> On 29 Apr 2020, at 11:45, fedoraproject@xxxxxxxxxxxxxxxxx wrote: > > I have a new 389 installation running on Centos 8. I'm trying to follow the https://directory.fedoraproject.org/docs/389ds/howto/howto-install-389.html and https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html instructions. However, once I enable TLS, my instance no longer starts up and I get the following error: > > [26/Apr/2020:17:09:55.928293129 +0000] - ERR - attrcrypt_fetch_private_key - Can't find certificate server-cert: -5950 - File not found. > [26/Apr/2020:17:09:55.928654096 +0000] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert server-cert: -5950 - File not found. > > This is the ldif I'm using to configure TLS: > > dn: cn=ECDSA,cn=encryption,cn=config > objectClass: top > objectClass: nsEncryptionModule > cn: ECDSA > nsSSLPersonalitySSL: ldap2.mydomain.com > nsSSLActivation: on > nsSSLToken: Internal (Software) > > and > > dn: cn=encryption,cn=config > changetype: modify > add: sslVersionMin > sslVersionMin: TLS1.2 > > I also deleted the cn=RSA object as these are ECDSA certificates. Note that yes, I did change the name of the cert. So I have no idea why it is looking for server-cert. > > Two questions. Once I turn on TLS,by setting nsslapd-security, the instance no longer starts. Is there a way to revert the latest configuration change so that I can get the instance started and fix it? So far I've been having to recreate the instance completely. There should be a file called /etc/dirsrv/slapd-<instance>/dse.ldif.startOK which is the last known working config we started up from, that you can copy to /etc/dirsrv/slapd-<instance>/dse.ldif > > Second, what did I break? How do I get TLS working on my instance? I suspect we don't support ECDSA yet, and that's what's causing the issue. See: https://pagure.io/389-ds-base/issue/50010 We can talk about it as a project and try to prioritise it, because I think it would be important to have. Sorry aboutthat :( > > Thanks > > Scott > > > > > > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
