Re: Unable to configure admin server with SSL

[Richard Megginson <rmeggins@xxxxxxxxxx>]

FDS User wrote:
> Tried all combinations for the url with and without https and with the 
> right port #:
>
> IP address
> ldap.test.com
> ldap
>
> Still no luck.
>
> adminserv error log:
> [Thu May 10 13:19:36 2007] [warn] NSSProtocols not set; using: SSLv3 
> and TLSv1
> [Thu May 10 13:19:36 2007] [notice] Access Host filter is: *.test.com
> [Thu May 10 13:19:36 2007] [notice] Access Address filter is: *
> [Thu May 10 13:19:37 2007] [warn] NSSProtocols not set; using: SSLv3 
> and TLSv1
> [Thu May 10 13:19:37 2007] [notice] Access Host filter is: *.test.com
> [Thu May 10 13:19:37 2007] [notice] Access Address filter is: *
> [Thu May 10 13:19:37 2007] [notice] Apache/2.2.4 (Unix) mod_nss/2.2.3 
> NSS/3.11.3 configured -- resuming normal operations
> [Thu May 10 13:38:18 2007] [notice] caught SIGTERM, shutting down
> [Thu May 10 13:39:10 2007] [warn] NSSProtocols not set; using: SSLv3 
> and TLSv1
> [Thu May 10 13:39:10 2007] [notice] Access Host filter is: *.test.com
> [Thu May 10 13:39:10 2007] [notice] Access Address filter is: *
> [Thu May 10 13:39:11 2007] [warn] NSSProtocols not set; using: SSLv3 
> and TLSv1
> [Thu May 10 13:39:11 2007] [notice] Access Host filter is: *.test.com
> [Thu May 10 13:39:11 2007] [notice] Access Address filter is: *
> [Thu May 10 13:39:11 2007] [notice] Apache/2.2.4 (Unix) mod_nss/2.2.3 
> NSS/3.11.3 configured -- resuming normal operations
> [Thu May 10 13:40:10 2007] [error] SSL Library Error: -12271 SSL 
> client cannot verify your certificate
cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P admin-serv-ldap-

Do you have a CA certificate in that list?
> Thanks.
>
>
> Richard Megginson wrote:
> > FDS User wrote:
> > > I tried changing the permission for local.conf and restarted both 
> > > admin and dir server. That didn't solve the issue.
> > > Attached is the error I get when the login fails.
> > For the console login dialog, for the admin url field, did you use 
> > https://host:port/ ?
> > tail admin-serv/logs/error
> > > Thanks.
> > >
> > > Richard Megginson wrote:
> > > > FDS User wrote:
> > > > > Below is the ls and grep output.
> > > > >
> > > > > [root@ldap slapd-ldap]# ls -al /opt/fedora-ds/alias
> > > > > <snip> looks ok
> > > > >
> > > > >
> > > > > [root@ldap slapd-ldap]# ls -al /opt/fedora-ds/admin-serv/config
> > > > > total 84
> > > > > drwxr-xr-x 2 nobody nobody  4096 May  9 10:31 .
> > > > > drwxr-xr-x 8 root   root    4096 May  9 10:32 ..
> > > > > -rw------- 1 nobody nobody   544 May 10 13:17 adm.conf
> > > > > -rw------- 1 nobody nobody    39 May  7 18:28 admpw
> > > > > -rw------- 1 root   root    4598 May  7 18:28 admserv.conf
> > > > > -rw------- 1 nobody nobody  3702 May 10 13:17 console.conf
> > > > > -rw------- 1 root   root   26784 May  7 18:28 httpd.conf
> > > > > -rw-r--r-- 1 root   root   19233 May  7 18:28 local.conf
> > > > This is the likely culprit.  Shut down the admin server, then chown 
> > > > nobody:nobody local.conf, then restart.
> > > > > -r-------- 1 nobody nobody  4604 May  7 18:29 nss.conf
> > > > >
> > > > >
> > > > > [root@ldap slapd-ldap]# grep NSS 
> > > > > /opt/fedora-ds/admin-serv/config/console.conf
> > > > > NSSEngine on
> > > > > NSSNickname server-cert
> > > > > #   The NSS security database directory that holds the 
> > > > > certificates and
> > > > > NSSCertificateDatabase /opt/fedora-ds/alias
> > > > > NSSDBPrefix admin-serv-ldap-
> > > > > NSSCipherSuite 
> > > > > +des,+rc2export,+rc4export,+desede3,+rc4,+rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5 
> > > > >
> > > > > NSSVerifyClient none
> > > > >
> > > > >
> > > > >
> > > > > Richard Megginson wrote:
> > > > > > FDS User wrote:
> > > > > > > Hi,
> > > > > > > I am getting "PSET failure: PSET attribute creation or local 
> > > > > > > cache update failed" when I try to enable SSL for admin server 
> > > > > > > using the encryption tab.
> > > > > > > I have used it in the past without issues and now for some 
> > > > > > > reason I get this error after doing a re-install of fds.
> > > > > > > I used the SSL script from the fds site to generate the certs.
> > > > > > >
> > > > > > > Admin server log has this error:
> > > > > > > [error] SSL Library Error: -12271 SSL client cannot verify your 
> > > > > > > certificate
> > > > > > >
> > > > > > > Any help is highly appreciated.
> > > > > > ls -al /opt/fedora-ds/alias
> > > > > > ls -al /opt/fedora-ds/admin-serv/config
> > > > > >
> > > > > > grep NSS /opt/fedora-ds/admin-serv/config/console.conf
> > > > > > > Thanks.
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Fedora-directory-users mailing list
> > > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > ------------------------------------------------------------------------ 
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Fedora-directory-users mailing list
> > > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > >   
> > > > > ------------------------------------------------------------------------ 
> > > > >
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > >

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users