Re: Issues enabling SSL/TLS for config DS

On 06/13/2017 09:06 AM, dave_horton2001@xxxxxxxxxxx wrote:
> I believe that should all be ok.  It's using the same key/cert as the DS although I've also tried different keys/certs.  There is an intermediate cert in the chain, but in Manage Certs in both DS and admin server the trust chain seems to appear ok.
>
> I can contact the admin server over https, it's just when I change the config DS to secure, and it updates the ldapurl in adm.conf that it subsequently fails.
>
> Some more info in case it helps shed some light...  If I attempt to update the User DS in the console then the update fails to apply.  But if I use ldapmodify to manually update the directoryURL, then that seems to work ok over SSL.  The issue seems to be limited to the config DS only as far as I can tell.
>
> Admin server key/certs below.
>
> [root@ldap admin-serv]# certutil -d . -K
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> < 0> rsa      629b29a5d48bb157af44d40edf6b7b27d9fe6c2a   ldap.example.com
> [root@ldap admin-serv]#
>
> [root@ldap admin-serv]# certutil -d . -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> root-ca                                                      CT,,
> ca-cert                                                      CT,,
> ldap.example.com                                                CTu,u,u
>
> Is there anything in particular about the config DS that would require some specific certificate extensions or anything like that?  It seems peculiar that only that portion seems to be failing, unless I'm mistaken in what I'm seeing.


This is from my setup that works:


DS
================================
[root@localhost slapd-localhost]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
server-cert                                                  u,u,Pu
Server-Cert                                                  u,u,Pu


Admin
================================
[root@localhost admin-serv]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
CA certificate                                               CT,,


There are some differences.  Perhaps you could try these extensions to
see if it helps?

Also, what is in your cn=config and cn=encryption,cn=config entries for the
config DS (dse.ldif)?  Here is mine:

dn: cn=config
...
...
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
numSubordinates: 1


This link below might also be useful.  While this doc talks about
disabling SSLv3, the part I want you to look at is configuring the
console preferences to use TLS 1.1/1.2

http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html
>
> Thanks again for your help.
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
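
As an added example for this thread (not code from 389 DS, NSS, or either
poster), the Python script below parses a `certutil -d <dir> -L` listing and
the cn=config / cn=encryption,cn=config entries of a dse.ldif and reports the
points the reply compares: which entries carry a private key (u) versus CA
trust (C/T) in the SSL column, whether nsslapd-ssl-check-hostname is off, and
whether sslVersionMin is below TLS1.2.  The embedded sample listings are
constructed from the ones quoted in the thread; the function names and the
'server'/'client' role labels are this example's own, and a finding is a
difference to look at, not a diagnosis of the reporter's failure.

```python
"""Trust flags from `certutil -d <dir> -L` and TLS settings from a 389 DS dse.ldif,
checked the way this thread compares them.  Added example, not 389 DS code."""
import re

# certutil(1) trust letters per column (SSL,S/MIME,JAR/XPI): p/P valid/trusted peer,
# c/C valid/trusted CA, T trusted CA for client certs, u has private key, w warn.
_ROW = re.compile(
    r"^(?P<nick>.*\S)\s+(?P<ssl>[pPcCTuw]*),(?P<smime>[pPcCTuw]*),(?P<jar>[pPcCTuw]*)$")

def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust strings; nicknames may contain spaces."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            certs[m["nick"]] = (m["ssl"], m["smime"], m["jar"])
    return certs

def check_nss_db(certs, role):
    """Findings for a DB used as TLS 'server' (presents a cert) or 'client'
    (verifies the peer's cert), judged on the SSL trust column only."""
    findings = []
    with_key = [n for n, (ssl, _, _) in certs.items() if "u" in ssl]
    anchors = [n for n, (ssl, _, _) in certs.items() if "C" in ssl or "P" in ssl]
    if role == "server" and not with_key:
        findings.append("no entry with u in the SSL column: no server cert and key to present")
    if role == "client" and not anchors:
        findings.append("no C (trusted CA) or P (trusted peer) entry: peer certs cannot validate")
    for n in with_key:
        ssl = certs[n][0]
        if "C" in ssl or "T" in ssl:
            findings.append(f"{n}: has a private key (u) and is also a trust anchor ({ssl}); "
                            "the working setup's server certs carry u,u,u or u,u,Pu")
    return findings

def parse_ldif(text):
    """Map dn -> {attr: [values]}; unfolds continuation lines, skips '#' and '...'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def check_encryption(ldif_text):
    """Findings for the cn=config / cn=encryption,cn=config attributes quoted above."""
    entries = parse_ldif(ldif_text)
    cfg = entries.get("cn=config", {})
    enc = entries.get("cn=encryption,cn=config", {})
    findings = []
    if cfg.get("nsslapd-ssl-check-hostname", ["on"])[0].lower() == "off":
        findings.append("nsslapd-ssl-check-hostname: off -- peer cert names not checked against host name")
    versions = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
    vmin = enc.get("sslVersionMin", [None])[0]
    if vmin is None:
        findings.append("sslVersionMin is not set")
    elif vmin in versions and versions.index(vmin) < versions.index("TLS1.2"):
        findings.append(f"sslVersionMin: {vmin} -- permits protocol versions below TLS1.2")
    if enc.get("nsSSL3Ciphers", [""])[0] == "+all":
        findings.append("nsSSL3Ciphers: +all -- every available cipher rather than an explicit list")
    return findings

# Sample inputs constructed from the listings quoted in this thread.
REPORTER_ADMIN = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

root-ca                                                      CT,,
ca-cert                                                      CT,,
ldap.example.com                                             CTu,u,u
"""
WORKING_ADMIN = "server-cert   u,u,u\nCA certificate   CT,,\n"
WORKING_DSE = """\
dn: cn=config
...
nsslapd-ssl-check-hostname: off

dn: cn=encryption,cn=config
sslVersionMin: TLS1.0
nsSSL3Ciphers: +all
"""

if __name__ == "__main__":
    for label, db in (("reporter admin-serv", REPORTER_ADMIN), ("working admin-serv", WORKING_ADMIN)):
        print(label, check_nss_db(parse_certutil_list(db), "client") or ["no findings"])
    print("config DS", check_encryption(WORKING_DSE))
```

Run against a real install by feeding it the output of `certutil -d /etc/dirsrv/admin-serv -L`
and the dse.ldif of the config instance; the admin server is checked as a 'client'
because that is the role it plays towards the config DS over the ldapurl in adm.conf.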