Troubles with automated deployment of secure 389 server

[Nicolas Martin <nico.martin@xxxxxxxxx>]

Hello,

I've been trying to deploy a secure 389 server with TLS/SSL on the port 636.

If I do things manually, it works alright.

But using the scripts provided on the website, I run into some troubles.

BACKGROUND INFO:

Attached to this mail are the scripts and conf file I use. My setupssl.sh is a modified version of the setupssl2.ssh meant for DS >= 1.1. I changed the cipher suite and I changed the name of the admin cert from server-cert to admin-cert for clarity (I changed manually the name of the certificate in the admin console configuration file accordingly).

Reason behind the cipher suite change is that the one in the original script prevents the script from running (AttributeType error) so I used a cipher suite from a working, manually deployed LDAP server.

I use the packages provided with RHEL6U5. Here are the components version:

389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch

openjdk version:
java-1.6.0-openjdk-1.6.0.0-6.1.13.4.el6_5.x86_64

PROBLEM DESCRIPTION:

Once the scripts are ran, I start 389-console using the https URL.

Authentication yields an error message: "Cannot connect..."

Console with debugging enabled shows this error message:
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

/var/log/dirsrv/admin-server/error has the following line:
[error] SSL Library Error: -12271 SSL client cannot verify your certificate

Certificates list from admin server:
admin-cert                                                   u,u,u
CA certificate                                               CT,,

Certificates list from slapd-myserver7:
CA certificate                                               CTu,u,u
admin-cert                                                   u,u,u
Server-Cert                                                  u,u,u

My certificates all have different serial numbers: 1000 for CA, 1001 for Server-Cert, 1002 for admin-cert.

If I disable the security for the console by setting NSSEngine to Off, I can log to the console with the normal http URL, but as soon as I access a certificate-related tab (For example "Manage Certificates" or the Encryption tab of the server), I get the following error message:

Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12263) SSL received a record that exceeded the maximum permissible length.

Has anyone ever experienced these SSL errors ? Is there something I can compare between my working, manually deployed LDAP servers and the one that I try to deploy automatically ?

Thanks in advance.

Regards,

Nicolas Martin

Attachment: setup.inf
Description: Binary data

Attachment: setupssl.sh
Description: Bourne shell script

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users