FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 09-28-2010, 02:56 PM
Reinhard Nappert
 
Default 389 DS 1.2.6. and certificates

Hi,
I built and
installed the 389 Directory Server 1.2.6 on CentOS 4.4. The server works fine.

Then, I generated
the certs (using certutil) and imported them in the cert-store. The certs are
generated basically generated by the setupssl2.sh script. When I list the certs
afterwards, everything looks fine:
*
certutil -L -d
/etc/dirsrv/<dir-instance>
CA
certificate*************************************** ***
CTu,u,u
<hostname>**************************************** ****
u,u,u

However, when I
restart the server, I get the following error and the server does not come up
anymore:
[28/Sep/2010:10:45:40 -0400] - SSL alert: Security
Initialization: NSS initialization failed (Netscape Portable Runtime error -8174
- security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
*
Not surprisingly,
the certutil -L -d .... comes up with the same error:
certutil: function
failed: security library: bad database.
*
Any idea, what goes
wrong there?
*
Thanks,
-Reinhard


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-28-2010, 03:04 PM
Rich Megginson
 
Default 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> Hi,
> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
Do you mean 5.5? Or did you build it yourself?
> The server works fine.
> Then, I generated the certs (using certutil) and imported them in the
> cert-store. The certs are generated basically generated by the
> setupssl2.sh script. When I list the certs afterwards, everything
> looks fine:
>
> certutil -L -d /etc/dirsrv/<dir-instance>
> CA certificate CTu,u,u
> <hostname> u,u,u
> However, when I restart the server, I get the following error and the
> server does not come up anymore:
> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 -
> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>
> Not surprisingly, the certutil -L -d .... comes up with the same error:
> certutil: function failed: security library: bad database.
>
> Any idea, what goes wrong there?
Not sure. After running the script to generate the certs, can you
change the cert8.db, key3.db, and secmod.db files to be read only (mode
0400), before starting the directory server? Does that help?
>
> Thanks,
> -Reinhard
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-28-2010, 03:24 PM
Reinhard Nappert
 
Default 389 DS 1.2.6. and certificates

Yes, I built it myself on 4.4.

No, it does not make a difference when I change the files to read only, before I restart the server



-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich Megginson
Sent: Tuesday, September 28, 2010 11:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> Hi,
> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
Do you mean 5.5? Or did you build it yourself?
> The server works fine.
> Then, I generated the certs (using certutil) and imported them in the
> cert-store. The certs are generated basically generated by the
> setupssl2.sh script. When I list the certs afterwards, everything
> looks fine:
>
> certutil -L -d /etc/dirsrv/<dir-instance>
> CA certificate CTu,u,u
> <hostname> u,u,u
> However, when I restart the server, I get the following error and the
> server does not come up anymore:
> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 -
> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>
> Not surprisingly, the certutil -L -d .... comes up with the same error:
> certutil: function failed: security library: bad database.
>
> Any idea, what goes wrong there?
Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>
> Thanks,
> -Reinhard
>
> ----------------------------------------------------------------------
> --
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-28-2010, 06:46 PM
Gerrard Geldenhuis
 
Default 389 DS 1.2.6. and certificates

Hi

I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv were running.

Also check permissions:

-rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
-rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
-rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db

and my CA only have CT,,

Not sure that would make a difference but worth checking.

Regards

________________________________________
From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Reinhard Nappert [rnappert@juniper.net]
Sent: 28 September 2010 16:24
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Yes, I built it myself on 4.4.

No, it does not make a difference when I change the files to read only, before I restart the server



-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich Megginson
Sent: Tuesday, September 28, 2010 11:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> Hi,
> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
Do you mean 5.5? Or did you build it yourself?
> The server works fine.
> Then, I generated the certs (using certutil) and imported them in the
> cert-store. The certs are generated basically generated by the
> setupssl2.sh script. When I list the certs afterwards, everything
> looks fine:
>
> certutil -L -d /etc/dirsrv/<dir-instance>
> CA certificate CTu,u,u
> <hostname> u,u,u
> However, when I restart the server, I get the following error and the
> server does not come up anymore:
> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 -
> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>
> Not surprisingly, the certutil -L -d .... comes up with the same error:
> certutil: function failed: security library: bad database.
>
> Any idea, what goes wrong there?
Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>
> Thanks,
> -Reinhard
>
> ----------------------------------------------------------------------
> --
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-28-2010, 06:55 PM
Reinhard Nappert
 
Default 389 DS 1.2.6. and certificates

I have the same permissions.

CTu,u,u works with my previous servers. Since I did a certutil -L -d .... before the restart, I know that the database was fine before I restarted the server.

-Reinhard

-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis
Sent: Tuesday, September 28, 2010 2:47 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Hi

I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv were running.

Also check permissions:

-rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
-rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
-rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db

and my CA only have CT,,

Not sure that would make a difference but worth checking.

Regards

________________________________________
From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Reinhard Nappert [rnappert@juniper.net]
Sent: 28 September 2010 16:24
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Yes, I built it myself on 4.4.

