On 06/13/2017 09:06 AM, dave_horton2001@xxxxxxxxxxx wrote: > I believe that should all be ok. It's using the same key/cert as the DS although I've also tried different keys/certs. There is an intermediate cert in the chain, but in Manage Certs in both DS and admin server the trust chain seems to appear ok. > > I can contact the admin server over https, it's just when I change the config DS to secure, and it updates the ldapurl in adm.conf that it subsequently fails. > > Some more info in case it helps shed some light... If I attempt to update the User DS in the console then the update fails to apply. But if I use ldapmodify to manually update the directoryURL, then that seems to work ok over SSL. The issue seems to be limited to the config DS only as far as I can tell. > > Admin server key/certs below. > > [root@ldap admin-serv]# certutil -d . -K > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" > Enter Password or Pin for "NSS Certificate DB": > < 0> rsa 629b29a5d48bb157af44d40edf6b7b27d9fe6c2a ldap.example.com > [root@ldap admin-serv]# > > [root@ldap admin-serv]# certutil -d . -L > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > root-ca CT,, > ca-cert CT,, > ldap.example.com CTu,u,u > > Is there anything in particular about the config DS that would require some specific certificate extensions or anything like that? It seems peculiar that only that portion seems to be failing, unless I'm mistaken in what I'm seeing. This is from my setup that works: DS ================================ [root@localhost slapd-localhost]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA certificate CTu,u,u server-cert u,u,Pu Server-Cert u,u,Pu Admin ================================ [root@localhost admin-serv]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI server-cert u,u,u CA certificate CT,, There are some differences. Perhaps you could try these extensions to see if it helps? Also what is in your cn=config/cn=encryption,cn=config entries for the config DS (dse.ldif). Here is mine: dn: cn=config ... ... nsslapd-ssl-check-hostname: off dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed sslVersionMin: TLS1.0 nsSSL3Ciphers: +all numSubordinates: 1 This link below might also be useful. While this doc talks about disabling SSLv3, the part I want you to look at is configuring the console preferences to use TLS 1.1/1.2 http://www.port389.org/docs/389ds/howto/howto-disable-sslv3.html > > Thanks again for your help. > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx