On 8/27/20 12:23 PM, Mark Reynolds wrote:
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server
> ^^^ This is the official documentation
Noted, thx.
I'm pretty sure I came across something/somewhere recently that explicitly stated red_hat_directory_server != fedora directory server.
Hence the confusion.
>> so NOT dsconf either ... but dsctl.
>
> You can do it with dsconf, see: "dsconf INST security --help", and "dsconf INST security certificate --help"
OK, confused more now. That's where I _started_ (up there^), and failed.
>> _should_ respect the instance config, no?
>
> If you had to copy the cert and key files into /certs for it to work then there is a bug in the server (or maybe the CLI) when it is creating the NSS database. What is in the errors log? At server startup it logs a lot of information about the security configuration. It would be great to see this logging as it could help narrow down the problem.
dsctl testinst stop
rm -f /var/log/dirsrv/slapd-testinst/*
rm -f /etc/dirsrv/slapd-testinst/certs/{cert9.db,key4.db,pkcs11.txt}
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
/etc/dirsrv/slapd-testinst
├── certmap.conf
├── certs
│ ├── noise.txt
│ ├── pin.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
2 directories, 12 files
dsctl testinst tls import-server-key-cert \
/etc/ssl/testinst.server.EC.crt.pem \
/etc/ssl/testinst.server.EC.key.pem
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
/etc/dirsrv/slapd-testinst
>>> ├── cert9.db
├── certmap.conf
├── certs
│ ├── noise.txt
│ ├── pin.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
>>> ├── key4.db
>>> ├── pkcs11.txt
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
dsctl testinst start
journalctl -f -u dirsrv@testinst.service
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.429465758 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.431266675 -0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.469911561 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470543103 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470988905 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed. Disabling SSL.
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471534047 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471982899 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.281841989 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285150261 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285636673 -0700] - NOTICE - ldbm_back_start - found 5759888k available
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286082825 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286526296 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.362425203 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
├── access
├── access.rotationinfo
├── audit
├── audit.rotationinfo
├── errors
└── errors.rotationinfo
/etc/dirsrv/slapd-testinst
├── cert9.db
├── certmap.conf
├── certs
│ ├── cert9.db
│ ├── key4.db
│ ├── noise.txt
│ ├── pin.txt
│ ├── pkcs11.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── key4.db
├── pkcs11.txt
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
cat /var/log/dirsrv/slapd-testinst/errors
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)
[27/Aug/2020:12:49:14.430826073 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.431281245 -0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.469940641 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[27/Aug/2020:12:49:14.470559053 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[27/Aug/2020:12:49:14.471001315 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed. Disabling SSL.
[27/Aug/2020:12:49:14.471547467 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
[27/Aug/2020:12:49:14.471993239 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
[27/Aug/2020:12:49:15.281878669 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[27/Aug/2020:12:49:15.285170541 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
[27/Aug/2020:12:49:15.285646883 -0700] - NOTICE - ldbm_back_start - found 5759888k available
[27/Aug/2020:12:49:15.286093875 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
[27/Aug/2020:12:49:15.286536256 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
[27/Aug/2020:12:49:15.362452333 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
dsconf -D "cn=Directory Manager" testinst security certificate list
(empty)
dsctl testinst stop
mv -f \
/etc/dirsrv/slapd-testinst/{cert9.db,key4.db,pkcs11.txt} \
/etc/dirsrv/slapd-testinst/certs/
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
├── access
├── access.rotationinfo
├── audit
├── audit.rotationinfo
├── errors
└── errors.rotationinfo
/etc/dirsrv/slapd-testinst
├── certmap.conf
├── certs
│ ├── cert9.db
│ ├── key4.db
│ ├── noise.txt
│ ├── pin.txt
│ ├── pkcs11.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
dsctl testinst start
Instance "testinst" has been started
journalctl -f -u dirsrv@testinst.service
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.528433965 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531337496 -0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531922688 -0700] - ERR - slapd_extract_key - Unable to export encrypted private key (-8187, 0).
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533254283 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533823726 -0700] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.534399188 -0700] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.535590322 -0700] - WARN - Security Initialization - SSL alert: Can't find certificate (ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536136904 -0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536679436 -0700] - ERR - Security Initialization - SSL failure: None of the cipher are valid
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537202738 -0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed. Disabling SSL2.
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537840071 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.538396543 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.347878231 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.351455605 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.352434269 -0700] - NOTICE - ldbm_back_start - found 5795920k available
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.353173411 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.356305113 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.433760066 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
cat errors
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)
[27/Aug/2020:12:55:23.530261492 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[27/Aug/2020:12:55:23.531454427 -0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
[27/Aug/2020:12:55:23.532011549 -0700] - ERR - slapd_extract_key - Unable to export encrypted private key (-8187, 0).
[27/Aug/2020:12:55:23.533352904 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[27/Aug/2020:12:55:23.533914446 -0700] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[27/Aug/2020:12:55:23.534495768 -0700] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[27/Aug/2020:12:55:23.535685673 -0700] - WARN - Security Initialization - SSL alert: Can't find certificate (ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
[27/Aug/2020:12:55:23.536229615 -0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
[27/Aug/2020:12:55:23.536760917 -0700] - ERR - Security Initialization - SSL failure: None of the cipher are valid
[27/Aug/2020:12:55:23.537284429 -0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed. Disabling SSL2.
[27/Aug/2020:12:55:23.537932561 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
[27/Aug/2020:12:55:23.538492173 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
[27/Aug/2020:12:55:24.348152922 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[27/Aug/2020:12:55:24.351606535 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
[27/Aug/2020:12:55:24.352537329 -0700] - NOTICE - ldbm_back_start - found 5795920k available
[27/Aug/2020:12:55:24.353271032 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
[27/Aug/2020:12:55:24.356407814 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
[27/Aug/2020:12:55:24.433999217 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
dsconf -D "cn=Directory Manager" testinst security certificate list
Certificate Name: Server-Cert
Subject DN: E=ssl@example.com,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
Issuer DN: E=ssl@example.com,CN=myCA_INT,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2030-08-25 00:50:38
Trust Flags: u,u,u
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
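The security-relevant point in the session above is that when the NSS database is not where the instance expects it, ns-slapd logs the failure, disables TLS, and then starts anyway, listening in plaintext on port 389. A monitoring check that only tests "is the service up" misses that. The following is an added example (it is not code from this thread or from the 389-ds project): a small Python checker that parses errors-log lines in the format shown above, reports the TLS failure entries, decides whether the instance came up plaintext-only, and separately checks the on-disk layout for NSS database files that landed in the instance directory instead of its certs/ subdirectory. The log lines and paths embedded below are constructed from what the thread shows; the list of failure marker strings is my own assumption about which messages matter.

```python
"""Check a 389 Directory Server instance for a silent TLS fallback.

Added example, not from the 389-users thread or the 389-ds project.
Assumes the errors-log line format seen in the thread:
    [dd/Mon/yyyy:HH:MM:SS.nnnnnnnnn +zzzz] - LEVEL - component - message
"""
import re
from pathlib import PurePosixPath

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<rest>.*)$")

# Message fragments that show TLS did not come up (assumed set, taken from the thread).
TLS_FAILURE_MARKERS = (
    "SSL initialization will likely fail",
    "SSL Initialization Failed",
    "SSL2 Initialization Failed",
    "Unable to authenticate",
    "None of the cipher are valid",
    "Can't find certificate",
    "Unable to retrieve private key",
)

# NSS database files the instance expects inside its certs/ subdirectory.
NSS_DB_FILES = {"cert9.db", "key4.db", "pkcs11.txt"}


def parse_line(line):
    """Return (timestamp, level, rest) for a log entry, or None for banner lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("rest")


def tls_findings(lines):
    """Return (level, message) pairs for every entry that indicates a TLS failure."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, level, rest = parsed
        if any(marker in rest for marker in TLS_FAILURE_MARKERS):
            findings.append((level, rest))
    return findings


def listener_is_plaintext_only(lines):
    """True when security was force-disabled and no LDAPS listener was reported."""
    disabled = False
    ldaps_started = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        rest = parsed[2]
        if "force_to_disable_security" in rest:
            disabled = True
        if "Listening on" in rest and "LDAPS" in rest:
            ldaps_started = True
    return disabled and not ldaps_started


def misplaced_nss_files(paths, instance_dir):
    """Return (misplaced, missing): NSS DB files sitting directly in instance_dir,
    and NSS DB files absent from instance_dir/certs."""
    inst = PurePosixPath(instance_dir)
    certs = inst / "certs"
    misplaced, present_in_certs = [], set()
    for p in paths:
        path = PurePosixPath(p)
        if path.name not in NSS_DB_FILES:
            continue
        if path.parent == certs:
            present_in_certs.add(path.name)
        elif path.parent == inst:
            misplaced.append(str(path))
    return sorted(misplaced), sorted(NSS_DB_FILES - present_in_certs)


# Constructed sample: errors log from the first start in the thread (before the mv).
SAMPLE_ERRORS_LOG = """\
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)
[27/Aug/2020:12:49:14.430826073 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.470559053 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[27/Aug/2020:12:49:14.471001315 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed. Disabling SSL.
[27/Aug/2020:12:49:15.362452333 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
""".splitlines()

# Constructed sample: the file layout right after the import command in the thread.
SAMPLE_TREE = [
    "/etc/dirsrv/slapd-testinst/cert9.db",
    "/etc/dirsrv/slapd-testinst/certmap.conf",
    "/etc/dirsrv/slapd-testinst/certs/noise.txt",
    "/etc/dirsrv/slapd-testinst/certs/pin.txt",
    "/etc/dirsrv/slapd-testinst/certs/pwdfile.txt",
    "/etc/dirsrv/slapd-testinst/key4.db",
    "/etc/dirsrv/slapd-testinst/pkcs11.txt",
]

if __name__ == "__main__":
    for level, msg in tls_findings(SAMPLE_ERRORS_LOG):
        print(f"{level}: {msg}")
    print("plaintext-only listener:", listener_is_plaintext_only(SAMPLE_ERRORS_LOG))
    print("misplaced/missing NSS files:",
          misplaced_nss_files(SAMPLE_TREE, "/etc/dirsrv/slapd-testinst"))
```

Run against a live instance, the two inputs would be the contents of /var/log/dirsrv/slapd-INST/errors and a file listing of /etc/dirsrv/slapd-INST; the useful alarm condition is `listener_is_plaintext_only(...)` being true, since that is exactly the state the thread shows: TLS disabled by the server itself, LDAP still served.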