Good Morning! I'm working my way through http://directory.fedoraproject.org/wiki/Howto:SSL trying to create the certificates with OpenSSL, and then get them added to the NSS database. Most of that is fine. It's only at the end that the directory server refuses to start, with these errors:

###
SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
ERROR: SSL Initialization Failed.
###

Here's what I'm going through. These commands are cut/pasted out of a script, so you'll see my variable substitution. As far as that goes, these commands all return without error. (For what it's worth, once everything works, I plan to post the script as an alternative to setupssl.sh and setupssl2.sh.)

### Private Key:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$PRIVATE_RSA_BITS -outform PEM -out $F_PRIVATE_KEY

### CA Certificate:
openssl req -new -x509 -extensions v3_ca -key $F_PRIVATE_KEY -days $CERT_CA_EXPIRE \
    -subj $CERT_CA_SUBJ -out $F_CERT_CA

### Host Certificate Request:
openssl req -new -nodes -key $F_PRIVATE_KEY -days $HOST_CERT_EXPIRE -subj $CERT_CA_SUBJ \
    -out $F_CERT_REQ

### Self-sign the Request:
openssl ca -keyfile $F_PRIVATE_KEY -selfsign -days $HOST_CERT_EXPIRE -in $F_CERT_REQ \
    -out $F_HOST_CERT

### Create a password file to use with creating and populating the certificate database:
echo $PASSWORD > $F_PW_FILE
chown nobody:nobody $F_PW_FILE
chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PW_FILE

### Create the pin.txt file for NSPR:
echo "Internal (Software) Token:$PASSWORD" > $F_PINFILE
chown nobody:nobody $F_PINFILE
chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PINFILE

### Adapt the host certificate to PKCS12 format:
openssl pkcs12 -export -in $F_HOST_CERT -inkey $F_PRIVATE_KEY -out $F_HOST_PKCS \
    -passout file:${F_PW_FILE} -name "${PKCS_CERT_NAME}"

### Create the certificate database:
certutil -N -d sql:$D_INSTANCE_VAR -f $F_PW_FILE

### Import the host certificate:
pk12util -v -i $F_HOST_PKCS -d sql:$D_INSTANCE_VAR -k $F_PW_FILE -w $F_PW_FILE

### Import the CA certificate:
certutil -A -d sql:$D_INSTANCE_VAR -n "Local CA Certificate" -t CT,, -a -i $F_CERT_CA -f $F_PW_FILE

### List the certificates (This returns both certificates in good order):
certutil -L -d sql:$D_INSTANCE_VAR

### Finally, the LDAP modifications (I also set up the "MemberOf" plugin, here. That's been redacted for clarity.):
ldapmodify -x -h localhost -D "cn=Directory Manager" -w $PASSWORD <<EOT
dn: cn=config
changeType: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
-
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,
 -desede3

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOT

After that, `service restart dirsrv ${INSTANCE}`, as nobody:nobody, returns the errors I showed at the top of this message.

Thoughts?

Thanks!

David
-- 
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
Integrity*Commitment*Communication*Support
----5----1----5----2----5----3----5----4----5----5----5----6----5----7--
Pavlov walks into a bar. The phone rings and he says, "Damn! I forgot to feed the dog!"
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
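A preflight audit of the kind of setup described in the post above, as an added example (not the poster's, the list's or 389 DS's own code). It takes the LDIF fed to ldapmodify and a captured `certutil -L` listing and reports what keeps such a server from starting or weakens its TLS posture: an nsSSLPersonalitySSL nickname that is absent from the NSS database or has no private key behind it, nsSSL3 enabled, and cipher suites enabled with `+` that no server should offer. The cipher list is the one from the post; the certutil listing, the "Server-Cert" import and the trimmed LDIF entries are constructed sample input.

```python
"""Added preflight audit for a 389 DS TLS setup like the one in the post (not the project's own tool).
Input: the LDIF fed to ldapmodify and captured `certutil -L` output. Returns findings; [] means pass."""
import re

DIRECTIVES = {"dn", "changetype", "add", "replace", "delete", "objectclass"}
WEAK = ("null", "export", "_40_", "rc4", "rc2", "des_", "fortezza")  # NULL, export, 40-bit, RC4, RC2, DES/3DES, Fortezza

def ldif_attrs(ldif):
    """attribute -> value over all entries (last one wins); a line starting with one space continues the previous value."""
    attrs = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():  # unfold LDIF continuation lines
        key, _, value = line.partition(":")
        if value and key.strip().lower() not in DIRECTIVES:
            attrs[key.strip()] = value.strip()
    return attrs

def nss_certs(listing):
    """nickname -> trust flags 'SSL,S/MIME,JAR' from `certutil -L -d <db>`; 'u' means NSS holds the private key."""
    return dict(re.findall(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$", listing, re.M))

def audit(ldif, listing):
    attrs, certs, findings = ldif_attrs(ldif), nss_certs(listing), []
    nick = attrs.get("nsSSLPersonalitySSL", "")
    if nick not in certs:  # must equal the nickname the host cert was imported under (openssl pkcs12 -name)
        findings.append(f"nickname {nick!r} not in NSS DB; present: {sorted(certs)}")
    elif "u" not in certs[nick].split(",")[0]:  # cert imported, but no private key for it in the DB
        findings.append(f"{nick!r} has no private key in the DB (trust {certs[nick]})")
    if attrs.get("nsSSL3", "").lower() == "on":
        findings.append("nsSSL3: on enables SSLv3; set it off")
    for cipher in attrs.get("nsSSL3Ciphers", "").split(","):
        cipher = cipher.strip()
        if cipher.startswith("+") and any(w in cipher.lower() for w in WEAK):  # '+' enables, '-' disables
            findings.append(f"weak cipher enabled: {cipher}")
    return findings

# Constructed sample input: the post's encryption entries, and a listing in which the host cert was imported as "Server-Cert".
POST_LDIF = """dn: cn=encryption,cn=config
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,
 +rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
 +tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3

dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Server-Cert"""
CERTUTIL_OUT = """Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Server-Cert                                 u,u,u
Local CA Certificate                        CT,,"""
```

Run `audit(POST_LDIF, CERTUTIL_OUT)` against your own LDIF and listing; every cipher the post enables with `+` is reported, while `-rsa_null_md5` and the other `-` entries are not.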