Re: 389 Windows Console

On 01/04/2016 09:23 AM, Phil Daws wrote:
Hello Rich,

Have run in debug mode and connected to the admin interface which has been secured with a cert:

{SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin}, SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017, ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB, CN=LAB-CA}
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 72
JButtonFactory: button height = 20
JButtonFactory: button width = 72
JButtonFactory: button height = 20
JButtonFactory: button width = 54
JButtonFactory: button height = 20
JButtonFactory: button width = 72
HttpsChannel::select(...) - SELECT CERTIFICATE
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) security library: invalid algorithm.
	at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
	at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
	at com.netscape.management.client.comm.CommManager.send(Unknown Source)
	at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
	at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
	at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
	at com.netscape.management.client.console.Console.<init>(Unknown Source)
	at com.netscape.management.client.console.Console.main(Unknown Source)

So it accepts the admin certificate fine but then shows an empty selection box for a certificate?

Not sure what it means by "invalid algorithm" but it looks as though that is the root cause. The console doesn't know what to do with that error, so it asks you to select another cert, which is just a distraction at that point. Please open a ticket.




Thanks, Phil

----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins@xxxxxxxxxx wrote:

On 01/04/2016 01:11 AM, Phil Daws wrote:
Any thoughts on this please?

----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod@xxxxxxxxxxxx wrote:

Hello,

Have now got to the point where it says "Select a certificate to authenticate"
yet the drop down box is empty.
Can you run the console with -D 9 -f console.log, then check console.log
to remove any sensitive information, then post that to this list?  The
easiest way to do this is to make a copy of the .bat file that runs the
console, then add those arguments to the command line in the copy of the
.bat file.

I'm assuming you have not configured the admin server/directory server
to require client cert authentication.  If you don't know, then you
probably haven't.

If I check the NSS database it looks okay?

D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and Settings\pmdaws\.389-console" -L

Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

LAB CA Certificate                                           CT,,
Phil Daws                                                    p,p,p

Seems as though the console is not picking them up :(

Thanks, Phil
----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi@xxxxxxxxxx wrote:

On 12/15/2015 11:40 AM, Phil Daws wrote:
Hello,

Unfortunately I do not have a console under Fedora/RHEL.

I can log into the Administration console fine, but when I click on Server
Group, and then double click on the Directory Server it prompts me for the
Distinguished name and password.  The status is showing as:

Server status: Stopped
Port: 636

The ports are listening fine:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      301/sshd
tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN      1261/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      301/sshd
tcp6       0      0 :::636                  :::*                    LISTEN      1196/ns-slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1196/ns-slapd

So am guessing it's probably due to when I enabled "Secure Connection" in the
console :(

Any thoughts please?
Not sure yet, but did you have a chance to see this section?
http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsssl-information
Thanks, Phil



----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi@xxxxxxxxxx wrote:

On 12/15/2015 09:51 AM, Phil Daws wrote:
Hello,

I have 389 up and running in my lab, with encryption enabled, but when I connect
to the Administration panel and double click on the Directory Server it just
hangs.  The CA certificate has been imported using:

d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i d:\Downloads\CA-chain.pem -a

Am I missing something obvious please?

Thanks, Phil

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Administration URL starts with https?

If you use Console on Fedora/RHEL, you have no problem?

Thanks.
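
As an added example (not part of the thread and not 389 Directory Server code), this Python script decodes the trust attributes in the `certutil -L` listing quoted above, showing which entries are trusted CAs and which carry the `u` flag that certutil uses for user certificates. The function names are hypothetical; the listing is copied from the thread.

```python
import re

# NSS trust flags as documented for certutil; one group each for
# SSL, S/MIME and JAR/XPI (object signing).
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA",
    "T": "trusted CA for client authentication",
    "u": "user certificate, usable for authentication or signing",
}

# Listing copied from the certutil -L output quoted in the thread.
THREAD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LAB CA Certificate                                           CT,,
Phil Daws                                                    p,p,p
"""

# Nicknames may contain spaces, so anchor on the trailing flag triple.
ROW = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")

def parse_listing(text):
    """Map each nickname to its SSL, S/MIME and JAR/XPI flag strings."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries[m.group(1)] = dict(zip(("ssl", "smime", "jar"), m.groups()[1:]))
    return entries

def describe(flags):
    """Expand a flag string such as 'CT' into readable meanings."""
    return [FLAG_MEANING.get(f, "unrecognised flag " + f) for f in flags]

def with_ssl_flag(entries, flag):
    """Nicknames whose SSL trust group contains the given flag."""
    return sorted(n for n, t in entries.items() if flag in t["ssl"])

if __name__ == "__main__":
    db = parse_listing(THREAD_LISTING)
    for nick, trust in db.items():
        print(f"{nick}: SSL = {describe(trust['ssl']) or ['no trust']}")
    print("trusted CAs (C):", with_ssl_flag(db, "C"))
    print("entries flagged as user certs (u):", with_ssl_flag(db, "u"))
```

Run against the thread's listing, it reports `LAB CA Certificate` as the only trusted CA and no entry with `u` in the SSL group.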


