Re: dirsrv-admin startup issues with SSL/TLS configuration [solved]

[Arnold Werschky <ag+389@xxxxxxxxxxxx>]

This issue was solved with a total reinstall.  I believe I had messed up the configuration somehow with trying to install multiple times.

In addition, the script should not be corrected, as it worked just fine.

Thank you very much for your assistance, and patience.

On Wed, Aug 1, 2012 at 1:12 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 08/01/2012 10:27 AM, Arnold Werschky wrote:

As an aside, I can get rid of the errors on the setupssl2.sh script by making the following change...but I don't know if its a change I should be making.

Yes, that looks correct.  Not sure when/how that was broken.

[root@ldap ~]# diff setupssl2.sh setupssl2.sh.orig 

185c185

<     pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt

---

>     pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt

*********************************************************************

results of commands requested:

*********************************************************************

root@ldap ~]# ls -al /etc/dirsrv/slapd-*

total 472

drwxrwx--- 3 ldap ldap  4096 Jul 31 15:01 .

drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..

-r-------- 1 ldap ldap  2114 Jul 31 14:36 adminserver.p12

-rw-r--r-- 1 ldap root   647 Jul 31 14:36 cacert.asc

-rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db

-r--r----- 1 ldap ldap  3595 Jul 31 13:19 certmap.conf

-rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif

-rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak

-rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK

-r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif

-rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db

-r-------- 1 ldap ldap    41 Jul 31 14:36 noise.txt

-rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db

-rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db

-r-------- 1 ldap ldap    67 Jul 31 14:36 pin.txt

-r-------- 1 ldap ldap    41 Jul 31 14:36 pwdfile.txt

drwxrwx--- 2 ldap ldap  4096 Jul 31 15:01 schema

-rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db

-r--r----- 1 ldap ldap  5366 Jul 31 13:19 slapd-collations.conf

[root@ldap ~]# ls -al /etc/dirsrv/admin-serv

total 196

drwx------ 2 ldap root  4096 Jul 31 15:27 .

drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..

-rw------- 1 ldap ldap   498 Jul 31 14:36 adm.conf

-rw------- 1 ldap root    40 Jul 31 13:19 admpw

-rw-r--r-- 1 root root  3936 Mar 27 08:33 admserv.conf

-rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db

-rw------- 1 ldap ldap  4467 Jul 31 14:36 console.conf

-rw------- 1 ldap root  4467 Jul 27 18:42 console.conf.rpmsave

-rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf

-rw------- 1 ldap root 16384 Jul 31 16:05 key3.db

-rw------- 1 ldap root 13343 Jul 31 13:19 local.conf

-r-------- 1 ldap ldap  4535 Jul 31 14:36 nss.conf

-rw------- 1 ldap root  4535 Jul 27 16:20 nss.conf.rpmsave

-rw------- 1 ldap root    50 Jul 31 15:27 password.conf

-rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db

On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 08/01/2012 08:17 AM, Arnold Werschky wrote:

Good morning,

I'm trying to set up a new install LDAP server with self signed TLS/SSL on CentOS 6.2

My install using setup-ds-admin.pl was typical, and I was able to login to the 389-Console after installation.

At that point I downloaded the script from richm : https://github.com/richm/scripts/blob/master/setupssl2.sh

I received two errors during its run (full output is at the bottom).

pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.

pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.

start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error

[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.

[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.

[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:

I've searched for the SSL Library error to no avail.  If anyone can give me a starting point I'd appreciate it.

***************************************************************************

setupssl2.sh output

***************************************************************************

Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory

No CA certificate found - will create new one

No Server Cert found - will create new one

No Admin Server Cert found - will create new one

Creating password file for security token

Creating noise file

Creating new key and cert db

Creating encryption key for CA

Generating key.  This may take a few moments...

Creating self-signed CA certificate

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?

Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?

Exporting the CA certificate to cacert.asc

Generating server certificate for 389 Directory Server on host ldap.xxxxx.com

Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN

Note: If you do not want to use this hostname, edit this script to change myhost to the

real hostname you want to use

Generating key.  This may take a few moments...

Creating the admin server certificate

Generating key.  This may take a few moments...

Exporting the admin server certificate pk12 file

pk12util: PKCS12 EXPORT SUCCESSFUL

Creating pin file for directory server

Importing the admin server key and cert (created above)

Incorrect password/PIN entered.

pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.

pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.

Hmm - this is really strange.
ls -al /etc/dirsrv/slapd-*
ls -al /etc/dirsrv/admin-serv

Importing the CA certificate from cacert.asc

Enabling the use of a password file in admin server

Turning on NSSEngine

Use ldaps for config ds connections

Enabling SSL in the directory server

when prompted, provide the directory manager password

Password:modifying entry "cn=encryption,cn=config"

modifying entry "cn=config"

adding new entry "cn=RSA,cn=encryption,cn=config"

Enabling SSL in the admin server

modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

Done.  You must restart the directory server and the admin server for the changes to take effect.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users