2010/12/14 Rich Megginson <rmeggins@xxxxxxxxxx>
389-ds-base-1.2.7.2-1.fc13.x86_64
Fedora 13
Linux 2.6.34.7-56.fc13.x86_64 #1 SMP
I changed the name of "myhost" to put a "real hostname" corresponding to my domain. I will try to insert a space before each line.
On 12/14/2010 01:51 AM, remy d1 wrote:What version of 389-ds-base? What platform?Hi list,
I have followed the instructions of the SSL Howto, but I am still stick at the SSL activation.
From a clean installation, I try to launch the setupssl.sh script, but at the end, I haveldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
There is not specific configuration except that I use the port 9831 for my DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I do not want to migrate (it is for testing)). I have modified the setupssl script to execute on this port.
389-ds-base-1.2.7.2-1.fc13.x86_64
Fedora 13
Linux 2.6.34.7-56.fc13.x86_64 #1 SMP
If I just try the end of the script, you can see the error :
ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOFdn: cn=encryption,cn=configchangetype: modifyreplace: nsSSL3nsSSL3: on-replace: nsSSLClientAuthnsSSLClientAuth: allowed-add: nsSSL3CiphersnsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_qsha
Did you modify the script in any other way, other than changing the port number? Because the Ciphers attribute LDIF does not look correct. Each of the continuation lines should begin with a single space character - these continuation lines look left justified.
I changed the name of "myhost" to put a "real hostname" corresponding to my domain. I will try to insert a space before each line.
If you do not successfully complete TLS/SSL configuration, you will almost always find that TLS/SSL is not working correctly.
dn: cn=configchangetype: modifyadd: nsslapd-securitynsslapd-security: on-replace: nsslapd-ssl-check-hostnamensslapd-ssl-check-hostname: off-replace: nsslapd-secureportnsslapd-secureport: 636
dn: cn=RSA,cn=encryption,cn=configchangetype: addobjectclass: topobjectclass: nsEncryptionModulecn: RSAnsSSLPersonalitySSL: Server-CertnsSSLToken: internal (software)nsSSLActivation: on
EOF
Enter LDAP Password:ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
I have checked every part of these ldif data. The error is here :nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_qsha
But if I do the modifications except this piece of code, ldaps can be started on the port 636, but the cert files could not be loaded from dirsrv, so I can not do any request in SSL...
What errors do you get? Error codes?
Red Hat Link with error codes "14.2.7.ÂUpdating Attribute Encryption for New SSL/TLS Certificates"Â:
Another error :
Starting dirsrv:
ÂÂ ÂKingKong...[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: certificate DB file cert8.db nor cert7.db exists in [/etc/dirsrv/slapd-KingKong] - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: key DB file /etc/dirsrv/slapd-KingKong/key3.db does not exist - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[16/Dec/2010:13:52:16 +0100] - ERROR: SSL Initialization Failed.
Since you did not successfully complete TLS/SSL configuration, you will find that TLS/SSL is not working correctly.
I also try to :Â- edit dse.ldif file in the dirsrv DS configuration directory and delete the line corresponding to the cert files as Red Hat documentation tells (after stoping dirsrv service).
Can you provide a link to the Red Hat docs?Including all of the ciphers in the Ciphers attribute?
We can see that dirsrv reload the cert files in the dse.ldif file, but it changed nothing.Â- delete every *.db and *.txt files and cacert.csa. Then, if I reexecute setupssl.sh, it generates the cert files, but (again), there is no changes...
Obviously, if I open 389-console, I could see this string in the properties of "cn=encryption,cn=config".
Yes !Â
********
Following the debugging :
Finally, it works... !
I have downloaded setupssl2.sh again with good spaces (for ciphers), and execute it. After removing the cert files (cacert, db, txt files) in /etc/dirsrv/slapd-instance/ I could launch ldaps correctly.
#./setupssl2.sh /etc/dirsrv/slapd-KingKong/ 9831
-> Here, I could launch dirsrv (in another window shell).Using /etc/dirsrv/slapd-KingKong/ as sec directoryNo CA certificate found - will create new oneNo Server Cert found - will create new oneNo Admin Server Cert found - will create new oneCreating password file for security tokenCreating noise fileCreating new key and cert dbCreating encryption key for CAGenerating key. ÂThis may take a few moments...Creating self-signed CA certificateGenerating key. ÂThis may take a few moments...Is this a CA certificate [y/N]?Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?Exporting the CA certificate to cacert.ascGenerating server certificate for 389 Directory Server on host KingKong.mylocaldomain.comUsing fully qualified hostname KingKong.mylocaldomain.comÂfor the server name in the server cert subject DNNote: If you do not want to use this hostname, edit this script to change myhost to thereal hostname you want to useGenerating key. ÂThis may take a few moments...Creating the admin server certificateGenerating key. ÂThis may take a few moments...Exporting the admin server certificate pk12 filepk12util: PKCS12 EXPORT SUCCESSFULCreating pin file for directory serverCreating key and cert db for admin serverImporting the admin server key and cert (created above)pk12util: PKCS12 IMPORT SUCCESSFULImporting the CA certificate from cacert.ascEnabling the use of a password file in admin serverEnabling SSL in the directory server - when prompted, provide the directory manager passwordEnter LDAP Password:
modifying entry "cn=encryption,cn=config"ldap_modify: Type or value exists (20)
# vi ~/.ldaprc # TLS_CACERT <path-to-ca>.pem TLS_REQCERT allow
I could launch ldaps request on my server.
Thanks;
Regards.
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
I have checked my real hostname and other stuffs specified in the documentation... I know that I do not use the standard LDAP port but I do not see why this section could not work... Other ldap request on this port work.
Sorry for my bad english...
Any help would be gracefull !
Regards;
RÃmy
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
