Re: New SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



William,

Delete the CA and re-added it and worked. We are back in business.

Thanks for all your help!

On 8/22/19 11:27 PM, Fernando Fuentes wrote:
William,

I got a bit further!

I follow this: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/AdminServerConfig#Using-the-DS-Key-Cert-for-Admin-Server

And I added the password.conf part and it seem to have work. BUT I got:

[Thu Aug 22 18:23:27.181517 2019] [:info] [pid 2037:tid 140514400127104] Using nickname hypersouthCert. [Thu Aug 22 18:23:27.181838 2019] [:error] [pid 2037:tid 140514400127104] SSL Library Error: -8179 Certificate is signed by an unknown issuer [Thu Aug 22 18:23:27.181857 2019] [:error] [pid 2037:tid 140514400127104] Unable to verify certificate 'hypersouthCert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

I added the suggested portion and it started.
Funny though I imported my CA. Any ideas?

Thanks!

On 8/22/19 11:18 PM, William Brown wrote:
It might be best to wait for Mark Reynolds to have a look, he's the admin server expert :)

On 23 Aug 2019, at 14:13, Fernando Fuentes <ffuentes@xxxxxxxxxxx> wrote:

William,

Understood, But it still does not do anything for me. I keep getting the same error.
I am not sure is even been loaded.

Is there a way i can find that is looking for this pin file?

Thanks!

On 8/22/19 11:10 PM, William Brown wrote:
Yes, but that format of the pin.txt is what svrcore experts when you start the admin server.

pin.txt -> svrcore -> admin server
pwdfile.txt -> certutil

They do seperate things :)

It's lovely and confusing :)

On 23 Aug 2019, at 13:17, Fernando Fuentes <ffuentes@xxxxxxxxxxx> wrote:

William,

Thanks for your reply.
If I use the pin file with that format I get:

[root@hypersouth admin-serv]# certutil -K -d . -f pin.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Incorrect password/PIN entered.
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
[root@hypersouth admin-serv]#


On 8/22/19 10:14 PM, William Brown wrote:
Try /etc/dirsrv/admin-serv/pin.txt with the format:

Internal (Software) Token:PASSWORD

On 23 Aug 2019, at 13:12, Fernando Fuentes <ffuentes@xxxxxxxxxxx> wrote:

Just to show that I got the password right :)

[root@hypersouth admin-serv]# certutil -K -d . -f pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ec05a16fff5a6756702d91a127e4a5dbf8e93380 hypersouthCert
[root@hypersouth admin-serv]#

On 8/22/19 9:53 PM, Fernando Fuentes wrote:
William,

Thank you for your help.

There is something seriously wrong when importing certs and enabling ssl in the admin console. I did a full fresh install of 389 and I get the same error:

[Thu Aug 22 16:46:59.824914 2019] [:error] [pid 12634:tid 140387102636160] Password for slot internal is incorrect. [Thu Aug 22 16:46:59.825384 2019] [:error] [pid 12634:tid 140387102636160] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv. [Thu Aug 22 16:46:59.825399 2019] [:error] [pid 12634:tid 140387102636160] SSL Library Error: -8177 The security password entered is incorrect

This not because I forgot the password nor I am not setting the pin files..... No matter what I do or what I set (pin.txt or password.conf) It wont start and complains about the same error.

I have reloaded my OS like 5 Times and restarted the whole process to allways end up here with this same error.

SSL Works for the dirsrv, I can restart just fine.
SSL does not work for the admin console.

Is this a bug?

How can I revert back the admin console to normal?
I try to restore a backup of my admin-serv folder and start it and works but when I open the console, the console display the status of the admin server as stopped even though its started and I can loging using the console.


On 8/22/19 9:02 PM, William Brown wrote:
echo "Internal (Software) Token:PASSWORD" > pin.txt
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux