On 8/27/20 11:27 AM, Mark Reynolds wrote:
> This is the old "archived" link - it is definitely outdated. Here's a newer one:
>
> https://www.port389.org/docs/389ds/howto/howto-ssl.html
>
> Or better yet check out the official docs which tells you how to use dsconf and set all of this up:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server
for future reference, _which_ is the "official/current documentation" site for Fedora-pkg'd 389ds?
https://access.redhat.com/documentation/en-us/red_hat_directory_server
https://directory.fedoraproject.org/docs/389ds
or
https://www.port389.org/docs/389ds
?
per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server#importing-a-private-key-and-server-certifiate
"This section describes how to import both a private key and Certificate Signing Request (CSR), if you did not create them in the NSS database using an external tool."
which _is_ my case (though, i think "import ... Certificate Signing Request (CSR)" is a typo here)
so NOT dsconf either ... but dsctl.
checking,
dsctl testinst tls import-server-key-cert -h
usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path
positional arguments:
cert_path The path to the x509 cert to import as Server-Cert
key_path The path to the x509 key to import atestinstciated to Server-Cert
optional arguments:
-h, --help show this help message and exit
exec
dsctl testinst tls import-server-key-cert \
/etc/ssl/ldap.testinst.server.crt.pem \
/etc/ssl/ldap.testinst.server.key.pem
_appears_ 'happy' to add the server cert, with no error returned
verifying
cat des.ldif
....
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: ldap.testinst.server.p12
nsSSLActivation: on
nsSSLToken: internal (software)
modifiersName: cn=directory manager
modifyTimestamp: 20200827175643Z
...
but per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#enabling_tls_in_directory_server_using_the_command_line
"Display the name of the server certificate in the NSS database: "
checking
dsctl testinst restart
dsconf -D "cn=Directory Manager" testinst security certificate list
returns
(empty)
where'd it go?
checking
tree /usr/local/etc/dirsrv/slapd-testinst/
/usr/local/etc/dirsrv/slapd-testinst/
>>> ├── cert9.db
├── certmap.conf
├── certs
??? │ ├── cert9.db
??? │ ├── key4.db
│ ├── noise.txt
│ ├── pin.txt
??? │ ├── pkcs11.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
>>> ├── key4.db
>>> ├── pkcs11.txt
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
it appears to have _ignored_ my instance's cert_dir spec'n
nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs
if I manually
cd /usr/local/etc/dirsrv/slapd-testinst/
mv -f cert9.db key4.db pkcs11.txt certs/
NOW,
dsconf -D "cn=Directory Manager" testinst security certificate list
correctly sees/lists the cert
Certificate Name: Server-Cert
Subject DN: ...
the instance-specific
dsctl testinst tls import-server-key-cert
_should_ respect the instance config, no?
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment