On 8/27/20 11:27 AM, Mark Reynolds wrote:
> This is the old "archived" link - it is definitely outdated. Here's a newer one:
>
> https://www.port389.org/docs/389ds/howto/howto-ssl.html
>
> Or better yet check out the official docs, which tell you how to use dsconf and set all of this up:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server

For future reference, _which_ is the "official/current documentation" site for Fedora-pkg'd 389ds?

	https://access.redhat.com/documentation/en-us/red_hat_directory_server
	https://directory.fedoraproject.org/docs/389ds
or
	https://www.port389.org/docs/389ds

?

Per

	https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server#importing-a-private-key-and-server-certifiate

	"This section describes how to import both a private key and Certificate Signing Request (CSR), if you did not create them in the NSS database using an external tool."

which _is_ my case (though I think "import ... Certificate Signing Request (CSR)" is a typo here), so NOT dsconf either ... but dsctl.

Checking:

	dsctl testinst tls import-server-key-cert -h
		usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

		positional arguments:
		  cert_path   The path to the x509 cert to import as Server-Cert
		  key_path    The path to the x509 key to import associated to Server-Cert

		optional arguments:
		  -h, --help  show this help message and exit

Exec

	dsctl testinst tls import-server-key-cert \
	  /etc/ssl/ldap.testinst.server.crt.pem \
	  /etc/ssl/ldap.testinst.server.key.pem

_appears_ 'happy' to add the server cert, with no error returned.

Verifying:

	cat dse.ldif
		....
		dn: cn=RSA,cn=encryption,cn=config
		objectClass: top
		objectClass: nsEncryptionModule
		cn: RSA
		nsSSLPersonalitySSL: ldap.testinst.server.p12
		nsSSLActivation: on
		nsSSLToken: internal (software)
		modifiersName: cn=directory manager
		modifyTimestamp: 20200827175643Z
		...

But per

	https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#enabling_tls_in_directory_server_using_the_command_line

	"Display the name of the server certificate in the NSS database:"

checking

	dsctl testinst restart
	dsconf -D "cn=Directory Manager" testinst security certificate list

returns (empty).

Where'd it go?

Checking:

	tree /usr/local/etc/dirsrv/slapd-testinst/
		/usr/local/etc/dirsrv/slapd-testinst/
	>>>	├── cert9.db
		├── certmap.conf
		├── certs
	???	│   ├── cert9.db
	???	│   ├── key4.db
		│   ├── noise.txt
		│   ├── pin.txt
	???	│   ├── pkcs11.txt
		│   └── pwdfile.txt
		├── dse.ldif
		├── dse.ldif.bak
		├── dse.ldif.startOK
	>>>	├── key4.db
	>>>	├── pkcs11.txt
		├── schema
		│   └── 99user.ldif
		└── slapd-collations.conf

It appears to have _ignored_ my instance's cert_dir spec'n:

	nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs

If I manually

	cd /usr/local/etc/dirsrv/slapd-testinst/
	mv -f cert9.db key4.db pkcs11.txt certs/

NOW

	dsconf -D "cn=Directory Manager" testinst security certificate list

correctly sees/lists the cert:

	Certificate Name: Server-Cert
	Subject DN: ...

The instance-specific

	dsctl testinst tls import-server-key-cert

_should_ respect the instance config, no?

_______________________________________________
389-users mailing list
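The check and the workaround described in the post above, written out as a small POSIX shell script. This is an added example, not code from the original message or from the 389-ds project; the function names are my own, and the only assumptions are the layout shown in the post (a dse.ldif carrying an "nsslapd-certdir:" attribute, and a sql-format NSS database made of cert9.db, key4.db and pkcs11.txt). The demo at the bottom builds a throwaway instance tree under mktemp so it runs without a real Directory Server.

```sh
#!/bin/sh
# Added example, not code from the original post or from 389-ds itself.
# Checks whether an instance's NSS database files ended up in the directory
# named by nsslapd-certdir or were left behind in the instance directory,
# and moves them across if asked. Function names are mine; the file layout
# (dse.ldif with "nsslapd-certdir:", cert9.db/key4.db/pkcs11.txt) is the one
# shown in the post above.
set -eu

# Print the nsslapd-certdir value from an instance's dse.ldif.
certdir_from_dse() {
    sed -n 's/^nsslapd-certdir: *//p' "$1" | head -n 1
}

# Succeed if a sql-format NSS database (cert9.db + key4.db) exists in $1.
nss_db_present() {
    [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]
}

# Succeed if an NSS database is sitting in the instance dir ($1) although
# nsslapd-certdir ($2) points somewhere else: the symptom in the post.
stray_nss_db() {
    [ "$2" != "$1" ] && nss_db_present "$1"
}

# Move the three database files from the instance dir ($1) into the
# configured certdir ($2). mv -f overwrites whatever is already in $2, which
# is what the post did (the certs/ copy there was the empty db created at
# instance setup); back up $2 first on a real instance.
relocate_nss_db() {
    mkdir -p "$2"
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$1/$f" ]; then
            mv -f "$1/$f" "$2/$f"
        fi
    done
}

# Constructed demo tree mirroring the post's layout. Real instances live
# under /etc/dirsrv/slapd-<name>/ (or /usr/local/etc/dirsrv/ as in the post).
demo() {
    tmp=$(mktemp -d)
    inst="$tmp/slapd-testinst"
    mkdir -p "$inst/certs"
    printf 'dn: cn=config\nnsslapd-certdir: %s/certs\n' "$inst" > "$inst/dse.ldif"
    for f in cert9.db key4.db pkcs11.txt; do : > "$inst/$f"; done   # stray copy

    certdir=$(certdir_from_dse "$inst/dse.ldif")
    echo "configured certdir: $certdir"
    if stray_nss_db "$inst" "$certdir"; then
        echo "NSS db found in $inst rather than certdir: relocating"
        relocate_nss_db "$inst" "$certdir"
    fi
    if nss_db_present "$certdir" && ! stray_nss_db "$inst" "$certdir"; then
        echo "NSS db now in $certdir; restart and re-run the dsconf certificate list"
    fi
    rm -rf "$tmp"
}

demo
```

On a live instance the sequence after relocate_nss_db is the one in the post: dsctl <instance> restart, then dsconf -D "cn=Directory Manager" <instance> security certificate list. The script only confirms where the files are; it does not explain why the import wrote to the instance directory, and it will happily clobber the certs/ copy, so keep a copy of that directory before running it outside a test tree.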