with installed

/usr/sbin/ns-slapd -v
389 Project
389-Directory/1.4.3.12 B2020.213.0000

running instancename == 'sso'

systemctl status dirsrv@sso.service -ln0
● dirsrv@sso.service - 389 Directory Server sso.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
           └─custom.conf
           /etc/systemd/system/dirsrv@sso.service.d
           └─override.conf
   Active: active (running) since Thu 2020-08-27 16:11:16 PDT; 6min ago
  Process: 24861 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-sso/dse.ldif (code=exited, status=0/SUCCESS)
 Main PID: 24866 (ns-slapd)
   Status: "slapd started: Ready to process requests"
    Tasks: 25 (limit: 9500)
   Memory: 50.7M
      CPU: 2.832s
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@sso.service
           └─24866 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-sso -i /run/dirsrv/slapd-sso.pid

dsctl sso status
Instance "sso" is running

checking _supported_ ciphers

dsconf -D "cn=ds" sso security ciphers list --supported | grep -i cha
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

setting initial security

dsconf -D "cn=ds" sso security set \
 --security on \
 --listen-host ldap.example.com \
 --secure-port 636 \
 --tls-protocol-min 1.2 \
 --allow-insecure-ciphers off \
 --allow-weak-dh-param off \
 --cipher-pref "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"

stopping server

dsctl sso stop

importing CA, OK

dsctl sso tls import-ca \
 /src/ssl/myCA.CHAIN.crt.pem \
 ldap.sso.CA.crt

importing cert/key, OK

dsctl sso tls import-server-key-cert \
 /src/ssl/ldap.server.EC.crt \
 /src/ssl/ldap.server.EC.key

importing client-CA, **FAILS**

dsctl sso tls import-client-ca \
 /src/ssl/myCA.CHAIN.crt.pem \
 ldap.sso.clientCA.crt
Error: Command '['/usr/bin/certutil', '-M', '-d', '/etc/dirsrv/slapd-sso', '-n', 'ldap.sso.clientCA.crt', '-t', 'T,,', '-f', '/etc/dirsrv/slapd-sso/pwdfile.txt']' returned non-zero exit status 255.

restarting server

dsctl sso start

checking _enabled_ ciphers

dsconf -D "cn=ds" sso security ciphers list --enabled
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

*2* certs are listed,

dsconf -D "cn=ds" sso security certificate list
Certificate Name: ldap.sso.CA.crt
Subject DN: E=ssl@xxxxxxxxxxx,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
Issuer DN: CN=myCA_ROOT,E=ssl@xxxxxxxxxxx,C=US,ST=CA,L=city,OU=myCA,O=example.com
Expires: 2027-06-02 21:41:51
Trust Flags: ,,

Certificate Name: Server-Cert
Subject DN: E=ssl@xxxxxxxxxxx,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
Issuer DN: E=ssl@xxxxxxxxxxx,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2030-08-25 00:50:38
Trust Flags: u,u,u

only one should be listed 'just' as a cert,

dsctl sso tls show-server-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4666 (0x123a)
        Signature Algorithm: X9.62 ECDSA signature with SHA256
        Issuer: "E=ssl@xxxxxxxxxxx,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US"
        Validity:
            Not Before: Thu Aug 27 00:50:38 2020
            Not After : Sun Aug 25 00:50:38 2030
        Subject: "E=ssl@xxxxxxxxxxx,CN=ldap.example.com,OU=presence-group.net_CA,O=example.com,L=city,ST=CA,C=US"
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:05:2b:81:04:00:22
            EC Public Key:
                PublicValue:
                    04:...:3c
                Curve: SECG elliptic curve secp384r1 (aka NIST P-384)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Type
            Data: <SSL Server>

            Name: Certificate Comment
            Comment: "example.com SERVER Certificate"

            Name: Certificate Subject Key ID
            Data:
                ea:...:78

            Name: Certificate Authority Key Identifier
            Key ID:
                d0:...:cd
            Issuer:
                Directory Name: "CN=myCA_ROOT,E=ssl@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com"
            Serial Number: 4096 (0x1000)

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

            Name: Certificate Subject Alt Name
            DNS name: "ldap.example.com"
            DNS name: "www.ldap.example.com"
            DNS name: "localhost"

    Signature Algorithm: X9.62 ECDSA signature with SHA256
    Signature:
        30:...:67
    Fingerprint (SHA-256):
        22:...:18
    Fingerprint (SHA1):
        52:...:E3

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

the other is the ca cert. but ca list reports empty with dsconf

dsconf -D "cn=ds" sso security ca-certificate list
(empty)

as do both of dsctl tls queries

dsctl sso tls list-ca
(empty)

dsctl sso tls list-client-ca
(empty)

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
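An added check, not from the post or the 389-ds project, that parses a `dsconf ... security certificate list` listing and flags any certificate acting as an issuer inside the NSS DB whose SSL trust column carries neither C nor T, which is the state the listing above shows (the CA with `Trust Flags: ,,`); it assumes the listing format quoted in the post and that the CA listings only show certificates carrying such a flag, and the sample DNs are constructed and shortened.

```python
# Constructed sample (not real data), modelled on the
# `dsconf ... security certificate list` output quoted in the post;
# DNs are shortened to the CN/OU/O components.
SAMPLE_LISTING = """\
Certificate Name: ldap.sso.CA.crt
Subject DN: CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
Issuer DN: CN=myCA_ROOT,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2027-06-02 21:41:51
Trust Flags: ,,
Certificate Name: Server-Cert
Subject DN: CN=ldap.example.com,OU=myCA,O=example.com,ST=CA,C=US
Issuer DN: CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2030-08-25 00:50:38
Trust Flags: u,u,u
"""


def parse_listing(text: str) -> list[dict[str, str]]:
    """Turn the listing into one dict per 'Certificate Name:' block."""
    certs: list[dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Certificate Name":
            certs.append({"name": value})
        elif certs:
            certs[-1][key] = value
    return certs


def ssl_trust(cert: dict[str, str]) -> str:
    """First (SSL) column of the NSS trust string, e.g. 'CT' from 'CT,,'."""
    return cert.get("Trust Flags", ",,").split(",")[0]


def audit_chain(certs: list[dict[str, str]]) -> list[str]:
    """Flag CA certs (issuer of another cert in the DB) with no C/T SSL trust,
    and leaf certs whose issuer is not in the DB. Assumption: the CA listing
    commands only report certs that carry a C or T flag."""
    subjects = {c["Subject DN"] for c in certs}
    issuers = {c["Issuer DN"] for c in certs}
    issues = []
    for c in certs:
        if c["Subject DN"] in issuers:  # used as a CA inside this DB
            if not set(ssl_trust(c)) & {"C", "T"}:
                issues.append(f"{c['name']}: CA without C/T SSL trust flag "
                              f"(flags {c.get('Trust Flags')!r})")
        elif c["Issuer DN"] not in subjects:
            issues.append(f"{c['name']}: issuer not present in DB")
    return issues
```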