Re: dsconf-adding pkcs12 cert to 398ds/1.4.3.12 fails : "could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error." ?

On 8/27/20 12:23 PM, Mark Reynolds wrote:
> >  https://access.redhat.com/documentation/en-us/red_hat_directory_server

^^^  This is the official documentation 

noted, thx.

i'm pretty sure I came across something/somewhere recently that explicitly stated red_hat_directory_server != fedora directory server.

hence the confusion.


>> so NOT dsconf either ... but dsctl.
> 
> You can do it with dsconf, see:   "dsconf INST security --help", and "dsconf INST security certificate --help"

ok, confused more now.  that's where I _started_ (up there^), and failed.


>> _should_ respect the instance config, no?
> 
> If you had to copy the cert and key files into /certs for it to work then there is a bug in the server(or maybe the CLI) when it is creating the NSS database.  What is in the errors log?  At server startup it logs a lot of information about the security configuration.  It would be great to see this logging as it could help narrow down the problem.


dsctl testinst stop

rm -f /var/log/dirsrv/slapd-testinst/*
rm -f /etc/dirsrv/slapd-testinst/certs/{cert9.db,key4.db,pkcs11.txt}

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
	/var/log/dirsrv/slapd-testinst
	/etc/dirsrv/slapd-testinst
		├── certmap.conf
		├── certs
		│   ├── noise.txt
		│   ├── pin.txt
		│   └── pwdfile.txt
		├── dse.ldif
		├── dse.ldif.bak
		├── dse.ldif.startOK
		├── schema
		│   └── 99user.ldif
		└── slapd-collations.conf

		2 directories, 12 files

dsctl testinst tls import-server-key-cert \
 /etc/ssl/testinst.server.EC.crt.pem \
 /etc/ssl/testinst.server.EC.key.pem

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
	/var/log/dirsrv/slapd-testinst
	/etc/dirsrv/slapd-testinst
>>>	├── cert9.db
	├── certmap.conf
	├── certs
	│   ├── noise.txt
	│   ├── pin.txt
	│   └── pwdfile.txt
	├── dse.ldif
	├── dse.ldif.bak
	├── dse.ldif.startOK
>>>	├── key4.db
>>>	├── pkcs11.txt
	├── schema
	│   └── 99user.ldif
	└── slapd-collations.conf

dsctl testinst start
journalctl -f -u dirsrv@testinst.service

	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.429465758 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.431266675 -0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.469911561 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470543103 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470988905 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed.  Disabling SSL.
	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471534047 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
	Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471982899 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
	Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.281841989 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
	Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285150261 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
	Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285636673 -0700] - NOTICE - ldbm_back_start - found 5759888k available
	Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286082825 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
	Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286526296 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
	Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.362425203 -0700] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
	/var/log/dirsrv/slapd-testinst
	├── access
	├── access.rotationinfo
	├── audit
	├── audit.rotationinfo
	├── errors
	└── errors.rotationinfo
	/etc/dirsrv/slapd-testinst
	├── cert9.db
	├── certmap.conf
	├── certs
	│   ├── cert9.db
	│   ├── key4.db
	│   ├── noise.txt
	│   ├── pin.txt
	│   ├── pkcs11.txt
	│   └── pwdfile.txt
	├── dse.ldif
	├── dse.ldif.bak
	├── dse.ldif.startOK
	├── key4.db
	├── pkcs11.txt
	├── schema
	│   └── 99user.ldif
	└── slapd-collations.conf


cat /var/log/dirsrv/slapd-testinst/errors
	        389-Directory/1.4.3.12 B2020.213.0000
	        ldap.example.com:636 (/etc/dirsrv/slapd-testinst)

	[27/Aug/2020:12:49:14.430826073 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
	[27/Aug/2020:12:49:14.431281245 -0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
	[27/Aug/2020:12:49:14.469940641 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
	[27/Aug/2020:12:49:14.470559053 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
	[27/Aug/2020:12:49:14.471001315 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed.  Disabling SSL.
	[27/Aug/2020:12:49:14.471547467 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
	[27/Aug/2020:12:49:14.471993239 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
	[27/Aug/2020:12:49:15.281878669 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
	[27/Aug/2020:12:49:15.285170541 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
	[27/Aug/2020:12:49:15.285646883 -0700] - NOTICE - ldbm_back_start - found 5759888k available
	[27/Aug/2020:12:49:15.286093875 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
	[27/Aug/2020:12:49:15.286536256 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
	[27/Aug/2020:12:49:15.362452333 -0700] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests

dsconf -D "cn=Directory Manager" testinst security certificate list
	(empty)

dsctl testinst stop
mv -f \
 /etc/dirsrv/slapd-testinst/{cert9.db,key4.db,pkcs11.txt} \
 /etc/dirsrv/slapd-testinst/certs/

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
	/var/log/dirsrv/slapd-testinst
	├── access
	├── access.rotationinfo
	├── audit
	├── audit.rotationinfo
	├── errors
	└── errors.rotationinfo
	/etc/dirsrv/slapd-testinst
	├── certmap.conf
	├── certs
	│   ├── cert9.db
	│   ├── key4.db
	│   ├── noise.txt
	│   ├── pin.txt
	│   ├── pkcs11.txt
	│   └── pwdfile.txt
	├── dse.ldif
	├── dse.ldif.bak
	├── dse.ldif.startOK
	├── schema
	│   └── 99user.ldif
	└── slapd-collations.conf

dsctl testinst start
	Instance "testinst" has been started
journalctl -f -u dirsrv@testinst.service

	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.528433965 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531337496 -0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531922688 -0700] - ERR - slapd_extract_key - Unable to export encrypted private key (-8187, 0).
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533254283 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533823726 -0700] - INFO - Security Initialization - SSL info:         TLS_CHACHA20_POLY1305_SHA256: enabled
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.534399188 -0700] - INFO - Security Initialization - SSL info:         TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.535590322 -0700] - WARN - Security Initialization - SSL alert: Can't find certificate (ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536136904 -0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536679436 -0700] - ERR - Security Initialization - SSL failure: None of the cipher are valid
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537202738 -0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed.  Disabling SSL2.
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537840071 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
	Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.538396543 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
	Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.347878231 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
	Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.351455605 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
	Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.352434269 -0700] - NOTICE - ldbm_back_start - found 5795920k available
	Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.353173411 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
	Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.356305113 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
	Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.433760066 -0700] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests

cat errors
	        389-Directory/1.4.3.12 B2020.213.0000
	        ldap.example.com:636 (/etc/dirsrv/slapd-testinst)

	[27/Aug/2020:12:55:23.530261492 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
	[27/Aug/2020:12:55:23.531454427 -0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
	[27/Aug/2020:12:55:23.532011549 -0700] - ERR - slapd_extract_key - Unable to export encrypted private key (-8187, 0).
	[27/Aug/2020:12:55:23.533352904 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
	[27/Aug/2020:12:55:23.533914446 -0700] - INFO - Security Initialization - SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
	[27/Aug/2020:12:55:23.534495768 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
	[27/Aug/2020:12:55:23.535685673 -0700] - WARN - Security Initialization - SSL alert: Can't find certificate (ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
	[27/Aug/2020:12:55:23.536229615 -0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
	[27/Aug/2020:12:55:23.536760917 -0700] - ERR - Security Initialization - SSL failure: None of the cipher are valid
	[27/Aug/2020:12:55:23.537284429 -0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed.  Disabling SSL2.
	[27/Aug/2020:12:55:23.537932561 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
	[27/Aug/2020:12:55:23.538492173 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
	[27/Aug/2020:12:55:24.348152922 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
	[27/Aug/2020:12:55:24.351606535 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
	[27/Aug/2020:12:55:24.352537329 -0700] - NOTICE - ldbm_back_start - found 5795920k available
	[27/Aug/2020:12:55:24.353271032 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
	[27/Aug/2020:12:55:24.356407814 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
	[27/Aug/2020:12:55:24.433999217 -0700] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests

dsconf -D "cn=Directory Manager" testinst security certificate list

	Certificate Name: Server-Cert
	Subject DN: E=ssl@xxxxxxxxxxx,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
	Issuer DN: E=ssl@xxxxxxxxxxx,CN=myCA_INT,OU=myCA,O=example.com,ST=CA,C=US
	Expires: 2030-08-25 00:50:38
	Trust Flags: u,u,u
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
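Added example, not part of the thread and not code from the 389-ds project: a POSIX shell check for the mismatch the post demonstrates, where cert9.db, key4.db and pkcs11.txt end up next to dse.ldif while ns-slapd looks for them in the instance's certs/ directory. It reads the configured directory from the nsslapd-certdir attribute in dse.ldif (the fallback to <instance dir>/certs when that attribute is absent is an assumption), reports files that are missing or misplaced, and offers the same remedy the post applied by hand (moving the files into the configured directory). The fixture it builds under mktemp is constructed to mirror the layout shown above; the paths and instance name are placeholders.

```shell
#!/bin/sh
# Added example: verify that an instance's NSS database files live in the
# directory the instance config points at (nsslapd-certdir in dse.ldif),
# which is where ns-slapd looks for them at startup.

NSS_DB_FILES="cert9.db key4.db pkcs11.txt"

# Print the configured cert directory for an instance config dir.
# Assumption: nsslapd-certdir is a single-line attribute in dse.ldif;
# if it is absent, fall back to <instance dir>/certs (the layout in the post).
configured_certdir() {
    inst_dir="$1"
    certdir=""
    if [ -r "$inst_dir/dse.ldif" ]; then
        certdir=$(grep -i '^nsslapd-certdir: ' "$inst_dir/dse.ldif" | head -n 1 | sed 's/^[^:]*: *//')
    fi
    [ -n "$certdir" ] || certdir="$inst_dir/certs"
    printf '%s\n' "$certdir"
}

# Returns 0 when every NSS DB file is in the configured certdir, 1 otherwise.
# Misplaced copies (present in the instance dir but not in certdir) and
# missing files are reported on stdout, one per line.
check_nss_db_location() {
    inst_dir="$1"
    certdir=$(configured_certdir "$inst_dir")
    status=0
    for f in $NSS_DB_FILES; do
        if [ -f "$certdir/$f" ]; then
            continue
        fi
        status=1
        if [ -f "$inst_dir/$f" ]; then
            printf 'MISPLACED %s: found in %s, expected in %s\n' "$f" "$inst_dir" "$certdir"
        else
            printf 'MISSING %s: not found in %s\n' "$f" "$certdir"
        fi
    done
    return $status
}

# Move misplaced NSS DB files from the instance dir into certdir (the manual
# remedy used in the post), then re-run the check and return its status.
relocate_nss_db() {
    inst_dir="$1"
    certdir=$(configured_certdir "$inst_dir")
    mkdir -p "$certdir"
    for f in $NSS_DB_FILES; do
        if [ -f "$inst_dir/$f" ] && [ ! -f "$certdir/$f" ]; then
            mv -f "$inst_dir/$f" "$certdir/$f"
        fi
    done
    check_nss_db_location "$inst_dir" >/dev/null
}

# Constructed fixture reproducing the layout from the post: the three NSS
# files written next to dse.ldif instead of under certs/. Prints the path.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/certs"
    printf 'dn: cn=config\nnsslapd-certdir: %s/certs\n' "$fx" > "$fx/dse.ldif"
    for f in $NSS_DB_FILES; do : > "$fx/$f"; done
    printf '%s\n' "$fx"
}

# Usage on a real instance: check_nss_db_location /etc/dirsrv/slapd-testinst
# Demo against the constructed fixture: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    check_nss_db_location "$fx" || echo "check failed (expected before relocation)"
    relocate_nss_db "$fx" && echo "check passed after relocation"
    rm -rf "$fx"
fi
```

Run the check before `dsctl INSTANCE start` after any `dsctl ... tls import-server-key-cert`; a non-zero exit with MISPLACED lines is the condition that produced the "cert8.db nor cert9.db exists" CRIT messages in the post, and the server will silently fall back to plain LDAP on 389 if it is not caught.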



