Fedora Info: [389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

On 8/27/20 1:17 PM, PGNet Dev wrote:
> i've installed
>
> ns-slapd -v
> 389 Project
> 389-Directory/1.4.3.12 B2020.213.0000
>
> on
>
> grep PRETTY /etc/os-release
> PRETTY_NAME="Fedora 32 (Server Edition)"
>
> a server instance is up
>
> dsctl testinst status
> Instance "testinst" is running
>
> i check for cipher support
>
> dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha
> TLS_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>
> setup security, enabling those ciphers
>
> dsconf -D "cn=Directory Manager" testinst security set \
> --security on \
> --listen-host ldap.testinst.example.com \
> --secure-port 636 \
> --tls-protocol-min 3.3 \
> --allow-insecure-ciphers off \
> --allow-weak-dh-param off \
> --cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
>
> dsconf -D "cn=Directory Manager" testinst security ciphers list
> +TLS_CHACHA20_POLY1305_SHA256
> +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
>
> bundle my EC cert & key into a pkcs12
>
> openssl pkcs12 -export \
> -in testinst.server.EC.crt \
> -inkey testinst.server.EC.key \
> -out testinst.server.EC.p12 \
> -name Server-Cert
>
> verify it
>
> openssl pkcs12 -info -in testinst.server.EC.p12
> Enter Import Password:
> MAC: sha1, Iteration 2048
> MAC length: 20, salt length: 8
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Certificate bag
> Bag Attributes
> localKeyID: 52 ... E3
> friendlyName: Server-Cert
> subject=...
>
> -----BEGIN CERTIFICATE-----
> MII...dBn
> -----END CERTIFICATE-----
> PKCS7 Data
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
> Bag Attributes
> localKeyID: 52 ... E3
> friendlyName: Server-Cert
> Key Attributes: <No Attributes>
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MII...6Fa
> -----END ENCRYPTED PRIVATE KEY-----
>
> add my CA cert
>
> dsconf -D "cn=Directory Manager" testinst security ca-certificate add \
> --file /src/ssl/myCA.chain.crt \
> --name myCA.chain.crt
>
> and, finally, attempt to add my just-created .p12
>
> dsconf -D "cn=Directory Manager" testinst security certificate add \
> --file /src/ssl/testinst.server.EC.p12 \
> --name ldap.testinst.server.p12 \
> --primary-cert
>
> the attempt FAILs,
>
> Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.
>
> manually exec'ing that^ failed cmd
>
> /usr/bin/certutil \
> -A \
> -d /etc/dirsrv/slapd-testinst/certs \
> -n ldap.testinst.server.p12 \
> -t,, \
> -i /src/ssl/testinst.server.EC.p12 \
> -a \
> -f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt
>
> returns
>
> certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error.
>
> my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here.
>
> what's the cause of the problem here?
>
> my usage? 389ds capabilities/support?

A few things here. The server's securtity/certificate directory is
typically /etc/dirsrv/slapd-INSTANCE, so that is what you should use
with the "-d" option with certutil. You listed a subdirectory which is
probably not correct and SELinux might not like it. Use the same value
for "-d" that is returned by this command:

# dsconf INSTANCE config get nsslapd-certdir ---> if you use
the instance name (INSTANCE) then dsconf uses LDAPI to authenticate if
you are root (little easier to type)

# dsconf testinst config get nsslapd-certdir

Also the SSL min version should be 1.1, 1.2, or 1.3, yours is set to 3.3
(definitely not valid - it is probably generating an error in the logs,
but unrelated to the current problem).

HTH,

Mark

> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

Fedora Info

Thursday, August 27, 2020

[389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

No comments:

Post a Comment