Re: 389-ds-base/cockpit-389-ds on EL9

> What exactly were you trying to do?  Were you trying to change the server certificate name to a different one?

Correct, I was trying to set it to use a "proper" cert issued by Let's Encrypt.
I imported the Let's Encrypt cert, which I had converted to PKCS#12. Then I tried, via the cockpit security settings, to select it from the drop-down. It was listed, and let me save, but when I restarted the instance and refreshed cockpit it reverted to "Server-Cert".
I didn't notice anything at first in the error log, but after setting it in dse.ldif I noticed this in errors:

"CERT_VerifyCertificateNow: verify certificate failed for cert MyCert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired"

This made me realise I'd used the older pkcs12 I had lying about. At that point I used certutil to replace it (i.e. deleted it, and re-added it to the keystore) and restarted without issue.

I thought it may be because it was expired that it wasn't saving, but I’ve just tried doing the same thing with a new cert as a test and get the same result. 


1) Convert LE to pkcs12

/usr/bin/openssl pkcs12 -export \
    -in $LE_DIR/cert.pem \
    -inkey $LE_DIR/privkey.pem \
    -out $LE_DIR/$HOSTNAME.p12 -name $HOSTNAME \
    -certfile $LE_DIR/chain.pem -caname LE-CHAIN \
    -password pass:$P12_PWD

2) Import to keystore
pk12util -i $LE_DIR/$HOSTNAME.p12 -d /etc/dirsrv/slapd-<INSTANCE>/ -K $LDAP_STORE_PWD -W $P12_PWD

3) At this point I can see it and select it in cockpit security settings, and save. But after restarting the instance, it reverts to the previous cert that was selected (MyCert)

Tailing the log at the point of saving the setting in cockpit I have found just this

[14/Aug/2022:22:53:08.686135019 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifiersname" is not allowed, ignoring!
[14/Aug/2022:22:53:08.687311089 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifytimestamp" is not allowed, ignoring!
[14/Aug/2022:22:53:08.687839552 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifiersname" is not allowed, ignoring!
[14/Aug/2022:22:53:08.688445652 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifytimestamp" is not allowed, ignoring!

However, I see that when I change other settings (for example Paged Search Size Limit), they seem to stick.

All the best
Dan
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
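Added example, not part of Dan's post and not 389-ds project code: a pre-flight script for the three steps above that refuses to build or import a PKCS#12 whose cert is already expired (the cause of the -8181 error in the post), checks that privkey.pem belongs to cert.pem, builds the .p12 with the chain, and reads back the friendlyName that certutil -L and cockpit will show as the nickname. It also prints the LDIF equivalent of picking the cert in cockpit, which is a replace of nsSSLPersonalitySSL on cn=RSA,cn=encryption,cn=config (the entry named in the error log), so the change can be applied and checked with ldapmodify/ldapsearch instead of the UI. The LE_DIR layout, the instance path under /etc/dirsrv, and the ldap.example.test name are assumptions; make_fixture builds a constructed throwaway CA and leaf so everything but nss_import runs offline with only openssl. Passwords are passed via files (-passout/-passin for openssl, -w/-k for pk12util) rather than on the command line, where they are visible in ps.

```shell
#!/bin/sh
# Added example (not the poster's script, not 389-ds code). Assumed layout:
# $LE_DIR/cert.pem, privkey.pem, chain.pem; instance NSS db at
# /etc/dirsrv/slapd-$INSTANCE. make_fixture builds a constructed CA + leaf.
set -eu

# 0 if CERT has not passed its notAfter. The post's -8181 "Peer's
# Certificate has expired" came from an old .p12 that failed this check.
cert_not_expired() {   # CERT
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if PRIVKEY is the private key for CERT (compare the SubjectPublicKeyInfo).
key_matches_cert() {   # CERT PRIVKEY
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build the PKCS#12; NICK becomes the NSS nickname once imported.
# The export password comes from PWFILE instead of argv.
p12_build() {   # LE_DIR NICK PWFILE OUT
    openssl pkcs12 -export \
        -in "$1/cert.pem" -inkey "$1/privkey.pem" \
        -certfile "$1/chain.pem" -caname LE-CHAIN \
        -name "$2" -passout "file:$3" -out "$4"
}

# First friendlyName in the .p12 (the server cert bag): this is what
# certutil -L and the cockpit drop-down will list after pk12util -i.
p12_nickname() {   # P12 PWFILE
    openssl pkcs12 -in "$1" -nokeys -info -passin "file:$2" 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Whole pre-flight: prints the nickname on success, non-zero with a reason
# before anything touches the NSS database.
p12_preflight() {   # LE_DIR NICK PWFILE OUT
    cert_not_expired "$1/cert.pem" || { echo "refusing: cert.pem is expired" >&2; return 1; }
    key_matches_cert "$1/cert.pem" "$1/privkey.pem" || { echo "refusing: privkey.pem does not match cert.pem" >&2; return 1; }
    p12_build "$1" "$2" "$3" "$4"
    n=$(p12_nickname "$4" "$3")
    [ "$n" = "$2" ] || { echo "refusing: nickname is '$n', expected '$2'" >&2; return 1; }
    echo "$n"
}

# Import into the instance db and list what is now there. Needs the NSS
# tools; -w/-k read the .p12 and db passwords from files.
nss_import() {   # P12 PWFILE INSTANCE NSSPWFILE
    command -v pk12util >/dev/null || { echo "pk12util not installed" >&2; return 2; }
    pk12util -i "$1" -w "$2" -d "/etc/dirsrv/slapd-$3" -k "$4"
    certutil -L -d "/etc/dirsrv/slapd-$3"
}

# LDIF equivalent of choosing the cert in cockpit's security page; apply
# with ldapmodify as Directory Manager, then restart and re-read the entry.
ldif_select_cert() {   # NICK
    printf '%s\n' \
        'dn: cn=RSA,cn=encryption,cn=config' \
        'changetype: modify' \
        'replace: nsSSLPersonalitySSL' \
        "nsSSLPersonalitySSL: $1"
}

# Constructed fixture: a throwaway CA and a leaf it signs, standing in for
# Let's Encrypt's cert.pem/privkey.pem/chain.pem so the checks run offline.
make_fixture() {   # DIR
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=fixture-ca' \
        -keyout "$1/ca.key" -out "$1/chain.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout "$1/privkey.pem" -out "$1/csr.pem" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$1/csr.pem" -CA "$1/chain.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/cert.pem" >/dev/null 2>&1
    printf 'p12-secret\n' > "$1/p12.pw"
}

# Demo run: ./preflight.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_fixture "$d"
    p12_preflight "$d" ldap.example.test "$d/p12.pw" "$d/ldap.example.test.p12"
    ldif_select_cert ldap.example.test
    rm -rf "$d"
fi
```

After the import, `certutil -L -d /etc/dirsrv/slapd-<INSTANCE>` should show the nickname with `u,u,u` trust flags and the LE chain entry; if the nickname set with ldapmodify still reverts to the old one after a restart, compare the on-disk dse.ldif value of nsSSLPersonalitySSL before and after the restart to see whether the write is being lost or rejected.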