Ski Kacoroski wrote: > Rich, > > Thanks very much for your replies. I tried again with no luck. I had > it working with the self-signed cert using setupssl2.sh. I changed the > password on the database to one I could type and verified that it worked > ok. I then added in my star cert, removed the self-signed certs, and > stopped the services. When I tried to restart I get this error: > > [root@ldaptest slapd-nsd-org]# service dirsrv start > Starting dirsrv: > nsd-org...[03/Mar/2010:09:09:25 -0800] - SSL alert: Security > Initialization: Can't find certificate (CA certificate) for family > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - > security library: bad database.) > [03/Mar/2010:09:09:25 -0800] - SSL alert: Security Initialization: > Unable to retrieve private key for cert CA certificate of family > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - > security library: bad database.) > [03/Mar/2010:09:09:25 -0800] - SSL failure: None of the cipher are valid > [03/Mar/2010:09:09:25 -0800] - ERROR: SSL Initialization phase 2 Failed. > [FAILED] > *** Warning: 1 instance(s) failed to start > > I use digicert as my authority. They have options for the certs when I > get them (e.g. Apache, Tomcat, Java, etc.). I have been choosing Apache > and it seems to install just fine. Perhaps I need to choose a different > type? > > It looks like by adding in my cert and removing my old certs, it trashed > the database somehow. > > certutil -P ldaptest -d . -L > certutil: function failed: security library: bad database. > > I am going to do another reinstall and try again. Do you know of any > documentation for using non-self-signed certs with 389 directory server > all the docs I find are for self-signed certs. The problem is in the error message: Unable to retrieve private key for cert. You need the private key for this certificate. The easiest way to load it into NSS using the PKCS#12 format, as Rich suggested. If you have the key and cert stored as PEM files, common with openssl, see the openssl pkcs12 man page. rob -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
