i've installed ns-slapd -v 389 Project 389-Directory/1.4.3.12 B2020.213.0000 on grep PRETTY /etc/os-release PRETTY_NAME="Fedora 32 (Server Edition)" a server instance is up dsctl testinst status Instance "testinst" is running i check for cipher support dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 setup security, enabling those ciphers dsconf -D "cn=Directory Manager" testinst security set \ --security on \ --listen-host ldap.testinst.example.com \ --secure-port 636 \ --tls-protocol-min 3.3 \ --allow-insecure-ciphers off \ --allow-weak-dh-param off \ --cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 dsconf -D "cn=Directory Manager" testinst security ciphers list +TLS_CHACHA20_POLY1305_SHA256 +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 bundle my EC cert & key into a pkcs12 openssl pkcs12 -export \ -in testinst.server.EC.crt \ -inkey testinst.server.EC.key \ -out testinst.server.EC.p12 \ -name Server-Cert verify it openssl pkcs12 -info -in testinst.server.EC.p12 Enter Import Password: MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag Bag Attributes localKeyID: 52 ... E3 friendlyName: Server-Cert subject=... -----BEGIN CERTIFICATE----- MII...dBn -----END CERTIFICATE----- PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048 Bag Attributes localKeyID: 52 ... E3 friendlyName: Server-Cert Key Attributes: <No Attributes> Enter PEM pass phrase: Verifying - Enter PEM pass phrase: -----BEGIN ENCRYPTED PRIVATE KEY----- MII...6Fa -----END ENCRYPTED PRIVATE KEY----- add my CA cert dsconf -D "cn=Directory Manager" testinst security ca-certificate add \ --file /src/ssl/myCA.chain.crt \ --name myCA.chain.crt and, finally, attempt to add my just-created .p12 dsconf -D "cn=Directory Manager" testinst security certificate add \ --file /src/ssl/testinst.server.EC.p12 \ --name ldap.testinst.server.p12 \ --primary-cert the attempt FAILs, Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255. manually exec'ing that^ failed cmd /usr/bin/certutil \ -A \ -d /etc/dirsrv/slapd-testinst/certs \ -n ldap.testinst.server.p12 \ -t,, \ -i /src/ssl/testinst.server.EC.p12 \ -a \ -f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt returns certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error. my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here. what's the cause of the problem here? my usage? 389ds capabilities/support? _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
