----- On 14 Dec, 2015, at 22:01, William Brown wibrown@xxxxxxxxxx wrote:

> On Mon, 2015-12-14 at 15:23 +0000, Phil Daws wrote:
>> Hello,
>>
>> Am trying to enable SSL on my 389 lab instance but having real
>> issues.
>>
>> I imported the CA certificate chain, created a CSR, signed and
>> installed the certificate. Then went into Directory Server ->
>> Configuration and enabled SSL. Restarted the directory server but now
>> get this error in the log:
>>
>> [12/Dec/2015:11:51:02 +0000] - SSL alert: Security Initialization:
>> Unable to authenticate (Netscape Portable Runtime error -8177 - The
>> security password entered is incorrect.)
>> [12/Dec/2015:11:51:02 +0000] - ERROR: SSL Initialization Failed.
>> Disabling SSL.
>>
>>
>> When I issue systemctl restart dirsrv@lab389 it does not prompt for a
>> password, and if I create a pin.txt that does not work. Yet if I use
>> certutil that all looks good:
>>
>> [root@ads01 slapd-lab389]# certutil -d /etc/dirsrv/slapd-lab389/ -K
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User
>> Private Key and Certificate Services"
>> Enter Password or Pin for "NSS Certificate DB":
>> < 0> rsa 725d885b5d0a1ce92babc48d230108e46dd44866 server-cert
>>
>
>
> Okay, let's go through my standard SSL checklist:
>
> First, check cn=config: nsslapd-certdir
> Does the value match where you have put your certificates?
>
>
> Now, check cn=config: nsslapd-security=on
>
> Do a certutil -d /path -L. Write down the alias name of the cert. I
> call mine Server-Cert
>
> Next, check cn=RSA,cn=encryption,cn=config. My template is:
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> nsSSLPersonalitySSL: Server-Cert #Should match your -L output
> nsSSLActivation: on
> nsSSLToken: internal (software) # Write this down!!!
> cn: RSA
>
>
> Now, check your pin.txt. It should be in the folder listed in
> nsslapd-certdir, and the line should be title casing of the line
> nsSSLToken with the word " Token" after it. For example:
>
> from dse.ldif
> nsSSLToken: internal (software)
>
> pin.txt
> Internal (Software) Token:<pin>
>
> Finally, make sure the <pin> can be used to look at the certs:
>
> certutil -d /path -K
>
>
> In my experience I tend to see most mistakes are in cn=RSA, so it's
> well worth checking this to make sure it all looks correct. There are
> gaps in the documentation around the ssl section, so I hope this helps.
>
>
> --
> Sincerely,
>
> William Brown
> Software Engineer
> Red Hat, Brisbane

Thank you William, this appears to be working now :)

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx