Re: 389 Windows Console

Hello Rich,

Have run in debug mode and connected to the admin interface which has been secured with a cert:

{SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin}, SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017, ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB, CN=LAB-CA}
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 72
JButtonFactory: button height = 20
JButtonFactory: button width = 72
JButtonFactory: button height = 20
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 72
HttpsChannel::select(...) - SELECT CERTIFICATE
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) security library: invalid algorithm.
	at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
	at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
	at com.netscape.management.client.comm.CommManager.send(Unknown Source)
	at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
	at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
	at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
	at com.netscape.management.client.console.Console.<init>(Unknown Source)
	at com.netscape.management.client.console.Console.main(Unknown Source)

So it accepts the admin certificate fine but then shows an empty selection box for a certificate?

Thanks, Phil

----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins@xxxxxxxxxx wrote:

> On 01/04/2016 01:11 AM, Phil Daws wrote:
>> Any thoughts on this please ?
>>
>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod@xxxxxxxxxxxx wrote:
>>
>>> Hello,
>>>
>>> Have now got to the point where it says "Select a certificate to authenticate"
>>> yet the drop down box is empty.
> 
> Can you run the console with -D 9 -f console.log, then check console.log
> to remove any sensitive information, then post that to this list?  The
> easiest way to do this is to make a copy of the .bat file that runs the
> console, then add those arguments to the command line in the copy of the
> .bat file.
> 
> I'm assuming you have not configured the admin server/directory server
> to require client cert authentication.  If you don't know, then you
> probably haven't.
> 
>>>
>>> If I check the NSS database it looks okay ?
>>>
>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and
>>> Settings\pmdaws\.389-console" -L
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> LAB CA Certificate                                           CT,,
>>> Phil Daws                                                    p,p,p
>>>
>>> Seems as though the console is not picking them up :(
>>>
>>> Thanks, Phil
>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi@xxxxxxxxxx wrote:
>>>
>>>> On 12/15/2015 11:40 AM, Phil Daws wrote:
>>>>> Hello,
>>>>>
>>>>> Unfortunately I do not have a console under Fedora/RHEL.
>>>>>
>>>>> I can log into the Administration console fine, but when I click on Server
>>>>> Group, and then double click on the Directory Server it prompts me for the
>>>>> Distinguished name and password.  The status is showing as:
>>>>>
>>>>> Server status: Stopped
>>>>> Port: 636
>>>>>
>>>>> The ports are listening fine:
>>>>>
>>>>> Active Internet connections (only servers)
>>>>> Proto Recv-Q Send-Q Local Address           Foreign Address         State
>>>>> PID/Program name
>>>>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>>>>> 301/sshd
>>>>> tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN
>>>>> 1261/httpd
>>>>> tcp6       0      0 :::22                   :::*                    LISTEN
>>>>> 301/sshd
>>>>> tcp6       0      0 :::636                  :::*                    LISTEN
>>>>> 1196/ns-slapd
>>>>> tcp6       0      0 :::389                  :::*                    LISTEN
>>>>> 1196/ns-slapd
>>>>>
>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the
>>>>> console :(
>>>>>
>>>>> Any thoughts please ?
>>>> Not sure yet, but did you have a chance to see this section?
>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsssl-information
>>>>> Thanks, Phil
>>>>>
>>>>>
>>>>>
>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi@xxxxxxxxxx wrote:
>>>>>
>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect
>>>>>>> to the Administration panel and double click on the Directory Server it just
>>>>>>> hangs.  The CA certificate has been imported using:
>>>>>>>
>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and
>>>>>>> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i
>>>>>>> d:\Downloads\CA-chain.pem -a
>>>>>>>
>>>>>>> Am I missing something obvious please ?
>>>>>>>
>>>>>>> Thanks, Phil
>>>>>>>
>>>>>>> --
>>>>>>> 389 users mailing list
>>>>>>> 389-users@%(host_name)s
>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Administration URL starts with https?
>>>>>>
>>>>>> If you use Console on Fedora/RHEL, you have no problem?
>>>>>>
>>>>>> Thanks.

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
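
Rich's request above to check console.log for sensitive information before posting it can be partly scripted. The following is an added example, not code from the thread or from the 389 project: it redacts the identifying fields of the certificate dump line while keeping the fields that matter for diagnosis (signature algorithm, key type, validity dates, error text). The key names are taken from the dump shown in this message; the sample log values are constructed, and `redact_log`, `redact_cert_dump` and `literals` are hypothetical names.

```python
import re

# Keys as they appear in the console's certificate dump in this thread.
KEYS = ["SUBJECT_DN", "SUBJECT", "SERIAL", "AFTERDATE", "ISSUER_DN", "ISSUER",
        "SIGNATURE", "BEFOREDATE", "KEYTYPE", "REASONS", "VERSION"]
# Fields that identify the host, the CA or the individual certificate.
SENSITIVE = {"SUBJECT_DN", "SUBJECT", "ISSUER_DN", "ISSUER", "SERIAL"}
# A key starts right after the opening brace or after ", ". DN parts such as
# "O=LAB" also follow ", " but are not in KEYS, so they stay inside the value.
KEY_RE = re.compile(r"(?:(?<=\{)|(?<=, ))(%s)=" % "|".join(KEYS))

def redact_cert_dump(line):
    """Rebuild one {KEY=value, ...} dump line with sensitive values masked."""
    hits = list(KEY_RE.finditer(line))
    fields = []
    for i, m in enumerate(hits):
        # A value runs up to the ", " before the next key, or the final brace.
        end = hits[i + 1].start() - 2 if i + 1 < len(hits) else line.rindex("}")
        value = line[m.end():end]
        if m.group(1) in SENSITIVE:
            value = "<redacted>"
        fields.append(f"{m.group(1)}={value}")
    return "{" + ", ".join(fields) + "}"

def redact_log(text, literals=()):
    """Mask certificate identity fields plus any operator-supplied strings
    (hostnames, user names, domains) anywhere in the log, case-insensitively."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("{") and stripped.endswith("}") and KEY_RE.search(stripped):
            line = redact_cert_dump(stripped)
        for i, lit in enumerate(literals):
            line = re.sub(re.escape(lit), f"<redacted-{i}>", line, flags=re.IGNORECASE)
        out.append(line)
    return "\n".join(out)

# Constructed sample in the format of the debug output above (values are made up).
SAMPLE = (
    "{SUBJECT_DN=CN=host.example, SUBJECT={CN=host}, SERIAL=1234567890, "
    "AFTERDATE=Tue Dec 19 14:05:35 2017, ISSUER={CN=EXAMPLE-CA, O=EXAMPLE, C=GB}, "
    "SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 14:05:35 2015, KEYTYPE=RSA, "
    "REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=EXAMPLE, CN=EXAMPLE-CA}\n"
    "HttpsChannel::select(...) - SELECT CERTIFICATE\n"
    "org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: "
    "(-8186) security library: invalid algorithm."
)

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```

The script only covers the certificate dump and the strings passed in `literals`; the rest of the log still needs reading by eye before it is posted.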