Hello Rich,

Have run in debug mode and connected to the admin interface which has been secured with a cert:

{SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin}, SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017, ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB, CN=LAB-CA}
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 72
JButtonFactory: button height = 20
JButtonFactory: button width = 72
JButtonFactory: button height = 20
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 72
HttpsChannel::select(...) - SELECT CERTIFICATE
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) security library: invalid algorithm.
        at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
        at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
        at com.netscape.management.client.comm.CommManager.send(Unknown Source)
        at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
        at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
        at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
        at com.netscape.management.client.console.Console.<init>(Unknown Source)
        at com.netscape.management.client.console.Console.main(Unknown Source)

So it accepts the admin certificate fine but then shows an empty selection box for a certificate ?

Thanks, Phil

----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins@xxxxxxxxxx wrote:

> On 01/04/2016 01:11 AM, Phil Daws wrote:
>> Any thoughts on this please ?
>>
>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod@xxxxxxxxxxxx wrote:
>>
>>> Hello,
>>>
>>> Have now got to the point where it says "Select a certificate to authenticate"
>>> yet the drop down box is empty.
>
> Can you run the console with -D 9 -f console.log, then check console.log
> to remove any sensitive information, then post that to this list? The
> easiest way to do this is to make a copy of the .bat file that runs the
> console, then add those arguments to the command line in the copy of the
> .bat file.
>
> I'm assuming you have not configured the admin server/directory server
> to require client cert authentication. If you don't know, then you
> probably haven't.
>
>>>
>>> If I check the NSS database it looks okay ?
>>>
>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and Settings\pmdaws\.389-console" -L
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> LAB CA Certificate                                           CT,,
>>> Phil Daws                                                    p,p,p
>>>
>>> Seems as though the console is not picking them up :(
>>>
>>> Thanks, Phil
>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi@xxxxxxxxxx wrote:
>>>
>>>> On 12/15/2015 11:40 AM, Phil Daws wrote:
>>>>> Hello,
>>>>>
>>>>> Unfortunately I do not have a console under Fedora/RHEL.
>>>>>
>>>>> I can log into the Administration console fine, but when I click on Server
>>>>> Group, and then double click on the Directory Server it prompts me for the
>>>>> Distinguished name and password.
>>>>> The status is showing as:
>>>>>
>>>>> Server status: Stopped
>>>>> Port: 636
>>>>>
>>>>> The ports are listening fine:
>>>>>
>>>>> Active Internet connections (only servers)
>>>>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>>>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      301/sshd
>>>>> tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN      1261/httpd
>>>>> tcp6       0      0 :::22                   :::*                    LISTEN      301/sshd
>>>>> tcp6       0      0 :::636                  :::*                    LISTEN      1196/ns-slapd
>>>>> tcp6       0      0 :::389                  :::*                    LISTEN      1196/ns-slapd
>>>>>
>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the
>>>>> console :(
>>>>>
>>>>> Any thoughts please ?
>>>> Not sure yet, but did you have a chance to see this section?
>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsssl-information
>>>>> Thanks, Phil
>>>>>
>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi@xxxxxxxxxx wrote:
>>>>>
>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect
>>>>>>> to the Administration panel and double click on the Directory Server it just
>>>>>>> hangs. The CA certificate has been imported using:
>>>>>>>
>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i d:\Downloads\CA-chain.pem -a
>>>>>>>
>>>>>>> Am I missing something obvious please ?
>>>>>>>
>>>>>>> Thanks, Phil
>>>>>>>
>>>>>>> --
>>>>>>> 389 users mailing list
>>>>>>> 389-users@%(host_name)s
>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Administration URL starts with https?
>>>>>>
>>>>>> If you use Console on Fedora/RHEL, you have no problem?
>>>>>>
>>>>>> Thanks.
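
Added example, not part of the original thread or of the 389 project's code: a small Python parser for the `certutil -L` listing quoted above that decodes the trust-attribute column and reports which entries carry the `u` flag, which certutil shows for a certificate whose private key is in the database. The function names are made up for illustration; the flag meanings follow the NSS certutil documentation.

```python
import re

# NSS trust flags as documented for certutil (-t argument / -L output).
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA for issuing server certificates",
    "T": "trusted CA for issuing client certificates",
    "u": "user certificate (usable for authentication or signing)",
    "w": "send warning",
}

# An entry line is "<nickname>   <ssl>,<smime>,<jar>"; header lines do not match.
ENTRY = re.compile(
    r"^(?P<nick>\S.*?)\s+"
    r"(?P<ssl>[pPcCTuw]*),(?P<smime>[pPcCTuw]*),(?P<jar>[pPcCTuw]*)\s*$"
)

# Listing as posted in the thread.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LAB CA Certificate                                           CT,,
Phil Daws                                                    p,p,p
"""

def parse_listing(text):
    """Return one dict per certificate entry in a `certutil -L` listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"nickname": m["nick"], "ssl": m["ssl"],
                            "smime": m["smime"], "jar": m["jar"]})
    return entries

def describe(flags):
    """Expand a flag string such as 'CT' into its documented meanings."""
    return [FLAGS[f] for f in flags]

def user_certs(entries):
    """Nicknames whose SSL trust field carries the 'u' (user cert) flag."""
    return [e["nickname"] for e in entries if "u" in e["ssl"]]

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(e["nickname"], "->", describe(e["ssl"]))
    print("entries with u flag:", user_certs(parse_listing(SAMPLE)))
```

On the listing from the thread, neither entry carries the `u` flag.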