Thursday, August 27, 2020

[389-users] Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

On 8/27/20 3:10 PM, PGNet Dev wrote:
> On 8/27/20 11:27 AM, Mark Reynolds wrote:
>> This is the old "archived" link - it is definitely outdated. Here's a newer one:
>>
>> https://www.port389.org/docs/389ds/howto/howto-ssl.html
>>
>> Or better yet check out the official docs which tells you how to use dsconf and set all of this up:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server
> for future reference, _which_ is the "official/current documentation" site for Fedora-pkg'd 389ds?
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server
^^^  This is the official documentation
> https://directory.fedoraproject.org/docs/389ds
This is our wiki, it's the same as port389.org - it's an alias
>
> or
>
> https://www.port389.org/docs/389ds

This is the link we encourage people to use, but it's the same thing as
directory.fedoraproject.org

Mark

>
>
> ?
>
> per,
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server#importing-a-private-key-and-server-certifiate
>
> "This section describes how to import both a private key and Certificate Signing Request (CSR), if you did not create them in the NSS database using an external tool."
>
> which _is_ my case (though, i think "import ... Certificate Signing Request (CSR)" is a typo here)
>
> so NOT dsconf either ... but dsctl.
>
> checking,
>
> dsctl testinst tls import-server-key-cert -h
> usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path
>
> positional arguments:
> cert_path The path to the x509 cert to import as Server-Cert
> key_path The path to the x509 key to import atestinstciated to Server-Cert
>
> optional arguments:
> -h, --help show this help message and exit
>
> exec
>
> dsctl testinst tls import-server-key-cert \
> /etc/ssl/ldap.testinst.server.crt.pem \
> /etc/ssl/ldap.testinst.server.key.pem
>
> _appears_ 'happy' to add the server cert, with no error returned
>
> verifying
>
> cat des.ldif
> ....
> dn: cn=RSA,cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: ldap.testinst.server.p12
> nsSSLActivation: on
> nsSSLToken: internal (software)
> modifiersName: cn=directory manager
> modifyTimestamp: 20200827175643Z
> ...
>
> but per,
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#enabling_tls_in_directory_server_using_the_command_line
> "Display the name of the server certificate in the NSS database: "
>
> checking
>
> dsctl testinst restart
> dsconf -D "cn=Directory Manager" testinst security certificate list
>
> returns
>
> (empty)
>
> where'd it go?
>
> checking
>
> tree /usr/local/etc/dirsrv/slapd-testinst/
> /usr/local/etc/dirsrv/slapd-testinst/
>>>> ├── cert9.db
> ├── certmap.conf
> ├── certs
> ??? │   ├── cert9.db
> ??? │   ├── key4.db
> │   ├── noise.txt
> │   ├── pin.txt
> ??? │   ├── pkcs11.txt
> │   └── pwdfile.txt
> ├── dse.ldif
> ├── dse.ldif.bak
> ├── dse.ldif.startOK
>>>> ├── key4.db
>>>> ├── pkcs11.txt
> ├── schema
> │   └── 99user.ldif
> └── slapd-collations.conf
>
> it appears to have _ignored_ my instance's cert_dir spec'n
>
> nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs
>
>
> if I manually
>
> cd /usr/local/etc/dirsrv/slapd-testinst/
> mv -f cert9.db key4.db pkcs11.txt certs/
>
> NOW,
>
> dsconf -D "cn=Directory Manager" testinst security certificate list
>
> correctly sees/lists the cert
>
> Certificate Name: Server-Cert
> Subject DN: ...
>
> the instance-specific
>
> dsctl testinst tls import-server-key-cert
>
> _should_ respect the instance config, no?
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

No comments:

Post a Comment