Hello Mr. Brown,

I used the below ldapsearch command:

    ldapsearch -d 5 -H ldaps://labd1.christianbook.com -x -D "cn=Directory Manager" -w ****** -s base -b "" objectclass=*

I got the below result:

    ldap_url_parse_ext(ldaps://labd1.christianbook.com)
    ldap_create
    ldap_url_parse_ext(ldaps://labd1.christianbook.com:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP labd1.christianbook.com:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.13.26:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
    TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
    TLS: certificate [CN=CAcert] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
    TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Since I ran setupssl2.sh twice, the first time there were errors in the error log; the second time there didn't appear to be any:

    [07/Apr/2016:13:21:37 -0400] - Warning: Adding configuration attribute "nsslapd-security"
    [07/Apr/2016:13:21:37 -0400] - The change of nsslapd-secureport will not take effect until the server is restarted
    [07/Apr/2016:13:23:55 -0400] - slapd shutting down - signaling operation threads
    [07/Apr/2016:13:23:55 -0400] - slapd shutting down - closing down internal subsystems and plugins
    [07/Apr/2016:13:23:55 -0400] - Waiting for 4 database threads to stop
    [07/Apr/2016:13:23:56 -0400] - All database threads now stopped
    [07/Apr/2016:13:23:56 -0400] - slapd stopped.
    [07/Apr/2016:13:24:17 -0400] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
    [07/Apr/2016:13:24:17 -0400] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
    [07/Apr/2016:13:24:17 -0400] - SSL failure: None of the cipher are valid
    [07/Apr/2016:13:24:17 -0400] - ERROR: SSL Initialization phase 2 Failed.
    [07/Apr/2016:13:33:11 -0400] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
    [07/Apr/2016:13:33:11 -0400] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
    [07/Apr/2016:13:33:11 -0400] - SSL failure: None of the cipher are valid
    [07/Apr/2016:13:33:11 -0400] - ERROR: SSL Initialization phase 2 Failed.
    [07/Apr/2016:13:35:07 -0400] - 389-Directory/1.2.11.15 B2016.082.1529 starting up
    [07/Apr/2016:13:35:07 -0400] - Db home directory is not set. Possibly nsslapd-directory (optinally nsslapd-db-home-directory) is missing in the config file.
    [07/Apr/2016:13:35:08 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
    [07/Apr/2016:13:35:23 -0400] - Warning: Adding configuration attribute "nsslapd-security"
    [07/Apr/2016:13:35:23 -0400] - The change of nsslapd-secureport will not take effect until the server is restarted
    [07/Apr/2016:13:36:20 -0400] - slapd shutting down - signaling operation threads
    [07/Apr/2016:13:36:20 -0400] - slapd shutting down - waiting for 27 threads to terminate
    [07/Apr/2016:13:36:20 -0400] - slapd shutting down - closing down internal subsystems and plugins
    [07/Apr/2016:13:36:20 -0400] - Waiting for 4 database threads to stop
    [07/Apr/2016:13:36:21 -0400] - All database threads now stopped
    [07/Apr/2016:13:36:21 -0400] - slapd stopped.
    [07/Apr/2016:13:36:33 -0400] - 389-Directory/1.2.11.15 B2016.082.1529 starting up
    [07/Apr/2016:13:36:33 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
    [07/Apr/2016:13:36:33 -0400] attrcrypt - Key for cipher AES successfully generated and stored
    [07/Apr/2016:13:36:33 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
    [07/Apr/2016:13:36:33 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored
    [07/Apr/2016:13:36:33 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
    [07/Apr/2016:13:36:33 -0400] - Listening on All Interfaces port 636 for LDAPS requests
    [07/Apr/2016:14:06:12 -0400] - slapd shutting down - signaling operation threads
    [07/Apr/2016:14:06:12 -0400] - slapd shutting down - waiting for 28 threads to terminate
    [07/Apr/2016:14:06:12 -0400] - slapd shutting down - closing down internal subsystems and plugins
    [07/Apr/2016:14:06:12 -0400] - Waiting for 4 database threads to stop
    [07/Apr/2016:14:06:12 -0400] - All database threads now stopped
    [07/Apr/2016:14:06:12 -0400] - slapd stopped.
    [07/Apr/2016:21:25:49 -0400] - 389-Directory/1.2.11.15 B2016.082.1529 starting up
    [07/Apr/2016:21:25:49 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
    [07/Apr/2016:21:25:49 -0400] - Listening on All Interfaces port 636 for LDAPS requests

Below is what is in my access log:

    389-Directory/1.2.11.15 B2016.082.1529 labd1.christianbook.com:636 (/etc/dirsrv/slapd-userauth1)
    [11/Apr/2016:20:27:35 -0400] conn=27 fd=64 slot=64 SSL connection from 192.168.13.26 to 192.168.13.26
    [11/Apr/2016:20:27:35 -0400] conn=27 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
    [11/Apr/2016:21:14:18 -0400] conn=28 fd=64 slot=64 SSL connection from 192.168.13.26 to 192.168.13.26
    [11/Apr/2016:21:14:18 -0400] conn=28 op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Below is my server certificate output:

    # certutil -L -d /etc/dirsrv/slapd-userauth1/
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA certificate                                               CTu,u,u
    Server-Cert                                                  u,u,u

Below is my admin server certificate output:

    # certutil -L -d /etc/dirsrv/admin-serv/
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    server-cert                                                  u,u,u
    CA certificate                                               CT,,

I also have an orphaned private key:

    # certutil -K -d /etc/dirsrv/slapd-userauth1/
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    Enter Password or Pin for "NSS Certificate DB":
    < 0> rsa      7ce6fa7d24be45acd0d4e03eb6aea8b2dd62be69   (orphan)
    < 1> rsa      51b9007f7669c1aebb9750ed0b24055d22d212fa   NSS Certificate DB:CA certificate
    < 2> rsa      daaf50b878d189db111b5488034d302012538da1   NSS Certificate DB:Server-Cert

I think I'll need to delete all the certificates and then re-create them all from scratch. One thing I am not sure about is the certificate flags in setupssl2.sh. For "CA certificate" the flag is "CT,,", while for the server certificate it is "u,u,u"; is that correct?

Thanks,
- xinhuan

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx