Re: dirsrv-admin startup issues with SSL/TLS configuration

[Rich Megginson <rmeggins@xxxxxxxxxx>]

On 08/01/2012 08:17 AM, Arnold Werschky wrote:

Good morning,

I'm trying to set up a new install LDAP server with self signed TLS/SSL on CentOS 6.2

My install using setup-ds-admin.pl was typical, and I was able to login to the 389-Console after installation.

At that point I downloaded the script from richm : https://github.com/richm/scripts/blob/master/setupssl2.sh

I received two errors during its run (full output is at the bottom).

pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.

pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.

start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error

[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.

[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.

[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:

I've searched for the SSL Library error to no avail.  If anyone can give me a starting point I'd appreciate it.

***************************************************************************

setupssl2.sh output

***************************************************************************

Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory

No CA certificate found - will create new one

No Server Cert found - will create new one

No Admin Server Cert found - will create new one

Creating password file for security token

Creating noise file

Creating new key and cert db

Creating encryption key for CA

Generating key.  This may take a few moments...

Creating self-signed CA certificate

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?

Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?

Exporting the CA certificate to cacert.asc

Generating server certificate for 389 Directory Server on host ldap.xxxxx.com

Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN

Note: If you do not want to use this hostname, edit this script to change myhost to the

real hostname you want to use

Generating key.  This may take a few moments...

Creating the admin server certificate

Generating key.  This may take a few moments...

Exporting the admin server certificate pk12 file

pk12util: PKCS12 EXPORT SUCCESSFUL

Creating pin file for directory server

Importing the admin server key and cert (created above)

Incorrect password/PIN entered.

pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.

pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.

Hmm - this is really strange.
ls -al /etc/dirsrv/slapd-*
ls -al /etc/dirsrv/admin-serv

Importing the CA certificate from cacert.asc

Enabling the use of a password file in admin server

Turning on NSSEngine

Use ldaps for config ds connections

Enabling SSL in the directory server

when prompted, provide the directory manager password

Password:modifying entry "cn=encryption,cn=config"

modifying entry "cn=config"

adding new entry "cn=RSA,cn=encryption,cn=config"

Enabling SSL in the admin server

modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

Done.  You must restart the directory server and the admin server for the changes to take effect.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users