Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 8/27/20 1:17 PM, PGNet Dev wrote:
i've installed

	ns-slapd -v
		389 Project
		389-Directory/1.4.3.12 B2020.213.0000

on

	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 32 (Server Edition)"

a server instance is up

	dsctl testinst status
		Instance "testinst" is running

i check for cipher support

	dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha
		TLS_CHACHA20_POLY1305_SHA256
		TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
		TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
		TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

setup security, enabling those ciphers

	dsconf -D "cn=Directory Manager" testinst security set \
	--security on \
	--listen-host ldap.testinst.example.com \
	--secure-port 636 \
	--tls-protocol-min 3.3 \
	--allow-insecure-ciphers off \
	--allow-weak-dh-param off \
	--cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

	dsconf -D "cn=Directory Manager" testinst security ciphers list
		+TLS_CHACHA20_POLY1305_SHA256
		+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

bundle my EC cert & key into a pkcs12

	openssl pkcs12 -export \
	 -in    testinst.server.EC.crt \
	 -inkey testinst.server.EC.key \
	 -out   testinst.server.EC.p12 \
	 -name Server-Cert

verify it

	openssl pkcs12 -info -in testinst.server.EC.p12
		Enter Import Password:
			MAC: sha1, Iteration 2048
			MAC length: 20, salt length: 8
			PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
			Certificate bag
			Bag Attributes
			    localKeyID: 52 ... E3
			    friendlyName: Server-Cert
			subject=...

			-----BEGIN CERTIFICATE-----
			MII...dBn
			-----END CERTIFICATE-----
			PKCS7 Data
			Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
			Bag Attributes
			    localKeyID: 52 ... E3
			    friendlyName: Server-Cert
			Key Attributes: <No Attributes>
		Enter PEM pass phrase:
		Verifying - Enter PEM pass phrase:
			-----BEGIN ENCRYPTED PRIVATE KEY-----
			MII...6Fa
			-----END ENCRYPTED PRIVATE KEY-----

add my CA cert

	dsconf -D "cn=Directory Manager" testinst security ca-certificate add \
	--file /src/ssl/myCA.chain.crt \
	--name myCA.chain.crt

and, finally, attempt to add my just-created .p12

	dsconf -D "cn=Directory Manager" testinst security certificate add \
	--file /src/ssl/testinst.server.EC.p12 \
	--name ldap.testinst.server.p12 \
	--primary-cert

the attempt FAILs,

	Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.

manually exec'ing that^ failed cmd

	/usr/bin/certutil \
	-A \
	-d /etc/dirsrv/slapd-testinst/certs \
	-n ldap.testinst.server.p12 \
	-t,, \
	-i /src/ssl/testinst.server.EC.p12 \
	-a \
	-f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt

returns

	certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error.

my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here.

what's the cause of the problem here?

my usage?  389ds capabilities/support?

A few things here.  The server's securtity/certificate directory is typically  /etc/dirsrv/slapd-INSTANCE, so that is what you should use with the "-d" option with certutil.  You listed a subdirectory which is probably not correct and SELinux might not like it.  Use the same value for "-d" that is returned by this command:

    # dsconf INSTANCE config get nsslapd-certdir     --->  if you use the instance name (INSTANCE) then dsconf uses LDAPI to authenticate if you are root (little easier to type)

   # dsconf testinst config get nsslapd-certdir

Also the SSL min version should be 1.1, 1.2, or 1.3, yours is set to 3.3 (definitely not valid - it is probably generating an error in the logs, but unrelated to the current problem).

HTH,

Mark

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux