> What exactly were you trying to do? Were you trying to change the server certificate name to a different one?
Correct, I was trying to set it to use a "proper" cert issued by LetsEncrypt
I imported the Let's Encrypt cert, which I had converted to PKCS#12. Then I tried, via the Cockpit security settings, to select it from the drop-down. It was listed and let me save, but when I restarted the instance and refreshed Cockpit it reverted to "Server-Cert".
I didn't notice anything at first in the error log, but after setting in dse.ldif I noticed this in errors.
"CERT_VerifyCertificateNow: verify certificate failed for cert MyCert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired"
This made me realise I'd used the older PKCS#12 I had lying about. At that point I used certutil to replace it (i.e. deleted it, and re-added it to the keystore) and restarted without issue.
I thought it may be because it was expired that it wasn't saving, but I've just tried doing the same thing with a new cert as a test and get the same result.
1) Convert LE to pkcs12
/usr/bin/openssl pkcs12 -export \
-in $LE_DIR/cert.pem \
-inkey $LE_DIR/privkey.pem \
-out $LE_DIR/$HOSTNAME.p12 -name $HOSTNAME \
-certfile $LE_DIR/chain.pem -caname LE-CHAIN \
-password pass:$P12_PWD
2) Import to keystore
pk12util -i $LE_DIR/$HOSTNAME.p12 -d /etc/dirsrv/slapd-<INSTANCE>/ -K $LDAP_STORE_PWD -W $P12_PWD
3) At this point I can see it and select it in the Cockpit security settings, and save. But after restarting the instance, it reverts to the previous cert that was selected (MyCert).
Tailing the log at the point of saving the setting in Cockpit, I have found just this:
[14/Aug/2022:22:53:08.686135019 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifiersname" is not allowed, ignoring!
[14/Aug/2022:22:53:08.687311089 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifytimestamp" is not allowed, ignoring!
[14/Aug/2022:22:53:08.687839552 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifiersname" is not allowed, ignoring!
[14/Aug/2022:22:53:08.688445652 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifytimestamp" is not allowed, ignoring!
However, on checking, I see that when I change other settings (for example Paged Search Size Limit), they do seem to stick.
All the best
Dan
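As an added example (not part of the post above or of 389-ds itself), the same two steps wrapped in shell functions that first refuse an expired certificate, confirm the nickname really landed in the NSS database, and then read back which nickname the instance is configured to load from dse.ldif. Directory paths, the LE_DIR/HOSTNAME/INSTANCE naming and the passwords are assumptions; the `nsSSLPersonalitySSL` attribute under `cn=RSA,cn=encryption,cn=config` is the standard 389-ds setting for the server cert nickname.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl, pk12util
# and certutil are installed and that the caller supplies the paths/passwords.
set -eu

# Succeed only if the certificate stays valid for at least $2 more days.
# This catches the mistake described in the post (importing an old .p12
# whose certificate had already expired).
check_not_expired() {
    cert=$1; days=${2:-1}
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Step 1 from the post, with a space before each line continuation so the
# arguments are not glued together.
convert_to_p12() {
    le_dir=$1; name=$2; p12_pwd=$3
    openssl pkcs12 -export \
        -in "$le_dir/cert.pem" \
        -inkey "$le_dir/privkey.pem" \
        -certfile "$le_dir/chain.pem" -caname LE-CHAIN \
        -name "$name" \
        -out "$le_dir/$name.p12" \
        -password "pass:$p12_pwd"
}

# Step 2 from the post, then verify the nickname is present in the NSS DB
# (certutil -L prints one "nickname   trust-flags" line per certificate).
import_to_nssdb() {
    p12=$1; name=$2; dbdir=$3; db_pwd=$4; p12_pwd=$5
    pk12util -i "$p12" -d "$dbdir" -K "$db_pwd" -W "$p12_pwd"
    certutil -L -d "$dbdir" | grep -q "^$name[[:space:]]"
}

# Print the nickname the server will load after a restart: the value of
# nsSSLPersonalitySSL in the cn=RSA,cn=encryption,cn=config entry of dse.ldif.
# Comparing this with the Cockpit drop-down shows whether the save reached disk.
configured_nickname() {
    dse=$1
    sed -n '/^dn: cn=RSA,cn=encryption,cn=config/,/^$/p' "$dse" \
        | sed -n 's/^nsSSLPersonalitySSL: //p'
}

# Typical use (assumed paths):
#   check_not_expired "$LE_DIR/cert.pem" 7
#   convert_to_p12 "$LE_DIR" "$HOSTNAME" "$P12_PWD"
#   import_to_nssdb "$LE_DIR/$HOSTNAME.p12" "$HOSTNAME" \
#       "/etc/dirsrv/slapd-$INSTANCE" "$LDAP_STORE_PWD" "$P12_PWD"
#   configured_nickname "/etc/dirsrv/slapd-$INSTANCE/dse.ldif"
```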