Unable to connect to 389 admin server after applying SSL

Hello

We've successfully deployed a test instance of 389 on Centos 7 within
Docker. We can connect with our usual LDAP tools, our code, the
administrator web application and by using the 389 Windows
application. All OK.

When we applied SSL/TLS, by using the setupssl2.sh script we can no
longer connect using the 389 Windows application, although all other
functions are running OK. The error messages we receive after entering
the user information are:

The certificate this server presents is either untrusted or unknown -
that's fine, it's a self-signed certificate, so I accept this
certificate.

Cannot connect to the Admin Server "https://<host>:9830". The Url is
not correct or the server is not running.

Looking in the error log file for the admin server I have the following entries:

[Thu Feb 04 11:34:28.884037 2016] [:info] [pid 662:tid
140597238659136] Configuring server for SSL protocol
[Thu Feb 04 11:34:28.884248 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(702): NSSProtocol:  Enabling
TLSv1.1
[Thu Feb 04 11:34:28.884331 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(761): NSSProtocol:  [TLS 1.1]
(minimum)
[Thu Feb 04 11:34:28.884420 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(778): NSSProtocol:  [TLS 1.1]
(maximum)
[Thu Feb 04 11:34:28.884642 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(983): NSSCipherSuite:  Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Thu Feb 04 11:34:28.884792 2016] [:info] [pid 662:tid
140597238659136] Using nickname server-cert.
[Thu Feb 04 11:34:28.918651 2016] [:debug] [pid 662:tid
140597238659136] mod_admserv/mod_admserv.c(2369): Entering
do_admserv_post_config - pid is [662]
[Thu Feb 04 11:34:28.918813 2016] [:debug] [pid 662:tid
140597238659136] mod_admserv/mod_admserv.c(2377): Entering
do_admserv_post_config - init count is [2]
[Thu Feb 04 11:34:28.918899 2016] [:debug] [pid 662:tid
140597238659136] mod_admserv/mod_admserv.c(2401): [662] Cache
expiration set to 600 seconds
[Thu Feb 04 11:34:28.956732 2016] [:debug] [pid 662:tid
140597238659136] mod_admserv/mod_admserv.c(2505): Added StartConfigDs
task entry [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-ldap-server,cn=389
administration server,cn=server
group,cn=ldap-server.docker,ou=docker,o=netscaperoot:start_config_ds:]
for user [LocalSuper]
[Thu Feb 04 11:34:28.961067 2016] [:info] [pid 662:tid
140597238659136] host_ip_init(): problem creating secure AdmldapInfo
(error code = 4)
[Thu Feb 04 11:34:28.963356 2016] [:notice] [pid 662:tid
140597238659136] Access Host filter is: *.docker
[Thu Feb 04 11:34:28.963422 2016] [:notice] [pid 662:tid
140597238659136] Access Address filter is: *

When I try to connect to the admin server, there is no corresponding
entry in the access logs for the directory server. Running strace
shows the following logs around the point the software logs the
"host_ip_init(): problem creating secure AdmldapInfo" message:

659   11:34:28 stat("/etc/dirsrv/admin-serv/adm.conf",
{st_mode=S_IFREG|0600, st_size=508, ...}) = 0
659   11:34:28 open("/etc/dirsrv/admin-serv/adm.conf", O_RDONLY) = 12
659   11:34:28 fstat(12, {st_mode=S_IFREG|0600, st_size=508, ...}) = 0
659   11:34:28 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdf58776000
659   11:34:28 read(12, "AdminDomain: docker\nsysuser: nobody\nisie:
cn=389 Administration Server,cn=Server
Group,cn=ldap-server.docker,ou=docker,o=Netscap"..., 4096) = 508
659   11:34:28 read(12, "", 4096)       = 0
659   11:34:28 close(12)                = 0
659   11:34:28 munmap(0x7fdf58776000, 4096) = 0
659   11:34:28 stat("/etc/dirsrv/admin-serv/admpw",
{st_mode=S_IFREG|0600, st_size=40, ...}) = 0
659   11:34:28 open("/etc/dirsrv/admin-serv/admpw", O_RDONLY) = 12
659   11:34:28 fstat(12, {st_mode=S_IFREG|0600, st_size=40, ...}) = 0
659   11:34:28 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdf58776000
659   11:34:28 read(12, "admin:{SHA}L9P5p6bDeyroxEtjCalDW6iFyIc=\n", 4096) = 40
659   11:34:28 close(12)                = 0
659   11:34:28 munmap(0x7fdf58776000, 4096) = 0
659   11:34:28 write(2, "[Thu Feb 04 11:34:28.659125 2016] [:info]
[pid 659:tid 140597238659136] host_ip_init(): problem creating secure
AdmldapInfo (err"..., 141) = 141
659   11:34:28 geteuid()                = 0
659   11:34:28 setresuid(-1, 99, -1)    = 0

These are the 389 packages that have been installed:

389-admin-1.1.42-1.el7.x86_64.rpm
389-admin-console-1.1.10-1.el7.noarch.rpm
389-adminutil-1.1.22-1.el7.x86_64.rpm
389-console-1.1.9-1.el7.noarch.rpm
389-ds-base-1.3.3.1-20.el7_1.x86_64.rpm
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64.rpm
389-ds-console-1.2.12-1.el7.noarch.rpm

And this is the output from uname -all:

Linux d83459731f6d 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6
01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

and finally this is the hosts file:

172.17.0.3  ldap-server.docker d83459731f6d ldap-server.bridge ldap-server
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

We're at a bit of a loss where to turn.
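The admin-server log quoted above carries three facts a defender would want pulled out mechanically rather than by eye: the TLS floor and ceiling (both TLS 1.1), the cipher list (RC4, MD5 and 3DES suites enabled alongside AES), and the host_ip_init(): problem creating secure AdmldapInfo (error code = 4) failure, which mod_nss logs at :info level, so a severity-only filter would never raise it. The following Python script is an added example for this thread, not code from the post or from the 389 project. It parses the log exactly as quoted (re-joining the lines the mail client wrapped); the name fragments it treats as "legacy suite" markers are an assumption of the example, not a 389 or NSS setting.

```python
"""Audit a 389 admin-server (mod_nss) error log for TLS bounds, enabled
cipher suites and startup problems. Added example; not 389 project code."""
import re
from dataclasses import dataclass

# Records copied from the admin-server error log quoted in the post,
# wrapped mid-record the way the mail client wrapped them.
SAMPLE_LOG = """\
[Thu Feb 04 11:34:28.884037 2016] [:info] [pid 662:tid
140597238659136] Configuring server for SSL protocol
[Thu Feb 04 11:34:28.884248 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(702): NSSProtocol:  Enabling
TLSv1.1
[Thu Feb 04 11:34:28.884331 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(761): NSSProtocol:  [TLS 1.1]
(minimum)
[Thu Feb 04 11:34:28.884420 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(778): NSSProtocol:  [TLS 1.1]
(maximum)
[Thu Feb 04 11:34:28.884642 2016] [:debug] [pid 662:tid
140597238659136] nss_engine_init.c(983): NSSCipherSuite:  Configuring
permitted SSL ciphers
[+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha]
[Thu Feb 04 11:34:28.884792 2016] [:info] [pid 662:tid
140597238659136] Using nickname server-cert.
[Thu Feb 04 11:34:28.961067 2016] [:info] [pid 662:tid
140597238659136] host_ip_init(): problem creating secure AdmldapInfo
(error code = 4)
[Thu Feb 04 11:34:28.963356 2016] [:notice] [pid 662:tid
140597238659136] Access Host filter is: *.docker
[Thu Feb 04 11:34:28.963422 2016] [:notice] [pid 662:tid
140597238659136] Access Address filter is: *
"""

TS = r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4}"
# A record starts wherever a bracketed timestamp is followed by a space.
SPLIT_RE = re.compile(r"\s*(?=\[" + TS + r"\] )")
REC_RE = re.compile(
    r"^\[(?P<ts>" + TS + r")\]\s+\[:(?P<level>\w+)\]\s+"
    r"\[pid (?P<pid>\d+):tid\s+\d+\]\s+(?P<msg>.*)$"
)
CIPHER_LIST_RE = re.compile(r"\[([+-]\w+(?:,[+-]\w+)*)\]")
PROTO_RE = re.compile(r"NSSProtocol:\s+\[(TLS [\d.]+)\]\s+\((minimum|maximum)\)")
# Assumption of this example: suite-name fragments that mark legacy algorithms.
WEAK_MARKERS = ("rc4", "md5", "des", "null", "fortezza", "_40_", "_56_")


@dataclass
class Record:
    ts: str
    level: str
    pid: int
    msg: str


def parse_records(text):
    """Flatten wrapped lines, split on timestamps, parse each record header."""
    flat = " ".join(line.strip() for line in text.splitlines())
    records = []
    for chunk in SPLIT_RE.split(flat):
        m = REC_RE.match(chunk.strip())
        if m:  # unparseable fragments are skipped, not guessed at
            records.append(Record(m["ts"], m["level"], int(m["pid"]), m["msg"]))
    return records


def tls_bounds(records):
    """Map 'minimum'/'maximum' to the protocol version mod_nss logged."""
    bounds = {}
    for r in records:
        m = PROTO_RE.search(r.msg)
        if m:
            bounds[m.group(2)] = m.group(1)
    return bounds


def cipher_audit(records):
    """Return (enabled suites, enabled suites matching WEAK_MARKERS), log order."""
    enabled = []
    for r in records:
        m = CIPHER_LIST_RE.search(r.msg) if "NSSCipherSuite" in r.msg else None
        if m:
            enabled += [s[1:] for s in m.group(1).split(",") if s.startswith("+")]
    weak = [s for s in enabled if any(k in s for k in WEAK_MARKERS)]
    return enabled, weak


def startup_problems(records):
    """(level, message, error code) for records worth alerting on. The
    AdmldapInfo failure is logged at :info, so match on the text as well."""
    hits = []
    for r in records:
        if r.level in ("warn", "error", "crit") or "problem" in r.msg:
            m = re.search(r"error code = (\d+)", r.msg)
            hits.append((r.level, r.msg, int(m.group(1)) if m else None))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("TLS bounds:", tls_bounds(recs))
    print("enabled / weak:", cipher_audit(recs))
    for hit in startup_problems(recs):
        print("problem:", hit)
```

Pointing parse_records at the admin server's own error log instead of SAMPLE_LOG gives the same three answers for a live instance. On the quoted log it reports TLS 1.1 as both floor and ceiling, six enabled suites of which four (the RC4 and 3DES ones) match the legacy markers, and one startup problem, error code 4, at :info level.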

--
389 users mailing list