Installation appears to go fine until it tries to start the admin server:

    Configuration directory server URL [ldap://<local FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
    ...
    CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
    ...
    output: Server failed to start !!! Please check errors log for problems
    output: [FAILED]

/var/log/dirsrv/admin-serv/error:

    [Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
    [Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-12285:Unable to find the certificate or key necessary for authentication.]. Cannot start server

The server has, however, successfully registered itself with the remote Configuration Directory Server (it shows up in the server group in 389-Console and Directory Server is available).

I wasn’t asked to provide a keystore password when adding the certificate to the store, as you would be with the 389-Console GUI when first opening the certificate store. Is that intentional or not?

I’m now a bit stumped (again). I had a look at the certdb with certutil:

    [root@<host> admin-serv]# certutil -d . -L

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA certificate                                               CT,,

Which leads me to believe that it should be able to at least find the certificate... I also checked file/directory ownership and permissions, which match those on the working ‘master’ server.

Installer issue: if you make a mistake and get asked to try again (I typed the ldaps port as 633 instead of 636), you get stuck at the CA certificate filename stage with the following:

    CA certificate filename [/etc/openldap/cacerts/CAServer.crt]:
    The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate.
    Please remove it first, or use the certutil program to add the CA certificate with a different name.
    Please try again, in case you mis-typed something.

A simple enough solution, as for me this is a fresh install, is to delete cert8.db and keys3.db in /etc/dirsrv/admin-serv/ from another session.

-------------------------------------------------------------------
GreeNRB NRB, daring to commit |
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
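Added example, not from the post or from the 389 project: a small shell check that parses a saved `certutil -L` listing (the format quoted above) and reports whether the NSS database holds a trusted CA certificate (`C` in the SSL trust column) and a certificate that has a private key in the database (NSS trust flag `u`). The listing in the post has the former but no `u` entry, which is the first thing to look at when NSS reports that it cannot find the certificate or key needed for authentication. Both listings below are constructed samples.

```shell
#!/bin/sh
# Read a `certutil -d <dir> -L` listing on stdin, print "ca=<n> user=<n>",
# and exit 0 only if the database has both a trusted CA and a cert with a key.
nss_listing_check() {
    awk '
        # Skip the two header lines and blank lines; each entry ends in a
        # trust-flag field such as CT,, or u,u,u (SSL,S/MIME,JAR/XPI columns).
        /^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME/ || /^[ \t]*$/ { next }
        {
            flags = $NF
            split(flags, col, ",")
            if (col[1] ~ /C/) ca++      # C in the SSL column: trusted CA cert
            if (flags ~ /u/)  user++    # u flag: private key present in key db
        }
        END {
            printf "ca=%d user=%d\n", ca + 0, user + 0
            exit (ca > 0 && user > 0) ? 0 : 1
        }
    '
}

# Constructed sample reproducing the listing quoted in the post: CA only.
posted_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
EOF
}

# Constructed sample of a database that also holds a server cert with its key.
complete_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
server-cert                                                  u,u,u
EOF
}

# Stand-alone run: report on both samples (a real run would pipe in
# `certutil -d /etc/dirsrv/admin-serv -L` instead of the samples).
for sample in posted_listing complete_listing; do
    if "$sample" | nss_listing_check; then
        echo "$sample: CA and key-backed certificate present"
    else
        echo "$sample: missing a trusted CA or a certificate with a key"
    fi
done
```

Against a live server the same check is `certutil -d /etc/dirsrv/admin-serv -L | nss_listing_check`.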