Old 08-01-2012, 04:17 PM
Rich Megginson

dirsrv-admin startup issues with SSL/TLS configuration

On 08/01/2012 08:17 AM, Arnold Werschky wrote:

Good morning,

I'm trying to set up a new install LDAP server with self signed TLS/SSL on CentOS 6.2

My install using setup-ds-admin.pl was typical, and I was able to login to the 389-Console after installation.

At that point I downloaded the script from richm : https://github.com/richm/scripts/blob/master/setupssl2.sh

I received two errors during its run (full output is at the bottom).

pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.

start-ds-admin now fails to start, with the following error messages in /var/log/dirsrv/admin-serv/error

[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:

I've searched for the SSL Library error to no avail. If anyone can give me a starting point I'd appreciate it.






***************************************************************************
setupssl2.sh output
***************************************************************************




Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA

Generating key.  This may take a few moments...

Creating self-signed CA certificate

Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host ldap.xxxxx.com
Using fully qualified hostname ldap.xxxxx.com for the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the
real hostname you want to use

Generating key.  This may take a few moments...

Creating the admin server certificate

Generating key.  This may take a few moments...

Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Importing the admin server key and cert (created above)
Incorrect password/PIN entered.
pk12util: Failed to authenticate to PKCS11 slot: The security password entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate Services": The user pressed cancel.


Hmm - this is really strange.

ls -al /etc/dirsrv/slapd-*

ls -al /etc/dirsrv/admin-serv



Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Turning on NSSEngine
Use ldaps for config ds connections
Enabling SSL in the directory server
when prompted, provide the directory manager password
Password:modifying entry "cn=encryption,cn=config"

modifying entry "cn=config"

adding new entry "cn=RSA,cn=encryption,cn=config"

Enabling SSL in the admin server
modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"

Done.  You must restart the directory server and the admin server for the changes to take effect.






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





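An added triage helper, not code from this thread or from 389 Directory Server, that parses the admin-serv error log lines quoted above and names the NSS database that rejected the token password. The sample log is constructed from the three lines in this thread; the mapping of -8177 to SEC_ERROR_BAD_PASSWORD is NSS's own name for that code, and the Diagnosis class, its field names and the summary wording are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Line shape of /var/log/dirsrv/admin-serv/error as quoted in the thread:
# "[Tue Jul 31 16:34:09 2012] [error] <message>"
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CERTDB_RE = re.compile(r"Certificate database: (?P<path>\S+?)\.?$")
NSS_ERR_RE = re.compile(r"SSL Library Error: (?P<code>-?\d+)")
# The one NSS code the thread shows; -8177 is SEC_ERROR_BAD_PASSWORD.
NSS_ERROR_NAMES = {-8177: "SEC_ERROR_BAD_PASSWORD"}


@dataclass
class Diagnosis:
    bad_slot_password: bool = False   # "Password for slot internal is incorrect"
    nss_init_failed: bool = False     # "NSS initialization failed"
    certdb: Optional[str] = None      # cert/key db directory NSS tried to open
    nss_error: Optional[int] = None   # numeric code from "SSL Library Error"

    def nss_error_name(self) -> str:
        return NSS_ERROR_NAMES.get(self.nss_error, "UNKNOWN")

    def summary(self) -> str:
        """Operator-facing verdict: which database rejected the token password."""
        if self.bad_slot_password and self.certdb:
            return (f"{self.nss_error_name()}: the internal-token password the admin "
                    f"server presented was rejected by the NSS database in {self.certdb}")
        if self.nss_init_failed:
            return f"NSS initialization failed for {self.certdb or 'an unknown cert db'}"
        return "no NSS startup failure found"


def diagnose(lines: Iterable[str]) -> Diagnosis:
    """Scan [error] lines and collect the NSS failure details."""
    d = Diagnosis()
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m or m["level"] != "error":
            continue  # skip blank lines, notices and anything not in log format
        msg = m["msg"]
        d.bad_slot_password |= "Password for slot internal is incorrect" in msg
        d.nss_init_failed |= "NSS initialization failed" in msg
        if db := CERTDB_RE.search(msg):
            d.certdb = db["path"]
        if err := NSS_ERR_RE.search(msg):
            d.nss_error = int(err["code"])
    return d


# Constructed sample: the three lines quoted from the admin-serv error log above.
SAMPLE_LOG = """\
[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate database: /etc/dirsrv/admin-serv.
[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security password entered is incorrect:
"""
```

Running `diagnose()` over the real /var/log/dirsrv/admin-serv/error tells you which database directory to compare against the password file the admin server reads before touching any cert db.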
 
Old 08-01-2012, 04:27 PM
Arnold Werschky

dirsrv-admin startup issues with SSL/TLS configuration

As an aside, I can get rid of the errors on the setupssl2.sh script by making the following change...but I don't know if it's a change I should be making.
[root@ldap ~]# diff setupssl2.sh setupssl2.sh.orig*
185c185< * * pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt---> * * pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
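Review bot: the only change in line 185 is the pk12util `-d` target, from $assecdir to $secdir, so the admin server key and cert that the script exported to $secdir/adminserver.p12 are imported into the NSS database under $secdir, the same directory whose pwdfile.txt is passed as `-w` and `-k`, which is consistent with the "Incorrect password/PIN entered" failure going away. Note the diff was taken as `diff setupssl2.sh setupssl2.sh.orig`, so the `<` line is the edited version and the `>` line is the original, the reverse of the usual orientation; swap the arguments before sending it upstream. Worth confirming afterwards that the admin server's nss.conf (listed under /etc/dirsrv/admin-serv in the `ls` output below) points its NSSCertificateDatabase at the database that now holds server-cert, otherwise the import succeeds but the admin server still starts without the certificate.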

*********************************************************************
results of commands requested:
*********************************************************************
[root@ldap ~]# ls -al /etc/dirsrv/slapd-*
total 472
drwxrwx--- 3 ldap ldap  4096 Jul 31 15:01 .
drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..
-r-------- 1 ldap ldap  2114 Jul 31 14:36 adminserver.p12
-rw-r--r-- 1 ldap root   647 Jul 31 14:36 cacert.asc
-rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db
-r--r----- 1 ldap ldap  3595 Jul 31 13:19 certmap.conf
-rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif
-rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
-rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
-r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
-rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db
-r-------- 1 ldap ldap    41 Jul 31 14:36 noise.txt
-rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
-rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
-r-------- 1 ldap ldap    67 Jul 31 14:36 pin.txt
-r-------- 1 ldap ldap    41 Jul 31 14:36 pwdfile.txt
drwxrwx--- 2 ldap ldap  4096 Jul 31 15:01 schema
-rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db
-r--r----- 1 ldap ldap  5366 Jul 31 13:19 slapd-collations.conf
[root@ldap ~]# ls -al /etc/dirsrv/admin-serv
total 196
drwx------ 2 ldap root  4096 Jul 31 15:27 .
drwxrwxr-x 7 root ldap  4096 Jul 31 14:03 ..
-rw------- 1 ldap ldap   498 Jul 31 14:36 adm.conf
-rw------- 1 ldap root    40 Jul 31 13:19 admpw
-rw-r--r-- 1 root root  3936 Mar 27 08:33 admserv.conf
-rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db
-rw------- 1 ldap ldap  4467 Jul 31 14:36 console.conf
-rw------- 1 ldap root  4467 Jul 27 18:42 console.conf.rpmsave
-rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf
-rw------- 1 ldap root 16384 Jul 31 16:05 key3.db
-rw------- 1 ldap root 13343 Jul 31 13:19 local.conf
-r-------- 1 ldap ldap  4535 Jul 31 14:36 nss.conf
-rw------- 1 ldap root  4535 Jul 27 16:20 nss.conf.rpmsave
-rw------- 1 ldap root    50 Jul 31 15:27 password.conf
-rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 08-01-2012, 07:12 PM
Rich Megginson

dirsrv-admin startup issues with SSL/TLS configuration

On 08/01/2012 10:27 AM, Arnold Werschky wrote:

As an aside, I can get rid of the errors on the setupssl2.sh script by making the following change...but I don't know if it's a change I should be making.

Yes, that looks correct.  Not sure when/how that was broken.






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
