example.com \
--secure-port 636 \
--tls-protocol-min 3.3 \
--allow-insecure-ciphers off \
--allow-weak-dh-param off \
--cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
dsconf -D "cn=Directory Manager" testinst security ciphers list
+TLS_CHACHA20_POLY1305_SHA256
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
bundle my EC cert & key into a pkcs12
openssl pkcs12 -export \
-in testinst.server.EC.crt \
-inkey testinst.server.EC.key \
-out testinst.server.EC.p12 \
-name Server-Cert
verify it
openssl pkcs12 -info -in testinst.server.EC.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 52 ... E3
friendlyName: Server-Cert
subject=...
-----BEGIN CERTIFICATE-----
MII...dBn
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 52 ... E3
friendlyName: Server-Cert
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MII...6Fa
-----END ENCRYPTED PRIVATE KEY-----
add my CA cert
dsconf -D "cn=Directory Manager" testinst security ca-certificate add \
--file /src/ssl/myCA.chain.crt \
--name myCA.chain.crt
and, finally, attempt to add my just-created .p12
dsconf -D "cn=Directory Manager" testinst security certificate add \
--file /src/ssl/testinst.server.EC.p12 \
--name ldap.testinst.server.p12 \
--primary-cert
the attempt FAILs,
Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.
manually exec'ing that^ failed cmd
/usr/bin/certutil \
-A \
-d /etc/dirsrv/slapd-testinst/certs \
-n ldap.testinst.server.p12 \
-t,, \
-i /src/ssl/testinst.server.EC.p12 \
-a \
-f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt
returns
certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error.
my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here.
what's the cause of the problem here?
my usage? 389ds capabilities/support?
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment