On 12/22/2013 08:15 PM, David Barr wrote:
> Good Morning! I’m working my way through
> http://directory.fedoraproject.org/wiki/Howto:SSL trying to create the
> certificates with OpenSSL, and then get them added to the NSS database.
> Most of that is fine. It’s only at the end that the directory server
> refuses to start, with these errors:
>
> ###
> SSL alert: Security Initialization: Unable to authenticate (Netscape
> Portable Runtime error -8192 - An I/O error occurred during security
> authorization.)
> ERROR: SSL Initialization Failed.
> ###
>
> Here’s what I’m going through. These commands are cut/pasted out of a
> script, so you’ll see my variable substitution. As far as that goes, these
> commands all return without error. (For what it’s worth, once everything
> works, I plan to post the script as an alternative to setupssl.sh and
> setupssl2.sh.)
>
> ### Private Key:
> openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$PRIVATE_RSA_BITS -outform PEM -out $F_PRIVATE_KEY
>
> ### CA Certificate:
> openssl req -new -x509 -extensions v3_ca -key $F_PRIVATE_KEY -days $CERT_CA_EXPIRE \
>   -subj $CERT_CA_SUBJ -out $F_CERT_CA
>
> ### Host Certificate Request:
> openssl req -new -nodes -key $F_PRIVATE_KEY -days $HOST_CERT_EXPIRE -subj $CERT_CA_SUBJ \
>   -out $F_CERT_REQ
>
> ### Self-sign the Request:
> openssl ca -keyfile $F_PRIVATE_KEY -selfsign -days $HOST_CERT_EXPIRE -in $F_CERT_REQ \
>   -out $F_HOST_CERT
>
> ### Create a password file to use with creating and populating the certificate database:
> echo $PASSWORD > $F_PW_FILE
> chown nobody:nobody $F_PW_FILE
> chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PW_FILE
>
> ### Create the pin.txt file for NSPR:
> echo "Internal (Software) Token:$PASSWORD" > $F_PINFILE
> chown nobody:nobody $F_PINFILE
> chmod u+r,u-wxs,g-rwxs,o-rwxt $F_PINFILE
>
> ### Adapt the host certificate to PKCS12 format:
> openssl pkcs12 -export -in $F_HOST_CERT -inkey $F_PRIVATE_KEY -out $F_HOST_PKCS \
>   -passout file:${F_PW_FILE} -name "${PKCS_CERT_NAME}"
>
> ### Create the certificate database:
> certutil -N -d sql:$D_INSTANCE_VAR -f $F_PW_FILE
>
> ### Import the host certificate:
> pk12util -v -i $F_HOST_PKCS -d sql:$D_INSTANCE_VAR -k $F_PW_FILE -w $F_PW_FILE
>
> ### Import the CA certificate:
> certutil -A -d sql:$D_INSTANCE_VAR -n "Local CA Certificate" -t CT,, -a -i $F_CERT_CA -f $F_PW_FILE
>
> ### List the certificates (This returns both certificates in good order):
> certutil -L -d sql:$D_INSTANCE_VAR
>
> ### Finally, the LDAP modifications (I also set up the “MemberOf” plugin,
> here. That’s been redacted for clarity.):
> ldapmodify -x -h localhost -D "cn=Directory Manager" -w $PASSWORD <<EOT
> dn: cn=config
> changeType: modify
> replace: passwordStorageScheme
> passwordStorageScheme: SSHA512
> -
> add: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
>
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>  +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>  +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>  +tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,
>  -desede3
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
> EOT
>
> After that, `service restart dirsrv ${INSTANCE}`, as nobody:nobody,

What do you mean "as nobody:nobody"? You have to run service restart dirsrv
${INSTANCE} as root - the process itself will do a setuid to nobody at the
right time during startup.

> returns the errors I showed at the top of this message.

These usually mean "file not found" or permissions problems.

> Thoughts?

Are all of the files under /etc/dirsrv/slapd-${INSTANCE} owned by
nobody:nobody? Are they all readable by nobody:nobody? The actual NSS
key/cert db files might have to be rw - to my knowledge, we have not done
any testing with "sql:" databases.

> Thanks!
> David
> --
> David - Offbeat http://dafydd.livejournal.com
> dafydd - Online http://pgp.mit.edu/
> Battalion 4 - Black Rock City Emergency Services Department
> Integrity*Commitment*Communication*Support
> ----5----1----5----2----5----3----5----4----5----5----5----6----5----7--
> Pavlov walks into a bar. The phone rings and he says, "Damn! I forgot to
> feed the dog!"
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
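The reply narrows the NSPR -8192 "I/O error" down to files the server cannot find or open once it has dropped to nobody:nobody. The script below is an added example, not code from the thread or from 389 DS: it is a read-only audit of an instance directory that checks the three things the reply asks about (ownership, owner readability, and rw on the NSS db files) plus the pin.txt token name and mode from David's script. The directory, user and group are parameters; /etc/dirsrv/slapd-$INSTANCE and nobody:nobody are the values the thread uses. The file names cert*.db, key*.db, secmod.db and pkcs11.txt are the usual NSS dbm/sql database file names and are an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): audit the files a 389 DS instance
# must be able to open at SSL startup after it setuids to its runtime user.
# Assumptions: NSS db files are named cert*.db / key*.db / secmod.db /
# pkcs11.txt; the pin file is DIR/pin.txt as in the thread's $F_PINFILE.

# check_dirsrv_files DIR USER GROUP
# Prints each problem found; returns 0 when none, 1 otherwise.
check_dirsrv_files() {
    dir=$1; user=$2; group=$3
    problems=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # 1. Ownership: after startup the server runs as USER, so anything it
    #    opens later (NSS db, pin file, dse.ldif) must belong to USER:GROUP.
    bad=$(find "$dir" ! -user "$user" -o ! -group "$group")
    if [ -n "$bad" ]; then
        printf 'not owned by %s:%s:\n%s\n' "$user" "$group" "$bad"
        problems=1
    fi

    # 2. Owner readability: files need r, directories need rx; a failed
    #    open surfaces only as the generic NSPR I/O error seen in the thread.
    bad=$(find "$dir" -type f ! -perm -u+r -o -type d ! -perm -u+rx)
    if [ -n "$bad" ]; then
        printf 'not readable by owner:\n%s\n' "$bad"
        problems=1
    fi

    # 3. NSS database files: the reply notes these may need to be rw
    #    (cert8/key3/secmod for dbm, cert9/key4/pkcs11.txt for sql:).
    bad=$(find "$dir" -type f \( -name 'cert*.db' -o -name 'key*.db' \
          -o -name 'secmod.db' -o -name 'pkcs11.txt' \) ! -perm -u+rw)
    if [ -n "$bad" ]; then
        printf 'NSS db file not rw for owner:\n%s\n' "$bad"
        problems=1
    fi

    # 4. pin.txt: must name the token exactly as NSS does, and since it holds
    #    the db password the thread strips group/other access from it.
    pin="$dir/pin.txt"
    if [ -f "$pin" ]; then
        if ! grep -q '^Internal (Software) Token:' "$pin"; then
            echo "pin.txt: no line starting with 'Internal (Software) Token:'"
            problems=1
        fi
        bad=$(find "$pin" \( -perm -g+r -o -perm -o+r \))
        if [ -n "$bad" ]; then
            echo "pin.txt: readable by group or others"
            problems=1
        fi
    fi

    return $problems
}

# Usage: check_dirsrv_files /etc/dirsrv/slapd-$INSTANCE nobody nobody
if [ $# -eq 3 ]; then
    check_dirsrv_files "$@"
fi
```

Run it as root before restarting the instance; a clean run prints nothing and exits 0, and each reported path is one the server would fail to open as nobody. The checks are mode-based rather than access-based, so they give the same answer whether or not you run them as the target user.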