[root@ldap ~]# diff setupssl2.sh setupssl2.sh.orig
185c185
< pk12util -d $secdir -n server-cert -i
$secdir/adminserver.p12 -w $secdir/pwdfile.txt -k
$secdir/pwdfile.txt
---
> pk12util -d $assecdir -n server-cert -i
$secdir/adminserver.p12 -w $secdir/pwdfile.txt -k
$secdir/pwdfile.txt
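Review bot: the direction of this diff should be stated, because `diff setupssl2.sh setupssl2.sh.orig` lists the edited file first: the `<` line with `-d $secdir` is the modified command and the `>` line with `-d $assecdir` is the script's original. With `-d $secdir`, pk12util imports adminserver.p12 back into the directory server database it was just exported from (see "Exporting the admin server certificate pk12 file" in the script output below), not into the admin server's /etc/dirsrv/admin-serv database, so that database still ends up without the admin server key and certificate. The failure on the original line ("Failed to authenticate to PKCS11 slot" while importing into the admin-serv database with `-k $secdir/pwdfile.txt`) points at the password supplied for the admin-serv database rather than at the `-d` target; the change to consider is making the `-k` password file match the admin server database's password instead of redirecting the import.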
*********************************************************************
results of commands requested:
*********************************************************************
[root@ldap ~]# ls -al /etc/dirsrv/slapd-*
total 472
drwxrwx--- 3 ldap ldap 4096 Jul 31 15:01 .
drwxrwxr-x 7 root ldap 4096 Jul 31 14:03 ..
-r-------- 1 ldap ldap 2114 Jul 31 14:36 adminserver.p12
-rw-r--r-- 1 ldap root 647 Jul 31 14:36 cacert.asc
-rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db
-r--r----- 1 ldap ldap 3595 Jul 31 13:19 certmap.conf
-rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif
-rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
-rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
-r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
-rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db
-r-------- 1 ldap ldap 41 Jul 31 14:36 noise.txt
-rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
-rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
-r-------- 1 ldap ldap 67 Jul 31 14:36 pin.txt
-r-------- 1 ldap ldap 41 Jul 31 14:36 pwdfile.txt
drwxrwx--- 2 ldap ldap 4096 Jul 31 15:01 schema
-rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db
-r--r----- 1 ldap ldap 5366 Jul 31 13:19 slapd-collations.conf
[root@ldap ~]# ls -al /etc/dirsrv/admin-serv
total 196
drwx------ 2 ldap root 4096 Jul 31 15:27 .
drwxrwxr-x 7 root ldap 4096 Jul 31 14:03 ..
-rw------- 1 ldap ldap 498 Jul 31 14:36 adm.conf
-rw------- 1 ldap root 40 Jul 31 13:19 admpw
-rw-r--r-- 1 root root 3936 Mar 27 08:33 admserv.conf
-rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db
-rw------- 1 ldap ldap 4467 Jul 31 14:36 console.conf
-rw------- 1 ldap root 4467 Jul 27 18:42 console.conf.rpmsave
-rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf
-rw------- 1 ldap root 16384 Jul 31 16:05 key3.db
-rw------- 1 ldap root 13343 Jul 31 13:19 local.conf
-r-------- 1 ldap ldap 4535 Jul 31 14:36 nss.conf
-rw------- 1 ldap root 4535 Jul 27 16:20 nss.conf.rpmsave
-rw------- 1 ldap root 50 Jul 31 15:27 password.conf
-rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db
On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
On 08/01/2012 08:17 AM, Arnold Werschky wrote:
Good morning,
I'm trying to set up a new LDAP server install with self-signed TLS/SSL on CentOS 6.2.
My install using setup-ds-admin.pl was typical, and I was able to log in to the 389-Console after installation.
I received two errors during its run (full output is at the bottom).
pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.
start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error:
[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:
I've searched for the SSL Library error to no avail. If anyone can give me a starting point I'd appreciate it.
***************************************************************************
setupssl2.sh output
***************************************************************************
Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA
Generating key. This may take a few moments...
Creating self-signed CA certificate
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host ldap.xxxxx.com
Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the real hostname you want to use
Generating key. This may take a few moments...
Creating the admin server certificate
Generating key. This may take a few moments...
Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Importing the admin server key and cert (created above)
Incorrect password/PIN entered.
pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.
Hmm - this is really strange.
ls -al /etc/dirsrv/slapd-*
ls -al /etc/dirsrv/admin-serv
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Turning on NSSEngine
Use ldaps for config ds connections
Enabling SSL in the directory server
when prompted, provide the directory manager password
Password:modifying entry "cn=encryption,cn=config"
modifying entry "cn=config"
adding new entry "cn=RSA,cn=encryption,cn=config"
Enabling SSL in the admin server
modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
Done. You must restart the directory server and the admin server for the changes to take effect.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users