Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 8/27/20 3:10 PM, PGNet Dev wrote:

On 8/27/20 11:27 AM, Mark Reynolds wrote:

This is the old "archived" link - it is definitely outdated. Here's a newer one:

https://www.port389.org/docs/389ds/howto/howto-ssl.html

Or better yet check out the official docs which tells you how to use dsconf and set all of this up:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server

for future reference, _which_ is the "official/current documentation" site for Fedora-pkg'd 389ds?

	https://access.redhat.com/documentation/en-us/red_hat_directory_server
	https://directory.fedoraproject.org/docs/389ds

or

	https://www.port389.org/docs/389ds


?

per,

	https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_the_nss_database_used_by_directory_server#importing-a-private-key-and-server-certifiate

		"This section describes how to import both a private key and Certificate Signing Request (CSR), if you did not create them in the NSS database using an external tool."

which _is_ my case (though, i think "import ... Certificate Signing Request (CSR)" is a typo here)

so NOT dsconf either ... but dsctl.
You can do it with dsconf, see:   "dsconf INST security --help", and "dsconf INST security certificate --help" 




checking,

	dsctl testinst tls import-server-key-cert  -h
		usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

		positional arguments:
		  cert_path   The path to the x509 cert to import as Server-Cert
		  key_path    The path to the x509 key to import atestinstciated to Server-Cert

		optional arguments:
		  -h, --help  show this help message and exit

exec

	dsctl testinst tls import-server-key-cert \
	 /etc/ssl/ldap.testinst.server.crt.pem \
	 /etc/ssl/ldap.testinst.server.key.pem

_appears_ 'happy' to add the server cert, with no error returned

verifying

	cat des.ldif
		....
		dn: cn=RSA,cn=encryption,cn=config
		objectClass: top
		objectClass: nsEncryptionModule
		cn: RSA
		nsSSLPersonalitySSL: ldap.testinst.server.p12
		nsSSLActivation: on
		nsSSLToken: internal (software)
		modifiersName: cn=directory manager
		modifyTimestamp: 20200827175643Z
		...

but per,

	https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/enabling_tls#enabling_tls_in_directory_server_using_the_command_line
		"Display the name of the server certificate in the NSS database: "

checking

	dsctl testinst restart
	dsconf -D "cn=Directory Manager" testinst security certificate list

returns

	(empty)

where'd it go?

checking

	tree /usr/local/etc/dirsrv/slapd-testinst/
		/usr/local/etc/dirsrv/slapd-testinst/

		├── cert9.db

		├── certmap.conf
		├── certs
???		│   ├── cert9.db
???		│   ├── key4.db
		│   ├── noise.txt
		│   ├── pin.txt
???		│   ├── pkcs11.txt
		│   └── pwdfile.txt
		├── dse.ldif
		├── dse.ldif.bak
		├── dse.ldif.startOK

		├── key4.db
		├── pkcs11.txt

		├── schema
		│   └── 99user.ldif
		└── slapd-collations.conf

it appears to have _ignored_ my instance's cert_dir spec'n

	nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs


if I manually

	cd /usr/local/etc/dirsrv/slapd-testinst/
	mv -f cert9.db key4.db pkcs11.txt certs/

NOW,

	dsconf -D "cn=Directory Manager" testinst security certificate list

correctly sees/lists the cert

		Certificate Name: Server-Cert
		Subject DN: ...

the instance-specific

	dsctl testinst tls import-server-key-cert

_should_ respect the instance config, no?
If you had to copy the cert and key files into /certs for it to work then there is a bug in the server(or maybe the CLI) when it is creating the NSS database.  What is in the errors log?  At server startup it logs a lot of information about the security configuration.  It would be great to see this logging as it could help narrow down the problem. 

Thanks,

Mark

--

389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux