Old 12-14-2010, 07:51 AM
remy d1
 
problem with SSL

Hi list,
I have followed the instructions of the SSL Howto, but I am still stuck at the SSL activation.
From a clean installation, I try to launch the setupssl.sh script, but at the end, I have
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
There is no specific configuration except that I use the port 9831 for my DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I do not want to migrate (it is for testing)). I have modified the setupssl script to execute on this port.

If I just try the end of the script, you can see the error:
ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_qsha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Enter LDAP Password:
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"

I have checked every part of these ldif data. The error is here:
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_qsha
But if I do the modifications except this piece of code, ldaps can be started on port 636, but the cert files could not be loaded from dirsrv, so I cannot do any request in SSL... I also tried to:
- edit the dse.ldif file in the dirsrv DS configuration directory and delete the line corresponding to the cert files as the Red Hat documentation tells (after stopping the dirsrv service). We can see that dirsrv reloads the cert files in the dse.ldif file, but it changed nothing.
- delete every *.db and *.txt file and cacert.csa. Then, if I re-execute setupssl.sh, it generates the cert files, but (again), there are no changes...
Obviously, if I open 389-console, I can see this string in the properties of "cn=encryption,cn=config".

I have checked my real hostname and the other stuff specified in the documentation... I know that I do not use the standard LDAP port, but I do not see why this section could not work... Other LDAP requests on this port work.

Sorry for my bad English...
Any help would be appreciated!
Regards;
Rémy
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 12-14-2010, 02:53 PM
Rich Megginson
 
problem with SSL

On 12/14/2010 01:51 AM, remy d1 wrote:
> Hi list,
> I have followed the instructions of the SSL Howto, but I am still stuck at the SSL activation.
> From a clean installation, I try to launch the setupssl.sh script, but at the end, I have
> ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
> There is no specific configuration except that I use the port 9831 for my DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I do not want to migrate (it is for testing)). I have modified the setupssl script to execute on this port.

What version of 389-ds-base? What platform?

> If I just try the end of the script, you can see the error:
> ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOF
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
> +tls_rsa_export1024_with_des_cbc_qsha

Did you modify the script in any other way, other than changing the port number? Because the Ciphers attribute LDIF does not look correct. Each of the continuation lines should begin with a single space character - these continuation lines look left justified.

> dn: cn=config
> changetype: modify
> add: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
> -
> replace: nsslapd-secureport
> nsslapd-secureport: 636
>
> dn: cn=RSA,cn=encryption,cn=config
> changetype: add
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
> EOF
>
> Enter LDAP Password:
> ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
>
> I have checked every part of these ldif data. The error is here:
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
> +tls_rsa_export1024_with_des_cbc_qsha
>
> But if I do the modifications except this piece of code, ldaps can be started on port 636, but the cert files could not be loaded from dirsrv, so I cannot do any request in SSL...

If you do not successfully complete TLS/SSL configuration, you will almost always find that TLS/SSL is not working correctly.

What errors do you get? Error codes?

> I also tried to:
> - edit the dse.ldif file in the dirsrv DS configuration directory and delete the line corresponding to the cert files as the Red Hat documentation tells (after stopping the dirsrv service).

Since you did not successfully complete TLS/SSL configuration, you will find that TLS/SSL is not working correctly.

Can you provide a link to the Red Hat docs?

> We can see that dirsrv reloads the cert files in the dse.ldif file, but it changed nothing.
> - delete every *.db and *.txt file and cacert.csa. Then, if I re-execute setupssl.sh, it generates the cert files, but (again), there are no changes...
>
> Obviously, if I open 389-console, I can see this string in the properties of "cn=encryption,cn=config".

Including all of the ciphers in the Ciphers attribute?

> I have checked my real hostname and the other stuff specified in the documentation... I know that I do not use the standard LDAP port, but I do not see why this section could not work... Other LDAP requests on this port work.
>
> Sorry for my bad English...
> Any help would be appreciated!
> Regards;
> Rémy
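Rich's point about the continuation lines, as an added example that is not code from the thread or from the 389-ds project: a small Python parser that applies the LDIF folding rule (RFC 2849: a continuation line begins with exactly one space, which is dropped when the lines are joined) to the nsSSL3Ciphers change quoted in this post, rejects the left-justified version at physical line 11 of the record, the same line number ldapmodify reported, and folds a long value so that it parses back unchanged. The LDIF text is taken from the thread; the function names are my own.

```python
"""Apply the LDIF line-folding rule (RFC 2849) to the change quoted above.

Added example, not code from the thread or from 389-ds. The LDIF text is the
nsSSL3Ciphers change as quoted in the thread; the function names are my own.
"""
import re

# Constructed from the thread, folded correctly: every continuation line
# begins with exactly one space, which the parser strips when joining.
GOOD_LDIF = """dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_qsha
"""

# The same change with the continuation lines left-justified, as in the thread.
BAD_LDIF = GOOD_LDIF.replace("\n +", "\n+")

# A valid attribute line: attribute description, then ":" (or "::" for base64).
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*::?")


def parse_ldif_record(text):
    """Parse one LDIF record into a list of (name, value) pairs.

    A line starting with a single space continues the previous value; a line
    that is neither that nor a valid attribute line raises ValueError with the
    1-based physical line number, mirroring ldapmodify's "invalid format (line N)".
    """
    attrs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith(" "):
            if not attrs:
                raise ValueError(f"invalid format (line {lineno}): nothing to continue")
            name, value = attrs[-1]
            attrs[-1] = (name, value + line[1:])  # drop the fold space only
        elif line == "-":
            attrs.append(("-", ""))  # separator between changes in a modify record
        elif line == "" or line.startswith("#"):
            continue
        elif ATTR_LINE.match(line):
            name, _, value = line.partition(":")
            attrs.append((name, value.lstrip(": ").rstrip()))
        else:
            raise ValueError(f"invalid format (line {lineno}): {line!r}")
    return attrs


def fold_ldif_value(name, value, width=76):
    """Render 'name: value' with no physical line longer than width, every
    continuation line starting with exactly one space."""
    text = f"{name}: {value}"
    lines = [text[:width]]
    rest = text[width:]
    while rest:
        lines.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines)


def ciphers_from(text):
    """Return the unfolded nsSSL3Ciphers value of a parsed record."""
    return dict(parse_ldif_record(text))["nsSSL3Ciphers"]


if __name__ == "__main__":
    print(ciphers_from(GOOD_LDIF))
    try:
        parse_ldif_record(BAD_LDIF)
    except ValueError as err:
        print(err)  # the first left-justified continuation is line 11
    print(fold_ldif_value("nsSSL3Ciphers", ciphers_from(GOOD_LDIF)))
```

Run it directly to see the joined cipher list, the rejection of the left-justified record, and the re-folded output; the round trip through `fold_ldif_value` and `parse_ldif_record` is a cheap check to run over a hand-edited setupssl script before handing it to ldapmodify.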
 
Old 12-16-2010, 12:58 PM
remy d1
 
problem with SSL

2010/12/14 Rich Megginson <rmeggins@redhat.com>

> On 12/14/2010 01:51 AM, remy d1 wrote:
>> Hi list,
>> I have followed the instructions of the SSL Howto, but I am still stuck at the SSL activation.
>> From a clean installation, I try to launch the setupssl.sh script, but at the end, I have
>> ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
>> There is no specific configuration except that I use the port 9831 for my DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I do not want to migrate (it is for testing)). I have modified the setupssl script to execute on this port.
>
> What version of 389-ds-base? What platform?

389-ds-base-1.2.7.2-1.fc13.x86_64

Fedora 13
Linux 2.6.34.7-56.fc13.x86_64 #1 SMP

>> If I just try the end of the script, you can see the error:
>> ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOF
>> dn: cn=encryption,cn=config
>> changetype: modify
>> replace: nsSSL3
>> nsSSL3: on
>> -
>> replace: nsSSLClientAuth
>> nsSSLClientAuth: allowed
>> -
>> add: nsSSL3Ciphers
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>> +tls_rsa_export1024_with_des_cbc_qsha
>
> Did you modify the script in any other way, other than changing the port number? Because the Ciphers attribute LDIF does not look correct. Each of the continuation lines should begin with a single space character - these continuation lines look left justified.

I changed the name of "myhost" to put a "real hostname" corresponding to my domain. I will try to insert a space before each line.

>> dn: cn=config
>> changetype: modify
>> add: nsslapd-security
>> nsslapd-security: on
>> -
>> replace: nsslapd-ssl-check-hostname
>> nsslapd-ssl-check-hostname: off
>> -
>> replace: nsslapd-secureport
>> nsslapd-secureport: 636
>>
>> dn: cn=RSA,cn=encryption,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: nsEncryptionModule
>> cn: RSA
>> nsSSLPersonalitySSL: Server-Cert
>> nsSSLToken: internal (software)
>> nsSSLActivation: on
>> EOF
>>
>> Enter LDAP Password:
>> ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
>>
>> I have checked every part of these ldif data. The error is here:
>> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
>> +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
>> +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
>> +tls_rsa_export1024_with_des_cbc_qsha
>>
>> But if I do the modifications except this piece of code, ldaps can be started on port 636, but the cert files could not be loaded from dirsrv, so I cannot do any request in SSL...
>
> If you do not successfully complete TLS/SSL configuration, you will almost always find that TLS/SSL is not working correctly.
>
> What errors do you get? Error codes?

Red Hat link with error codes, "14.2.7. Updating Attribute Encryption for New SSL/TLS Certificates":

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html

Another error:
Starting dirsrv:
    KingKong...[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: certificate DB file cert8.db nor cert7.db exists in [/etc/dirsrv/slapd-KingKong] - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: key DB file /etc/dirsrv/slapd-KingKong/key3.db does not exist - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[16/Dec/2010:13:52:16 +0100] - ERROR: SSL Initialization Failed.

>> I also tried to:
>> - edit the dse.ldif file in the dirsrv DS configuration directory and delete the line corresponding to the cert files as the Red Hat documentation tells (after stopping the dirsrv service).
>
> Since you did not successfully complete TLS/SSL configuration, you will find that TLS/SSL is not working correctly.
>
> Can you provide a link to the Red Hat docs?
>
>> We can see that dirsrv reloads the cert files in the dse.ldif file, but it changed nothing.
>> - delete every *.db and *.txt file and cacert.csa. Then, if I re-execute setupssl.sh, it generates the cert files, but (again), there are no changes...
>>
>> Obviously, if I open 389-console, I can see this string in the properties of "cn=encryption,cn=config".
>
> Including all of the ciphers in the Ciphers attribute?

Yes!

Following the debugging:

Finally, it works...!
I have downloaded setupssl2.sh again with good spaces (for ciphers), and executed it. After removing the cert files (cacert, db, txt files) in /etc/dirsrv/slapd-instance/ I could launch ldaps correctly.

# ./setupssl2.sh /etc/dirsrv/slapd-KingKong/ 9831
Using /etc/dirsrv/slapd-KingKong/ as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA

Generating key.  This may take a few moments...

Creating self-signed CA certificate

Generating key.  This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host KingKong.mylocaldomain.com
Using fully qualified hostname KingKong.mylocaldomain.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the
real hostname you want to use

Generating key.  This may take a few moments...
Creating the admin server certificate

Generating key.  This may take a few moments...

Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Creating key and cert db for admin server
Importing the admin server key and cert (created above)
pk12util: PKCS12 IMPORT SUCCESSFUL
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Enabling SSL in the directory server - when prompted, provide the directory manager password
Enter LDAP Password:
-> Here, I could launch dirsrv (in another shell window).

modifying entry "cn=encryption,cn=config"
ldap_modify: Type or value exists (20)

Now, after restarting the dirsrv server and adding this:
# vi ~/.ldaprc
# TLS_CACERT <path-to-ca>.pem
TLS_REQCERT allow
I could launch ldaps requests on my server.
Thanks;
Regards.

>> I have checked my real hostname and the other stuff specified in the documentation... I know that I do not use the standard LDAP port, but I do not see why this section could not work... Other LDAP requests on this port work.
>>
>> Sorry for my bad English...
>> Any help would be appreciated!
>> Regards;
>> Rémy
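The SSL initialization warnings Rémy pasted above, taken as input to an added triage example that is not code from the thread or from the 389-ds project (the log lines are copied from the post, the function names are my own): it parses dirsrv errors-log records, flags a failed SSL initialization, and pulls out the NSS database files the server reported missing and the NSPR error code, which is what to check first when ldaps starts but the certificates do not load.

```python
"""Triage 389-ds (dirsrv) SSL initialization errors from the errors log.

Added example, not from the thread or the 389-ds project. The log lines are
the ones pasted in the thread; the function names are my own.
"""
import re

# Log records as pasted in the thread, one per line.
SAMPLE_LOG = """[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: certificate DB file cert8.db nor cert7.db exists in [/etc/dirsrv/slapd-KingKong] - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: key DB file /etc/dirsrv/slapd-KingKong/key3.db does not exist - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[16/Dec/2010:13:52:16 +0100] - ERROR: SSL Initialization Failed."""

# "[timestamp] <optional subsystem> - message"; the subsystem is absent on
# the lines that start with "] - ".
RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<subsystem>[^-]+?) )?- (?P<msg>.*)$")
# The two shapes the server uses to report a missing NSS database file.
MISSING_DB = re.compile(
    r"certificate DB file (?P<cert>\S+) nor \S+ exists in \[(?P<dir>[^\]]+)\]"
    r"|key DB file (?P<key>\S+) does not exist"
)
NSPR_ERR = re.compile(r"Netscape Portable Runtime error (?P<code>-?\d+)")


def parse_errors_log(text):
    """Split errors-log text into records of timestamp, subsystem and message."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"ts": m["ts"], "subsystem": m["subsystem"] or "", "msg": m["msg"]})
    return records


def triage_ssl_init(text):
    """Summarise whether SSL init failed, which NSS DB files were reported
    missing (as full paths) and which NSPR error codes appeared."""
    summary = {"failed": False, "missing_files": [], "nspr_codes": []}
    for rec in parse_errors_log(text):
        msg = rec["msg"]
        if "SSL Initialization Failed" in msg:
            summary["failed"] = True
        m = MISSING_DB.search(msg)
        if m:
            if m["cert"]:
                # the cert DB warning gives the directory separately from the file name
                summary["missing_files"].append(f"{m['dir']}/{m['cert']}")
            if m["key"]:
                summary["missing_files"].append(m["key"])
        for code in NSPR_ERR.findall(msg):
            summary["nspr_codes"].append(int(code))
    return summary


if __name__ == "__main__":
    for key, val in triage_ssl_init(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

The missing cert8.db and key3.db under the instance directory are the reason the later "Unable to authenticate" alert appears at all: without the NSS databases there is no server certificate for the RSA encryption module to load, so the summary points at the files to regenerate before anything else is changed.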
 
