Re: Trying to follow the howto ssl from wiki

Can anyone else point me to any howto on this? This process seems to
be destructive. If anything goes wrong, fds will not start, making it
very hard to roll back the changes to the database. I end up just
removing the entire installation and starting over.

My fallback plan is to use stunnel or some other proxy.

On Fri, Jun 20, 2008 at 3:40 PM, Edward Capriolo <edlinuxguru at gmail.com> wrote:
> I was attempting to follow...http://directory.fedoraproject.org/wiki/Howto:SSL
> I first ran the script
> http://directory.fedoraproject.org/download/setupssl2.sh After
> completing fds would not start. I rein
> I eventually ended up reading the script and running every operation
> step by step. That was quite an ordeal. All the steps ran, however, with no
> errors.
>
> [root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
>    ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> I replaced the data inside pin.txt with :
>
> Internal (Software) Token:dirserv_cert_password
>
> But I am still getting the same message. Is this just a bogus message?
> Could the problem be elsewhere?
>
>
> Thanks in advance.
> (ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>  (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' >
> /etc/dirsrv/slapd-ldapslave1/noise.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt
>  certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db
> chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db
> chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db
> certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate"
> -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt
> -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA
> certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc
> pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o
> /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
> certutil -S -P new- -n "Server-Cert" -s
> "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA
> certificate" -t "u,u,u" -m 1001 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1/ -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt  -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> certutil -S -P new- -n "server-cert" -s
> "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA
> certificate" -t "u,u,u" -m 1002 -v 120 -d
> /etc/dirsrv/slapd-ldapslave1/ -z
> /etc/dirsrv/slapd-ldapslave1/noise.txt -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o
> /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12
> chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12
>
> cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt >
> /etc/dirsrv/slapd-ldapslave1/pin.txt
>
> chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt
>
> mv /etc/dirsrv/slapd-ldapslave1/cert8.db
> /etc/dirsrv/slapd-ldapslave1/orig-cert8.db
> mv /etc/dirsrv/slapd-ldapslave1/key3.db
> /etc/dirsrv/slapd-ldapslave1/orig-key3.db
>
>
> certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
> [root at ldapslave1 tmp]# chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
>
> pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n
> server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k
> /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
>
> certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA
> certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc
>
> cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt >
> /etc/dirsrv/slapd-ldapslave1/password.conf
>
> chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf
> chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf
>
> sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog
> file:/etc/dirsrv/slapd-ldapslave1/password/conf
>
> mv /etc/dirsrv/slapd-ldapslave1/new-key3.db
> /etc/dirsrv/slapd-ldapslave1/key3.db
> mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db
> /etc/dirsrv/slapd-ldapslave1/cert8.db
>
>
> ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W <<EOF
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>  +tls_rsa_export1024_with_des_cbc_sha
>
> dn: cn=config
> changetype: modify
> add: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
> EOF
>
>
> [root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
> Starting dirsrv:
>    ldapslave1...Warning: Incorrect PIN may result in disabling the token
> Enter PIN for Internal (Software) Token:
>
> Any hints thanks!
>
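Added example, not from this thread or the Fedora Directory Server project: a POSIX sh helper that writes pin.txt in the `<token name>:<password>` form dirsrv reads at startup, taking the password from the same pwdfile that was passed to `certutil -N -f`, and a check that flags a pin.txt whose prefix or password does not match (the plain `cat pwdfile.txt > pin.txt` step quoted above produces a file with no token prefix). It assumes the default software token name "Internal (Software) Token"; paths and the sample password are constructed placeholders.

```shell
#!/bin/sh
# pin.txt must hold one line:  <token name>:<password>
# where <password> is byte-for-byte the first line of the pwdfile given to
# `certutil -N -f` (in the thread that line is the whole sha1sum output,
# trailing "  -" included) and <token name> is the NSS token holding the key.
TOKEN="Internal (Software) Token"   # assumption: default software token

# make_pin_file PWDFILE PINFILE
# Writes PINFILE as "TOKEN:<first line of PWDFILE>" with mode 0400.
make_pin_file() {
    pwdfile=$1; pinfile=$2
    password=$(head -n 1 "$pwdfile")
    [ -n "$password" ] || { echo "empty password in $pwdfile" >&2; return 1; }
    umask 077
    printf '%s:%s\n' "$TOKEN" "$password" > "$pinfile" || return 1
    chmod 400 "$pinfile"
}

# check_pin_file PWDFILE PINFILE
# Returns 0 when PINFILE carries the token prefix, its password equals the
# first line of PWDFILE, and the file is owner-readable only.
check_pin_file() {
    pwdfile=$1; pinfile=$2
    line=$(head -n 1 "$pinfile")
    case $line in
        "$TOKEN":*) ;;
        *) echo "$pinfile lacks the '$TOKEN:' prefix" >&2; return 1 ;;
    esac
    pin=${line#"$TOKEN":}
    [ "$pin" = "$(head -n 1 "$pwdfile")" ] || {
        echo "$pinfile password does not match $pwdfile" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    perms=$(stat -c %a "$pinfile" 2>/dev/null || stat -f %Lp "$pinfile")
    case $perms in
        [4-7]00) return 0 ;;
        *) echo "$pinfile is readable by group/other (mode $perms)" >&2; return 1 ;;
    esac
}
```

Run `check_pin_file` against the live pwdfile.txt and pin.txt before `/etc/init.d/dirsrv start`; a non-zero exit explains why the PIN prompt would appear.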