PGNet Dev wrote: > i've installed > > ns-slapd -v > 389 Project > 389-Directory/1.4.3.12 B2020.213.0000 > > on > > grep PRETTY /etc/os-release > PRETTY_NAME="Fedora 32 (Server Edition)" > > a server instance is up > > dsctl testinst status > Instance "testinst" is running > > i check for cipher support > > dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha > TLS_CHACHA20_POLY1305_SHA256 > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 > > setup security, enabling those ciphers > > dsconf -D "cn=Directory Manager" testinst security set \ > --security on \ > --listen-host ldap.testinst.example.com \ > --secure-port 636 \ > --tls-protocol-min 3.3 \ > --allow-insecure-ciphers off \ > --allow-weak-dh-param off \ > --cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 > > dsconf -D "cn=Directory Manager" testinst security ciphers list > +TLS_CHACHA20_POLY1305_SHA256 > +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 > > bundle my EC cert & key into a pkcs12 > > openssl pkcs12 -export \ > -in testinst.server.EC.crt \ > -inkey testinst.server.EC.key \ > -out testinst.server.EC.p12 \ > -name Server-Cert > > verify it > > openssl pkcs12 -info -in testinst.server.EC.p12 > Enter Import Password: > MAC: sha1, Iteration 2048 > MAC length: 20, salt length: 8 > PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 > Certificate bag > Bag Attributes > localKeyID: 52 ... E3 > friendlyName: Server-Cert > subject=... > > -----BEGIN CERTIFICATE----- > MII...dBn > -----END CERTIFICATE----- > PKCS7 Data > Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048 > Bag Attributes > localKeyID: 52 ... E3 > friendlyName: Server-Cert > Key Attributes: <No Attributes> > Enter PEM pass phrase: > Verifying - Enter PEM pass phrase: > -----BEGIN ENCRYPTED PRIVATE KEY----- > MII...6Fa > -----END ENCRYPTED PRIVATE KEY----- > > add my CA cert > > dsconf -D "cn=Directory Manager" testinst security ca-certificate add \ > --file /src/ssl/myCA.chain.crt \ > --name myCA.chain.crt > > and, finally, attempt to add my just-created .p12 > > dsconf -D "cn=Directory Manager" testinst security certificate add \ > --file /src/ssl/testinst.server.EC.p12 \ > --name ldap.testinst.server.p12 \ > --primary-cert > > the attempt FAILs, > > Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255. > > manually exec'ing that^ failed cmd > > /usr/bin/certutil \ > -A \ > -d /etc/dirsrv/slapd-testinst/certs \ > -n ldap.testinst.server.p12 \ > -t,, \ > -i /src/ssl/testinst.server.EC.p12 \ > -a \ > -f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt > > returns > > certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error. > > my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here. > > what's the cause of the problem here? > > my usage? 389ds capabilities/support? I'm no expert but it looks to me like it is expecting a certificate, not a PKCS#12 file. The man page isn't exactly clear on what types are acceptable but based on the certutil error it looks like it only accepts PEM files. It isn't at all clear to me how one passes in the private key or a chain of trust. rob _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
