hi
On 8/27/20 10:32 AM, Mark Reynolds wrote:
> A few things here. The server's securtity/certificate directory is typically /etc/dirsrv/slapd-INSTANCE
mine's
grep nsslapd-certdir /etc/dirsrv/slapd-testinst/dse.ldif
nsslapd-certdir: /etc/dirsrv/slapd-testinst/certs
config'd at dscreate/init time
testinst.inf
cert_dir = etc/dirsrv/slapd-{instance_name}/certs
tree /etc/dirsrv/slapd-testinst/certs
/etc/dirsrv/slapd-testinst/certs
├── cert9.db
├── key4.db
├── noise.txt
├── pin.txt
├── pkcs11.txt
└── pwdfile.txt
so it's, here, at least what was intended
> so that is what you should use with the "-d" option with certutil.
point is *I* did not 'create' that `certutil ...` cmd line
that's what's returned when I exec
dsconf -D "cn=Directory Manager" testinst security certificate add \
--file /src/ssl/testinst.server.EC.p12 \
--name ldap.testinst.server.p12 \
--primary-cert
iiuc (??), that^^ _should_ source the 'file' from fullpath, and ADD it to the config'd cert-dir, i.e.,
etc/dirsrv/slapd-{instance_name}/certs
> Use the same value for "-d" that is returned by this command:
and that _does_ appear to be the case
>> /usr/bin/certutil \
>> -A \
>> -d /etc/dirsrv/slapd-testinst/certs \
...
so it's using the config I provided.
is there a problem with the _provided_ config?
> You listed a subdirectory which is probably not correct and
> SELinux might not like it
selinux is disabled
getenforce
Disabled
sestatus
SELinux status: disabled
> Also the SSL min version should be 1.1, 1.2, or 1.3, yours is set to 3.3 (definitely not valid - it is probably generating an error in the logs, but unrelated to the current problem).
I'd gotten that from
https://access.redhat.com/articles/1474813
Protocols
RawolcTLSProtocolMin: 3.3
and
https://man7.org/linux/man-pages/man5/slapd-config.5.html
olcTLSProtocolMin: <major>[.<minor>]Specifies minimum SSL/TLS protocol version that will benegotiated. If the server doesn't support at least thatversion, the SSL handshake will fail. To require TLS 1.x orhigher, set this option to 3.(x+1), e.g.,olcTLSProtocolMin: 3.2would require TLS 1.1. Specifying a minimum that is higherthan that supported by the OpenLDAP implementation will resultin it requiring the highest level that it does support. Thisdirective is ignored with GnuTLS.
which is, admittedly, openldap-centric. since thorough (change) docs have been challenging to find on this ... I'd assumed some consistency 'tween implementations.
seems not! so, for 389ds, pebkac!
1st, switching that to == 1.2, so
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL3Ciphers: +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
modifiersName: cn=directory manager
modifyTimestamp: 20200827175342Z
>>> sslVersionMin: 1.2
...
, then restarting the instance
unfortunately makes no difference.
on exec
dsconf -D "cn=Directory Manager" testinst security certificate add \
--file /src/ssl/testinst.server.EC.p12 \
--name ldap.testinst.server.p12 \
--primary-cert
still FAILs, returning as above,
Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.
still missing _something_ :-/
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
