Re: Using sec-activate to enable SSL for admin server


 



Hi Grant,

On Thu, Nov 7, 2019 at 2:16 AM Grant Byers <Grant.Byers@xxxxxxxxxxxxx> wrote:

Hi Mark,

 

I am using certutil and a pin file, but that’s only half of what’s required. The other half involves adding and/or amending entries in the local and adm bootstrap configs, in the global config database (o=NetscapeRoot), and some apache config. The latter tasks are simplified by using the console to enable SSL for the admin server (which does so by calling the sec-activate cgi), but that is a manual step and doesn’t lend itself well to automation. I have played a little with hand editing these files with success, which I can automate, but it’s fickle. Any upstream change could potentially break that, whereas calling the tool used by the admin server to configure itself would be a more robust approach (IMO).

 

The official documentation only has the manual approach via the console. No good for automation.

Please check this script:
https://raw.githubusercontent.com/richm/scripts/master/setupssl2.sh 

Run it as 
# ./setupssl2.sh /etc/dirsrv/slapd-INSTANCE

HTH

 

Grant

 

From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Thursday, 7 November 2019 12:24 AM
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Grant Byers <Grant.Byers@xxxxxxxxxxxxx>
Subject: Re: [389-users] Using sec-activate to enable SSL for admin server

 

 

On 11/6/19 12:42 AM, Grant Byers wrote:

Hi,

 

I’ve mostly completed automated deployment of a 389ds cluster via Ansible. The final piece of the puzzle is the enablement of SSL/TLS for the Admin server.  From what I understand, I should be able to use the sec-activate tool to do this;

 

/usr/lib64/dirsrv/cgi-bin/sec-activate /etc/dirsrv/admin-serv on

 

What I can’t figure out is how to authenticate. When I run this, it prompts me repeatedly for “Enter Admin Server Administrator password:”. I have tried both the RootDN and ConfigDirectoryAdminPwd passwords, but neither seem to work.

 

Can anyone suggest what’s going on here & how I might get past it?

 

 

I have never used, or heard of anyone using, sec-activate to enable SSL in the admin server.  I suggest following the official documentation on setting this up using certutil and a password/pin file:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/enabling_tls#enabling_tls_in_the_administration_server

HTH,

Mark

 

 

Thanks,

Grant

 

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
-- 
 
389 Directory Server Development Team


--
Viktor