On Mon, 2015-12-14 at 15:23 +0000, Phil Daws wrote:
> Hello,
>
> Am trying to enable SSL on my 389 lab instance but having real issues.
>
> I imported the CA certificate chain, created a CSR, signed and installed the certificate. Then went into Directory Server -> Configuration and enabled SSL. Restarted the directory server but now get this error in the log:
>
> [12/Dec/2015:11:51:02 +0000] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8177 - The security password entered is incorrect.)
> [12/Dec/2015:11:51:02 +0000] - ERROR: SSL Initialization Failed. Disabling SSL.
>
> When I issue systemctl restart dirsrv@lab389 it does not prompt for a password, and if I create a pin.txt that does not work. Yet if I use certutil that all looks good:
>
> [root@ads01 slapd-lab389]# certutil -d /etc/dirsrv/slapd-lab389/ -K
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> < 0> rsa 725d885b5d0a1ce92babc48d230108e46dd44866 server-cert

Okay, let's go through my standard SSL checklist:

First, check cn=config:

    nsslapd-certdir

Does the value match where you have put your certificates?

Now, check cn=config:

    nsslapd-security=on

Do a certutil -d /path -L. Write down the alias name of the cert. I call mine Server-Cert.

Next, check cn=RSA,cn=encryption,cn=config. My template is:

    dn: cn=RSA,cn=encryption,cn=config
    changetype: add
    objectclass: top
    objectclass: nsEncryptionModule
    # Should match your -L output
    nsSSLPersonalitySSL: Server-Cert
    nsSSLActivation: on
    # Write this down!!!
    nsSSLToken: internal (software)
    cn: RSA

Now, check your pin.txt. It should be in the folder listed in nsslapd-certdir, and the line should be the title casing of the nsSSLToken value with the word " Token" after it.

For example, from dse.ldif:

    nsSSLToken: internal (software)

and in pin.txt:

    Internal (Software) Token:<pin>

Finally, make sure the <pin> can be used to look at the certs:

    certutil -d /path -K

In my experience I tend to see most mistakes in cn=RSA, so it's well worth checking this to make sure it all looks correct. There are gaps in the documentation around the SSL section, so I hope this helps.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
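The checklist above turned into a script, as an added example that is not from William's message or from the 389 DS project. It reads nsslapd-certdir, nsslapd-security and the cn=RSA attributes out of the instance's dse.ldif, derives the pin.txt label from nsSSLToken with the title-casing rule stated above (the message only shows that rule for the internal token, so its use for other token names is an assumption), and, when certutil is installed, checks the nickname with certutil -L and the PIN with certutil -K. The instance layout (dse.ldif and pin.txt side by side, as in /etc/dirsrv/slapd-lab389), the sample dse.ldif and the PIN "secret123" are constructed for illustration.

```shell
#!/bin/sh
# Added example: walks the SSL checklist against a 389 DS instance directory.
# Not from the original message or the 389 DS project. Assumptions: the
# instance dir holds dse.ldif and pin.txt, and the pin.txt label is the
# title-cased nsSSLToken value plus " Token", as the message states.

# Print the first value of attribute $2 (case-insensitive) from LDIF file $1,
# unfolding continuation lines (a line starting with one space continues the
# previous line). Base64 ("::") values are not decoded.
ldif_attr() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        function flush() {
            n = index(cur, ":")
            if (!done && n > 0 && tolower(substr(cur, 1, n - 1)) == want) {
                v = substr(cur, n + 1); sub(/^ */, "", v); print v; done = 1
            }
            cur = ""
        }
        /^ / { cur = cur substr($0, 2); next }
        { if (cur != "") flush(); cur = $0 }
        END { flush() }
    ' "$1"
}

# Expected pin.txt label for a token name: title case, then " Token".
# "internal (software)" -> "Internal (Software) Token"
token_label() {
    printf '%s\n' "$1" | awk '{
        out = ""; prev = " "
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (prev !~ /[A-Za-z0-9]/) c = toupper(c)   # start of a word
            out = out c; prev = c
        }
        print out " Token"
    }'
}

# Print the PIN stored for label $2 in pin.txt $1 ("Label:pin"); exit 1 if absent.
pin_for_label() {
    awk -F: -v want="$2" '$1 == want { sub(/^[^:]*:/, ""); print; found = 1; exit }
                          END { exit !found }' "$1"
}

# check <message> <command...>: run the command, print ok/FAIL, count failures.
check() { msg=$1; shift; if "$@" >/dev/null 2>&1; then echo "ok   $msg"; else echo "FAIL $msg"; failures=$((failures + 1)); fi; }

# Run every check for one instance directory; returns 0 only if all passed.
check_instance() {
    inst=$1 failures=0 pin=""
    dse=$inst/dse.ldif
    certdir=$(ldif_attr "$dse" nsslapd-certdir)
    security=$(ldif_attr "$dse" nsslapd-security)
    nick=$(ldif_attr "$dse" nsSSLPersonalitySSL)
    token=$(ldif_attr "$dse" nsSSLToken)
    activation=$(ldif_attr "$dse" nsSSLActivation)
    label=$(token_label "$token")
    pinfile=$certdir/pin.txt

    check "nsslapd-certdir '$certdir' is a directory" test -d "$certdir"
    check "nsslapd-security is on (got '$security')" test "$security" = on
    check "nsSSLActivation is on (got '$activation')" test "$activation" = on
    check "nsSSLPersonalitySSL is set (got '$nick')" test -n "$nick"
    check "$pinfile has a '$label:' line (nsSSLToken is '$token')" pin_for_label "$pinfile" "$label"
    pin=$(pin_for_label "$pinfile" "$label" 2>/dev/null)
    # Not in the checklist above, but a PIN file should never be world-readable.
    check "$pinfile is not world-readable" test -z "$(find "$pinfile" -perm -004 2>/dev/null)"

    if command -v certutil >/dev/null 2>&1; then
        # -L -n prints only that nickname and fails if it is not in the DB.
        check "certutil -L finds nickname '$nick'" certutil -d "$certdir" -L -n "$nick"
        if [ -n "$pin" ]; then
            # certutil -f wants a file holding just the password, not the
            # "Label:pin" format of pin.txt, so copy the PIN to a private temp file.
            pwfile=$(mktemp); chmod 600 "$pwfile"; printf '%s\n' "$pin" > "$pwfile"
            check "PIN from pin.txt unlocks the key DB (certutil -K; -8177 means it does not)" certutil -d "$certdir" -K -f "$pwfile"
            rm -f "$pwfile"
        fi
    else
        echo "skip certutil not installed; nickname and PIN not verified"
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample instance (not a real server) so the checks can run offline.
make_sample() {
    mkdir -p "$1" && chmod 700 "$1"
    cat > "$1/dse.ldif" <<EOF
dn: cn=config
cn: config
nsslapd-security: on
nsslapd-certdir: $1

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)
EOF
    printf 'Internal (Software) Token:secret123\n' > "$1/pin.txt"
    chmod 600 "$1/pin.txt"
}

if [ $# -gt 0 ]; then
    check_instance "$1"        # e.g.  sh ssl-check.sh /etc/dirsrv/slapd-lab389
    exit $?
fi
sample=$(mktemp -d)
make_sample "$sample"
check_instance "$sample" || echo "(failures above come from certutil having no NSS database to open in the sample)"
rm -rf "$sample"
```

Run it with the instance directory as the argument; with no argument it exercises itself on the constructed sample. A FAIL on the certutil -K line is the same condition as the -8177 error quoted above: the server found pin.txt but the PIN, or the label in front of it, does not unlock the token.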
-- 
389 users mailing list
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx