[389-users] Re: 389 and TLS woes

Phil Daws wrote:
> ----- On 17 Jan, 2016, at 14:48, Rob Crittenden rcritten@xxxxxxxxxx wrote:
> 
>> Phil Daws wrote:
>>> Hello all:
>>>
>>> Have tried to get my lab set up with 389 and secure connections multiple times
>>> now with disastrous results; and yes have tried to follow
>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html
>>>
>>> Here is a very brief walkthrough of what I did:
>>>
>>> * from my PKI created four certificates - node1 admin and node2 directory +
>>> node2 admin and node2 directory certificates
>>> * on both node1 and node2 installed the following packages:
>>>
>>> [root@ads01 ~]# rpm -qa | grep 389
>>> 389-adminutil-1.1.22-1.el7.x86_64
>>> 389-ds-base-1.3.4.0-21.el7_2.x86_64
>>> 389-admin-console-1.1.10-1.el7.noarch
>>> 389-console-1.1.9-1.el7.noarch
>>> 389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
>>> 389-admin-1.1.42-1.el7.x86_64
>>> 389-ds-console-1.2.12-1.el7.noarch
>>>
>>> * on node1 ran setup-ds-admin.pl and configured the initial directory server
>>> * on node1 configured the admin to use TLS + the directory server so that it
>>> bound to 636
>>> * on node2 ran setup-ds-admin.pl and joined the directory server on node1
>>> * on node2 configured the admin to use TLS
>>> * on node2 launch 389-console using https and then try to connect to the
>>> directory server on node2 and it just hangs and fails with an SSL error over
>>> and over:
>>>
>>> [Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit:
>>> NSS is required to use LDAPS, but security initialization failed [-8015:The
>>> certificate/key database is in an old, unsupported format or failed to open.].
>>
>> Double-check that the user that 389-ds runs as has read permissions to
>> the NSS database.
>>
> 
> Permissions look fine with 0440 and owned by the user that slapd is running under.

I'd check directories too then I guess and ensure that the database is
in the location specified by nsslapd-certdir.

This is a classic, horrible NSS catch-all error code. It means that NSS
wasn't able to initialize the NSS database but doesn't give any reason
why. It could be that it isn't there, or isn't readable, or is
corrupted, or some ancient format. Who knows. But it usually means that
it isn't there or isn't readable.

rob
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
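The checks Rob suggests (is the database where nsslapd-certdir says it is, can the slapd user traverse the directory and read the files, is the file set complete) can be scripted so they are run in one pass before chasing the -8015 catch-all any further. The script below is an added example, not part of this thread or of the 389-ds project. It assumes the usual 389-ds layout (dse.ldif under /etc/dirsrv/slapd-INSTANCE, NSS files cert8.db/key3.db/secmod.db or cert9.db/key4.db/pkcs11.txt), a slapd user name passed on the command line (dirsrv on a default install), and a stat(1) that accepts -c; the dse.ldif and database files in the demo are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the thread or the 389-ds project): pre-flight checks for
# the NSS database that ns-slapd opens at startup, covering the causes listed in
# the thread for error -8015: database not at nsslapd-certdir, not readable, or
# incomplete. Assumes GNU/busybox stat(1) with -c and the usual 389-ds file layout.

# Print the nsslapd-certdir value from a dse.ldif (first occurrence only).
certdir_from_dse() {
    sed -n 's/^nsslapd-certdir: *//p' "$1" | head -n 1
}

# Return 0 when $1 is owned by user $2 and the owner bits named in $3 ("r", "x"
# or "rx") are set in its mode; otherwise print a finding and return 1.
# Ownership plus owner bits is a close proxy for "slapd can read it"; group
# membership and ACLs are deliberately not modelled here.
owner_can() {
    path="$1"; user="$2"; want="$3"
    owner=$(stat -c '%U' "$path") || return 1
    mode=$(stat -c '%A' "$path") || return 1     # e.g. -r--r----- or drwxr-x---
    if [ "$owner" != "$user" ]; then
        echo "FAIL: $path is owned by $owner, not $user"; return 1
    fi
    case "$want" in
        *r*) case "$mode" in
                 ?r*) ;;
                 *) echo "FAIL: $path is not owner-readable ($mode)"; return 1 ;;
             esac ;;
    esac
    case "$want" in
        *x*) case "$mode" in
                 ???x*) ;;
                 *) echo "FAIL: $path is not owner-searchable ($mode)"; return 1 ;;
             esac ;;
    esac
    return 0
}

# Check the directory ns-slapd would open as user $2: it must exist, be
# searchable and readable by that user, and hold a complete NSS file set
# (legacy dbm cert8/key3/secmod, or sql cert9/key4/pkcs11.txt) readable by it.
check_nss_db() {
    dir="$1"; user="$2"; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: nsslapd-certdir $dir does not exist"; return 1
    fi
    owner_can "$dir" "$user" rx || rc=1
    found=0
    for set in "cert8.db key3.db secmod.db" "cert9.db key4.db pkcs11.txt"; do
        complete=1
        for f in $set; do [ -f "$dir/$f" ] || complete=0; done
        if [ "$complete" = 1 ]; then
            found=1
            for f in $set; do owner_can "$dir/$f" "$user" r || rc=1; done
        fi
    done
    if [ "$found" = 0 ]; then
        echo "FAIL: no complete NSS database (cert8/key3/secmod or cert9/key4/pkcs11.txt) in $dir"
        rc=1
    fi
    return $rc
}

# Constructed fixture: a dse.ldif pointing at a temp directory that holds a
# legacy NSS file set owned by the current user with the 0440 files from the
# thread, then the same check against a directory with no database in it.
# Returns 0 only if the good layout passes and the empty one is reported.
demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -un)
    mkdir -p "$tmp/slapd-ads01" "$tmp/empty"
    printf 'dn: cn=config\nnsslapd-certdir: %s\n' "$tmp/slapd-ads01" > "$tmp/dse.ldif"
    for f in cert8.db key3.db secmod.db; do
        : > "$tmp/slapd-ads01/$f"
        chmod 0440 "$tmp/slapd-ads01/$f"
    done
    chmod 0750 "$tmp/slapd-ads01"
    dir=$(certdir_from_dse "$tmp/dse.ldif")
    check_nss_db "$dir" "$me"; ok=$?
    check_nss_db "$tmp/empty" "$me" && ok=1   # must fail: no database there
    rm -rf "$tmp"
    return $ok
}

# Stand-alone use: sh nss-check.sh /etc/dirsrv/slapd-INSTANCE/dse.ldif dirsrv
# With no arguments the constructed demo runs instead.
if [ $# -eq 2 ]; then
    dir=$(certdir_from_dse "$1") && check_nss_db "$dir" "$2"
else
    demo && echo "demo: good layout passed, empty directory was reported"
fi
```

Once the permission and location checks pass, the definitive test is to open the database as the slapd user with the NSS tools, for example `runuser -u dirsrv -- certutil -L -d /etc/dirsrv/slapd-INSTANCE`; if that listing fails where the script passed, the remaining candidates from Rob's list are corruption or a database format the installed NSS does not accept.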