No, it does not make a difference when I change the files to read only, before I restart the server



-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich Megginson
Sent: Tuesday, September 28, 2010 11:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> Hi,
> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
Do you mean 5.5? Or did you build it yourself?
> The server works fine.
> Then, I generated the certs (using certutil) and imported them in the
> cert-store. The certs are generated basically generated by the
> setupssl2.sh script. When I list the certs afterwards, everything
> looks fine:
>
> certutil -L -d /etc/dirsrv/<dir-instance>
> CA certificate CTu,u,u
> <hostname> u,u,u
> However, when I restart the server, I get the following error and the
> server does not come up anymore:
> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 -
> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>
> Not surprisingly, the certutil -L -d .... comes up with the same error:
> certutil: function failed: security library: bad database.
>
> Any idea, what goes wrong there?
Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>
> Thanks,
> -Reinhard
>
> ----------------------------------------------------------------------
> --
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-28-2010, 07:12 PM
Rob Crittenden
 
Default 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> I have the same permissions.
>
> CTu,u,u works with my previous servers. Since I did a certutil -L -d .... before the restart, I know that the database was fine before I restarted the server.
>

Could this be pin related? Do you have a different password set on the
database than the 389-ds instance is expecting?

rob

> -Reinhard
>
> -----Original Message-----
> From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis
> Sent: Tuesday, September 28, 2010 2:47 PM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>
> Hi
>
> I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv were running.
>
> Also check permissions:
>
> -rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
> -rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
> -rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db
>
> and my CA only have CT,,
>
> Not sure that would make a difference but worth checking.
>
> Regards
>
> ________________________________________
> From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Reinhard Nappert [rnappert@juniper.net]
> Sent: 28 September 2010 16:24
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>
> Yes, I built it myself on 4.4.
>
> No, it does not make a difference when I change the files to read only, before I restart the server
>
>
>
> -----Original Message-----
> From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich Megginson
> Sent: Tuesday, September 28, 2010 11:05 AM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>
> Reinhard Nappert wrote:
>> Hi,
>> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
> Do you mean 5.5? Or did you build it yourself?
>> The server works fine.
>> Then, I generated the certs (using certutil) and imported them in the
>> cert-store. The certs are generated basically generated by the
>> setupssl2.sh script. When I list the certs afterwards, everything
>> looks fine:
>>
>> certutil -L -d /etc/dirsrv/<dir-instance>
>> CA certificate CTu,u,u
>> <hostname> u,u,u
>> However, when I restart the server, I get the following error and the
>> server does not come up anymore:
>> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
>> initialization failed (Netscape Portable Runtime error -8174 -
>> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>>
>> Not surprisingly, the certutil -L -d .... comes up with the same error:
>> certutil: function failed: security library: bad database.
>>
>> Any idea, what goes wrong there?
> Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>>
>> Thanks,
>> -Reinhard
>>
>> ----------------------------------------------------------------------
>> --
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> __________________________________________________ ______________________
> In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
>
> __________________________________________________ ______________________
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-28-2010, 07:42 PM
Rob Crittenden
 
Default 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> No, this is fine.
>
> Before I restart the server certutil is fine, afterwards, it is not ......

Are both dirsrv and certutil using the same NSS library?

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten@redhat.com]
> Sent: Tuesday, September 28, 2010 3:13 PM
> To: General discussion list for the 389 Directory server project.
> Cc: Reinhard Nappert
> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>
> Reinhard Nappert wrote:
>> I have the same permissions.
>>
>> CTu,u,u works with my previous servers. Since I did a certutil -L -d .... before the restart, I know that the database was fine before I restarted the server.
>>
>
> Could this be pin related? Do you have a different password set on the database than the 389-ds instance is expecting?
>
> rob
>
>> -Reinhard
>>
>> -----Original Message-----
>> From: 389-users-bounces@lists.fedoraproject.org
>> [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of
>> Gerrard Geldenhuis
>> Sent: Tuesday, September 28, 2010 2:47 PM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Hi
>>
>> I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv were running.
>>
>> Also check permissions:
>>
>> -rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
>> -rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
>> -rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db
>>
>> and my CA only have CT,,
>>
>> Not sure that would make a difference but worth checking.
>>
>> Regards
>>
>> ________________________________________
>> From: 389-users-bounces@lists.fedoraproject.org
>> [389-users-bounces@lists.fedoraproject.org] on behalf of Reinhard
>> Nappert [rnappert@juniper.net]
>> Sent: 28 September 2010 16:24
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Yes, I built it myself on 4.4.
>>
>> No, it does not make a difference when I change the files to read
>> only, before I restart the server
>>
>>
>>
>> -----Original Message-----
>> From: 389-users-bounces@lists.fedoraproject.org
>> [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich
>> Megginson
>> Sent: Tuesday, September 28, 2010 11:05 AM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Reinhard Nappert wrote:
>>> Hi,
>>> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
>> Do you mean 5.5? Or did you build it yourself?
>>> The server works fine.
>>> Then, I generated the certs (using certutil) and imported them in the
>>> cert-store. The certs are generated basically generated by the
>>> setupssl2.sh script. When I list the certs afterwards, everything
>>> looks fine:
>>>
>>> certutil -L -d /etc/dirsrv/<dir-instance>
>>> CA certificate CTu,u,u
>>> <hostname> u,u,u
>>> However, when I restart the server, I get the following error and the
>>> server does not come up anymore:
>>> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization:
>>> NSS initialization failed (Netscape Portable Runtime error -8174 -
>>> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>>>
>>> Not surprisingly, the certutil -L -d .... comes up with the same error:
>>> certutil: function failed: security library: bad database.
>>>
>>> Any idea, what goes wrong there?
>> Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?
>>>
>>> Thanks,
>>> -Reinhard
>>>
>>> ---------------------------------------------------------------------
>>> -
>>> --
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> __________________________________________________ ____________________
>> __ In order to protect our email recipients, Betfair Group use SkyScan
>> from MessageLabs to scan all Incoming and Outgoing mail for viruses.
>>
>> __________________________________________________ ____________________
>> __
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 04:47 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org