problem with SSL


 



2010/12/14 Rich Megginson <rmeggins at redhat.com>

>  On 12/14/2010 01:51 AM, remy d1 wrote:
>
> Hi list,
>
>  I have followed the instructions of the SSL Howto, but I am still stuck
> at the SSL activation.
>
>  From a clean installation, I try to launch the setupssl.sh script, but at
> the end, I have
>
> ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
>
>
> There is no specific configuration except that I use the port 9831 for my
> DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I
> do not want to migrate (it is for testing)). I have modified the setupssl
> script to execute on this port.
>
> What version of 389-ds-base?  What platform?
>


389-ds-base-1.2.7.2-1.fc13.x86_64

Fedora 13
Linux 2.6.34.7-56.fc13.x86_64 #1 SMP




If I just try the end of the script, you can see the error:

  ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOF
 dn: cn=encryption,cn=config
 changetype: modify
 replace: nsSSL3
 nsSSL3: on
 -
 replace: nsSSLClientAuth
 nsSSLClientAuth: allowed
 -
 add: nsSSL3Ciphers
 nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_qsha

> Did you modify the script in any other way, other than changing the port
> number?  Because the Ciphers attribute LDIF does not look correct.  Each of
> the continuation lines should begin with a single space character - these
> continuation lines look left justified.
>

I changed the name of "myhost" to put a "real hostname" corresponding to my
domain. I will try to insert a space before each line.

>
>
>   dn: cn=config
>  changetype: modify
>  add: nsslapd-security
>  nsslapd-security: on
>  -
>   replace: nsslapd-ssl-check-hostname
>  nsslapd-ssl-check-hostname: off
>  -
>  replace: nsslapd-secureport
>  nsslapd-secureport: 636
>
>   dn: cn=RSA,cn=encryption,cn=config
>  changetype: add
>  objectclass: top
>  objectclass: nsEncryptionModule
>  cn: RSA
>  nsSSLPersonalitySSL: Server-Cert
>  nsSSLToken: internal (software)
>  nsSSLActivation: on
>
>   EOF
>
>   Enter LDAP Password:
>  ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
>
>
>  I have checked every part of this LDIF data. The error is here:
>
>  nsSSL3Ciphers:
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
> +tls_rsa_export1024_with_des_cbc_qsha
>
>
> But if I do the modifications except this piece of code, ldaps can be
> started on port 636, but the cert files could not be loaded by dirsrv,
> so I cannot make any request over SSL...
>
> If you do not successfully complete TLS/SSL configuration, you will almost
> always find that TLS/SSL is not working correctly.
>
> What errors do you get?  Error codes?
>

Red Hat Link with error codes "14.2.7. Updating Attribute Encryption for New
SSL/TLS Certificates" :

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html


Another error :

Starting dirsrv:
    KingKong...[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning:
certificate DB file cert8.db nor cert7.db exists in
[/etc/dirsrv/slapd-KingKong] - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: key DB file
/etc/dirsrv/slapd-KingKong/key3.db does not exist - SSL initialization will
likely fail
[16/Dec/2010:13:52:16 +0100] - SSL alert: Security Initialization: Unable to
authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred
during security authorization.)
[16/Dec/2010:13:52:16 +0100] - ERROR: SSL Initialization Failed.


>  I also tried to:
>  - edit the dse.ldif file in the dirsrv DS configuration directory and delete
> the line corresponding to the cert files as the Red Hat documentation tells
> (after stopping the dirsrv service).
>
> Since you did not successfully complete TLS/SSL configuration, you will
> find that TLS/SSL is not working correctly.
>
> Can you provide a link to the Red Hat docs?
>
>  We can see that dirsrv reloads the cert files in the dse.ldif file, but it
> changed nothing.
>  - delete every *.db and *.txt file and cacert.csa. Then, if I re-execute
> setupssl.sh, it generates the cert files, but (again), there are no
> changes...
>
>  Obviously, if I open 389-console, I could see this string in the
> properties of "cn=encryption,cn=config".
>
> Including all of the ciphers in the Ciphers attribute?
>

Yes !



********


Following the debugging:

Finally, it works...!

I downloaded setupssl2.sh again with the correct spaces (for the ciphers) and
executed it. After removing the cert files (cacert, db, txt files) in
/etc/dirsrv/slapd-instance/ I could launch ldaps correctly.

#./setupssl2.sh /etc/dirsrv/slapd-KingKong/ 9831

Using /etc/dirsrv/slapd-KingKong/ as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA


Generating key.  This may take a few moments...

Creating self-signed CA certificate


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host
KingKong.mylocaldomain.com
Using fully qualified hostname KingKong.mylocaldomain.com for the server
name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change
myhost to the
real hostname you want to use


Generating key.  This may take a few moments...

Creating the admin server certificate


Generating key.  This may take a few moments...

Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Creating key and cert db for admin server
Importing the admin server key and cert (created above)
pk12util: PKCS12 IMPORT SUCCESSFUL
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Enabling SSL in the directory server - when prompted, provide the directory
manager password
Enter LDAP Password:

-> Here, I could launch dirsrv (in another shell window).


modifying entry "cn=encryption,cn=config"
ldap_modify: Type or value exists (20)


Now, after restarting dirsrv server and adding this :

# vi ~/.ldaprc
# TLS_CACERT <path-to-ca>.pem
TLS_REQCERT allow


I could launch ldaps request on my server.

Thanks;

Regards.

>
>  I have checked my real hostname and other things specified in the
> documentation... I know that I do not use the standard LDAP port but I do
> not see why this section could not work... Other LDAP requests on this port
> work.
>
>  Sorry for my bad English...
>
>  Any help would be graceful!
>
>  Regards;
>
> Rémy
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

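The LDIF folding rule Rich points to (a wrapped value continues on a line that starts with exactly one space, RFC 2849) can be checked before a heredoc is handed to ldapmodify. The following is an added example, not code from the thread or from the 389-ds project; the two LDIF samples are constructed from the heredoc posted above, and the function names are my own.

```python
def unfold_ldif(text):
    """Unfold RFC 2849 LDIF. Returns (pairs, errors): pairs is a list of
    (attr, value) for every logical line ('-' separators kept as ('-', '')),
    errors is a list of (line_no, text) for logical lines with no 'attr:'."""
    pairs, errors, pending = [], [], None  # pending: (line_no, logical line)

    def flush():
        nonlocal pending
        if pending is None:
            return
        line_no, buf = pending
        pending = None
        if buf == "-":
            pairs.append(("-", ""))
        elif ":" in buf:
            attr, _, val = buf.partition(":")
            pairs.append((attr.strip(), val.strip()))
        else:  # a left-justified continuation lands here: no attribute name
            errors.append((line_no, buf))

    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith(" ") and pending is not None:
            pending = (pending[0], pending[1] + line[1:])  # drop the one space
            continue
        flush()
        if line and not line.startswith("#"):
            pending = (no, line)
    flush()
    return pairs, errors

def parse_cipher_spec(value):
    """Split a 389-ds '+name,-name' cipher string into (enabled, disabled)."""
    enabled, disabled = set(), set()
    for tok in filter(None, (t.strip() for t in value.split(","))):
        (disabled if tok.startswith("-") else enabled).add(tok.lstrip("+-"))
    return enabled, disabled

# Constructed from the thread's heredoc: the cipher attribute as posted (no
# leading spaces) and as corrected (one space before each continuation line).
CIPHER_LINES = [  # the four physical lines that followed "nsSSL3Ciphers:"
    "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,",
    "+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,",
    "+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,",
    "+tls_rsa_export1024_with_des_cbc_qsha"]
HEAD = ["dn: cn=encryption,cn=config", "changetype: modify", "replace: nsSSL3",
        "nsSSL3: on", "-", "replace: nsSSLClientAuth", "nsSSLClientAuth: allowed",
        "-", "add: nsSSL3Ciphers", "nsSSL3Ciphers:"]
BROKEN_LDIF = "\n".join(HEAD + CIPHER_LINES) + "\n"
FIXED_LDIF = "\n".join(HEAD + [" " + c for c in CIPHER_LINES]) + "\n"
```

On BROKEN_LDIF the first reported error is physical line 11, the same line number ldapmodify printed in the thread, and nsSSL3Ciphers ends up empty; on FIXED_LDIF the value unfolds into the full 13-entry list.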
