Problems with SSL


 



Ski Kacoroski wrote:
> Rich,
> 
> Thanks very much for your replies.  I tried again with no luck.  I had 
> it working with the self-signed cert using setupssl2.sh.  I changed the 
> password on the database to one I could type and verified that it worked 
> ok.  I then added in my star cert, removed the self-signed certs, and 
> stopped the services.  When I tried to restart I get this error:
> 
> [root@ldaptest slapd-nsd-org]# service dirsrv start
> Starting dirsrv:
>      nsd-org...[03/Mar/2010:09:09:25 -0800] - SSL alert: Security 
> Initialization: Can't find certificate (CA certificate) for family 
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - 
> security library: bad database.)
> [03/Mar/2010:09:09:25 -0800] - SSL alert: Security Initialization: 
> Unable to retrieve private key for cert CA certificate of family 
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - 
> security library: bad database.)
> [03/Mar/2010:09:09:25 -0800] - SSL failure: None of the cipher are valid
> [03/Mar/2010:09:09:25 -0800] - ERROR: SSL Initialization phase 2 Failed.
>                                                             [FAILED]
>    *** Warning: 1 instance(s) failed to start
> 
> I use digicert as my authority.  They have options for the certs when I 
> get them (e.g. Apache, Tomcat, Java, etc.).  I have been choosing Apache 
> and it seems to install just fine.  Perhaps I need to choose a different 
> type?
> 
> It looks like by adding in my cert and removing my old certs, it trashed 
> the database somehow.
> 
> certutil -P ldaptest -d . -L
> certutil: function failed: security library: bad database.
> 
> I am going to do another reinstall and try again.  Do you know of any 
> documentation for using non-self-signed certs with 389 directory server? 
> All the docs I find are for self-signed certs.

The problem is in the error message: Unable to retrieve private key for 
cert.

You need the private key for this certificate. The easiest way is to load 
it into NSS using the PKCS#12 format, as Rich suggested. If you have the 
key and cert stored as PEM files, common with openssl, see the openssl 
pkcs12 man page.

rob
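
The PEM-to-PKCS#12 route described in the reply above, as an added example that is not part of the original thread: it checks that the private key belongs to the certificate, bundles both into one PKCS#12 file, and imports that file into the NSS database with pk12util. The file names, the "Server-Cert" nickname, the password file and the throwaway sample certificate are assumptions made for illustration.

```shell
# Added example: PEM key + cert -> PKCS#12 -> NSS database.
# File names, the "Server-Cert" nickname and the password file are assumptions.

pub_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pub_of_key()  { openssl pkey -in "$1" -pubout; }

# Succeeds only when the private key belongs to the certificate.
key_matches_cert() {  # usage: key_matches_cert cert.pem key.pem
  c=$(pub_of_cert "$1" 2>/dev/null) && k=$(pub_of_key "$2" 2>/dev/null) &&
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Bundle cert and key into one PKCS#12 file; refuse a mismatched pair.
make_p12() {  # usage: make_p12 cert.pem key.pem out.p12 nickname passfile
  key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
    -out "$3" -passout "file:$5"
}

# Confirm the bundle really carries a private key before importing it.
p12_has_key() {  # usage: p12_has_key in.p12 passfile
  openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# Import into the NSS database, then list its private keys.
import_p12() {  # usage: import_p12 in.p12 passfile [nss_db_dir]
  pk12util -i "$1" -w "$2" -d "${3:-.}" && certutil -K -d "${3:-.}"
}

# Constructed sample input: throwaway wildcard cert, its key, an unrelated key.
make_sample() {  # usage: make_sample dir
  printf 'constructed-pass\n' > "$1/pw" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=*.example.test' -keyout "$1/key.pem" -out "$1/cert.pem" \
    2>/dev/null &&
  openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}
```

For a CA-issued certificate, `openssl pkcs12 -export` also accepts `-certfile` to include the issuer's chain in the bundle. `import_p12` prompts for the NSS database password and is meant to be run against the instance's certificate directory.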

