Ian Holroyd wrote:
> I have been setting up Fedora Directory Server for use with Samba PDC
> etc. I had most aspects of this working, with SSL transport operating
> correctly, having followed the HowTo.
>
> However, I have now restarted whole system and the start-slapd will not
> work, generating the following errors: (retyped as email sent from
> another system, excuse any typos)
> [timestamp] - SSL alert: Security Initialization: Can't find certificate
> (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8174 - security library: bad database.)
> [timestamp] - SSL alert: Security Initialization: Unable to retrieve
> private key for ert Server-Cert of family cn=RSA,cn=encryption,cn=config
> (Netscape Portable Runtime error -8174 - security library: bad
> database.)
> [timestamp] - SSL failure: None of the cipher are valid
>
> Now, if (big if) I am reading this correctly, this means that it has
> failed to find the certificate named Server-Cert. I believe that this
> may be as a result of me having 'used my initiative' and changed all
> references to 'Server-Cert' in the HowTo to a personalised version of
> this (i.e. I created the certs with my own names).
>
> Start-admin fails without leaving any message (I assume because it can't
> read config information from the LDAP server).
>
> The problem, however, is that ALL documentation I have found on how to
> solve problems like this (or indeed delete and start over) refers to
> either using the console (which I cannot start without my slapd-instance
> running) or utilities like certutil which appear to fail for the same
> reason.
>
> If I understand this correctly, I am in a catch22 - I cannot start the
> LDAP server until I change the config, but I cannot change the config
> without the LDAP directory being available. So, is there ANY way to
> start FDS without SSL support (which I don't need right now anyway!) so
> that I can put-right the damage I have done by following the HowTo
> properly this time??? If not, is there any way to reinstall /
> reconfigure without scrapping my data (which took some time to build).
>

The slapd configuration DSE is backed by a flat file which you can edit
if the server is not running. Change nsslapd-security to off in the
cn=config entry in /opt/fedora-ds/slapd-instance/config/dse.ldif to get
it started, or set the nsSSLPersonalitySSL attribute to match your
certificate nickname in the cn=RSA,cn=encryption,cn=config entry (should
match the one displayed with certutil -L).

> Thanks for any thoughts,
>
> Ian Holroyd
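
The offline edit described in the reply, sketched as an added example (not part of the original thread and not an FDS tool): shell functions that read or replace one attribute inside one named entry of dse.ldif, so that changing `nsslapd-security` or `nsSSLPersonalitySSL` cannot touch a same-named line in another entry. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run only while slapd is stopped. Assumes entries are
# separated by blank lines and the DN is given as written in the file
# (compared case-insensitively); folded lines are not handled.

# get_ldif_attr FILE DN ATTR: print ATTR's value(s) from the entry DN.
get_ldif_attr() {
    awk -v dn="$2" -v attr="$3" '
        BEGIN { dn = "dn: " tolower(dn); key = tolower(attr) ": " }
        /^$/ { in_entry = 0; next }
        tolower($0) == dn { in_entry = 1; next }
        in_entry && index(tolower($0), key) == 1 {
            print substr($0, length(key) + 1)
        }
    ' "$1"
}

# set_ldif_attr FILE DN ATTR VALUE: replace ATTR in the entry DN only.
# Keeps FILE.bak; writes back in place so owner and mode are unchanged.
# An attribute that is absent from the entry is not added.
set_ldif_attr() {
    cp -p "$1" "$1.bak" || return 1
    awk -v dn="$2" -v attr="$3" -v val="$4" '
        BEGIN { dn = "dn: " tolower(dn); key = tolower(attr) ": " }
        /^$/ { in_entry = 0 }
        tolower($0) == dn { in_entry = 1 }
        in_entry && index(tolower($0), key) == 1 {
            print attr ": " val; next
        }
        { print }
    ' "$1.bak" > "$1"
}

# make_sample FILE: write a constructed, minimal dse.ldif for a dry run.
make_sample() {
    cat > "$1" <<'EOF'
dn: cn=config
cn: config
nsslapd-security: on

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: Server-Cert
EOF
}
```

Against the real file the call would be `set_ldif_attr /opt/fedora-ds/slapd-instance/config/dse.ldif cn=config nsslapd-security off`, and the value to give `nsSSLPersonalitySSL` is the nickname that `certutil -L` displays.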