On Friday, I updated one of several systems that I manage from version 1.2.11.15 to version 1.2.11.25. Thereafter, the service was unable to start. The error indicates a problem with SSL that I don't understand. I've included the relevant section from the "error" log below.
After reverting to the old package, the service starts again.
Does anyone understand this error and have a pointer on resolving it?
yum.log:
Sep 20 15:35:43 Updated: 389-ds-base-libs-1.2.11.15-22.el6_4.x86_64
Sep 20 15:36:24 Updated: 389-ds-base-1.2.11.15-22.el6_4.x86_64
Nov 22 15:03:40 Updated: 389-ds-base-libs-1.2.11.25-1.el6.x86_64
Nov 22 15:05:17 Updated: 389-ds-base-1.2.11.25-1.el6.x86_64
error:
[22/Nov/2013:15:05:08 -0800] - check_and_set_import_cache: pagesize: 4096, pages: 980670, procpages: 52580
[22/Nov/2013:15:05:08 -0800] - Import allocates 1569072KB import cache.
[22/Nov/2013:15:05:08 -0800] Upgrade DN Format - userRoot: Start upgrade dn format.
[22/Nov/2013:15:05:08 -0800] Upgrade DN Format - Instance userRoot in /var/lib/dirsrv/slapd-master1/db/userRoot is up-to-date
[22/Nov/2013:15:05:14 -0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[22/Nov/2013:15:05:15 -0800] slapd_get_unlocked_key_for_cert - Error: could not find any unlocked slots for certificate [E=postmaster@xxx.com,CN=mail.xxx.com,O=xxx, L=Seattle,ST=Washington,C=US,OID.2.5.4.13=5t6jP8FugTLuYrW8]. Please review your TLS/SSL configuration. The following slots were found:
[22/Nov/2013:15:05:15 -0800] slapd_get_unlocked_key_for_cert - Slot [NSS User Private Key and Certificate Services] token [Internal (Software) Token] was locked.
[22/Nov/2013:15:05:15 -0800] - Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8049 - Unrecognized Object IDentifier.
[22/Nov/2013:15:05:15 -0800] - Error: unable to initialize attrcrypt system for userRoot
[22/Nov/2013:15:05:16 -0800] - start: Failed to start databases, err=-1 Unknown error: -1
[22/Nov/2013:15:05:16 -0800] - Failed to start database plugin ldbm database
[22/Nov/2013:15:05:16 -0800] - WARNING: ldbm instance userRoot already exists
[22/Nov/2013:15:05:16 -0800] - ldbm_config_read_instance_entries: failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[22/Nov/2013:15:05:16 -0800] - ldbm_config_load_dse_info: failed to read instance entries
[22/Nov/2013:15:05:16 -0800] - start: Loading database configuration failed
[22/Nov/2013:15:05:16 -0800] - Failed to start database plugin ldbm database
[22/Nov/2013:15:05:16 -0800] - Error: Failed to resolve plugin dependencies
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin 7-bit check is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin Account Usability Plugin is not started
[22/Nov/2013:15:05:16 -0800] - Error: accesscontrol plugin ACL Plugin is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin ACL preoperation is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin Auto Membership Plugin is not started
[22/Nov/2013:15:05:16 -0800] - Error: object plugin Class of Service is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin deref is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin HTTP Client is not started
[22/Nov/2013:15:05:16 -0800] - Error: database plugin ldbm database is not started
[22/Nov/2013:15:05:16 -0800] - Error: object plugin Legacy Replication Plugin is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin Linked Attributes is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin Managed Entries is not started
[22/Nov/2013:15:05:16 -0800] - Error: object plugin Multimaster Replication Plugin is not started
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin Pass Through Authentication is not started
[22/Nov/2013:15:05:16 -0800] - Error: object plugin Roles Plugin is not started
[22/Nov/2013:15:05:16 -0800] - Error: object plugin Views is not started
On 11/25/2013 04:37 PM, Gordon Messmer wrote:
On Friday, I updated one of several systems that I manage from version 1.2.11.15 to version 1.2.11.25. Thereafter, the service was unable to start. The error indicates a problem with SSL that I don't understand. I've included the relevant section from the "error" log below.
After reverting to the old package, the service starts again.
Does anyone understand this error and have a pointer on resolving it?
Is there some reason you need to upgrade from the OS provided official RHEL 6.4 version of 389-ds-base to the non-OS provided version from the rmeggins epel6 repo?
Are you using attribute encryption?
The error message is saying that it cannot find your unlocked server SSL key. I am assuming this all worked before, and you have a pin.txt file and/or you have permanently unlocked your key/cert db.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
On 11/25/2013 03:54 PM, Rich Megginson wrote:
Is there some reason you need to upgrade from the OS provided official RHEL 6.4 version of 389-ds-base to the non-OS provided version from the rmeggins epel6 repo?
I no longer remember why that's there, actually. I feel like there was a feature not available in the RH packages, but have forgotten exactly what.
Are you using attribute encryption?
No, not as far as I know.
The error message is saying that it cannot find your unlocked server SSL key. I am assuming this all worked before, and you have a pin.txt file and/or you have permanently unlocked your key/cert db.
The key/cert db has one key which requires no passphrase, the corresponding certificate, and the certificates of the CA (StartSSL).
On 11/25/2013 06:26 PM, Gordon Messmer wrote:
On 11/25/2013 03:54 PM, Rich Megginson wrote:
Is there some reason you need to upgrade from the OS provided official RHEL 6.4 version of 389-ds-base to the non-OS provided version from the rmeggins epel6 repo?
I no longer remember why that's there, actually. I feel like there was a feature not available in the RH packages, but have forgotten exactly what.
I would suggest just using the 389-ds-base package that comes with RHEL 6.
Are you using attribute encryption?
No, not as far as I know.
Ok.
The error message is saying that it cannot find your unlocked server SSL key. I am assuming this all worked before, and you have a pin.txt file and/or you have permanently unlocked your key/cert db.
The key/cert db has one key which requires no passphrase, the corresponding certificate, and the certificates of the CA (StartSSL).
If you do
certutil -d /etc/dirsrv/slapd-* -K
does it prompt you for a password/pin?
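The cause Rich points at (the server cannot find an unlocked NSS slot holding the key for Server-Cert) sits two lines above a long cascade of "plugin ... is not started" errors, which is what an operator usually reads first. The script below is an added example and not code from this thread or from the 389-ds project. It parses 389-ds error-log lines of the form quoted above, extracts the certificate subject, the slot and token that reported themselves locked, and the NSS error code, and renders an operator note that points at the two checks suggested in this thread (pin.txt and certutil -K). The sample log is constructed from lines quoted in the thread; the parsing functions, class names and the /etc/dirsrv/slapd-<instance> path in the note are my assumptions based on the standard 389-ds layout.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, assembled from the error-log lines quoted in this thread:
# one normal startup line, the three lines carrying the real cause, and one of
# the follow-on plugin errors that must not be mistaken for the cause.
SAMPLE_LOG = """\
[22/Nov/2013:15:05:14 -0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[22/Nov/2013:15:05:15 -0800] slapd_get_unlocked_key_for_cert - Error: could not find any unlocked slots for certificate [E=postmaster@xxx.com,CN=mail.xxx.com,O=xxx, L=Seattle,ST=Washington,C=US,OID.2.5.4.13=5t6jP8FugTLuYrW8]. Please review your TLS/SSL configuration. The following slots were found:
[22/Nov/2013:15:05:15 -0800] slapd_get_unlocked_key_for_cert - Slot [NSS User Private Key and Certificate Services] token [Internal (Software) Token] was locked.
[22/Nov/2013:15:05:15 -0800] - Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8049 - Unrecognized Object IDentifier.
[22/Nov/2013:15:05:16 -0800] - Error: preoperation plugin ACL preoperation is not started
"""

# Log line shape seen in the thread: "[timestamp] <optional function> - <message>"
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$")
NO_SLOT_RE = re.compile(r"could not find any unlocked slots for certificate \[(?P<subject>[^\]]+)\]")
LOCKED_RE = re.compile(r"Slot \[(?P<slot>[^\]]+)\] token \[(?P<token>[^\]]+)\] was locked")
NSS_ERR_RE = re.compile(r"Can't get private key from cert (?P<nick>\S+) .*?:\s+(?P<code>-\d+)\s+-\s+(?P<text>.+?)\.?$")


@dataclass
class LogEntry:
    ts: str
    func: Optional[str]   # reporting function, None when the line has only "- message"
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one error-log line into timestamp, optional function name and message."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("- "):            # "[ts] - message": no function name
        return LogEntry(m.group("ts"), None, rest[2:])
    func, sep, msg = rest.partition(" - ")
    if not sep:                           # no separator at all: keep whole text as message
        return LogEntry(m.group("ts"), None, rest)
    return LogEntry(m.group("ts"), func, msg)


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


@dataclass
class LockedKeyFinding:
    cert_subject: str
    locked_slots: List[Tuple[str, str]] = field(default_factory=list)   # (slot, token)
    key_nickname: Optional[str] = None
    nss_error_code: Optional[int] = None
    nss_error_text: Optional[str] = None


def find_locked_key_problem(entries: List[LogEntry]) -> Optional[LockedKeyFinding]:
    """Return the TLS key-lock finding if the log shows one, else None.

    The "could not find any unlocked slots" line opens the finding; the locked-slot
    lines and the NSS error that follow it are attached to that finding."""
    finding = None
    for e in entries:
        m = NO_SLOT_RE.search(e.msg)
        if m:
            finding = LockedKeyFinding(cert_subject=m.group("subject"))
            continue
        if finding is None:
            continue
        m = LOCKED_RE.search(e.msg)
        if m:
            finding.locked_slots.append((m.group("slot"), m.group("token")))
            continue
        m = NSS_ERR_RE.search(e.msg)
        if m:
            finding.key_nickname = m.group("nick")
            finding.nss_error_code = int(m.group("code"))
            finding.nss_error_text = m.group("text")
    return finding


def describe(finding: LockedKeyFinding) -> str:
    """Operator-facing note; the two checks are the ones suggested in this thread.
    The instance path is an assumption based on the standard 389-ds layout."""
    lines = [f"TLS private key for certificate [{finding.cert_subject}] is not reachable:"]
    for slot, token in finding.locked_slots:
        lines.append(f"  locked: slot '{slot}', token '{token}'")
    if finding.nss_error_code is not None:
        lines.append(f"  NSS error {finding.nss_error_code} ({finding.nss_error_text}) "
                     f"while fetching the key for nickname {finding.key_nickname}")
    lines.append("  check: does /etc/dirsrv/slapd-<instance>/pin.txt exist, and does "
                 "'certutil -d /etc/dirsrv/slapd-<instance> -K' prompt for a password?")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live system, read the instance's errors log (by default under
    # /var/log/dirsrv/slapd-<instance>/) instead of SAMPLE_LOG.
    result = find_locked_key_problem(parse_log(SAMPLE_LOG))
    print(describe(result) if result else "no locked-key problem found")
```

Running it against the constructed sample prints the certificate subject, the locked "Internal (Software) Token" slot and NSS error -8049, followed by the pin.txt / certutil -K check; the plugin errors are ignored because they only follow from the failed database start.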
On 11/25/2013 03:54 PM, Rich Megginson wrote:
Is there some reason you need to upgrade from the OS provided official RHEL 6.4 version of 389-ds-base to the non-OS provided version from the rmeggins epel6 repo?
Now I remember... there's no Windows sync in the RHEL package. We needed that in at least one of our deployments, and we want all of our deployments to be consistent.
The error message is saying that it cannot find your unlocked server SSL key. I am assuming this all worked before, and you have a pin.txt file and/or you have permanently unlocked your key/cert db.
We had the same problem at another site. It looks like all of our sites with third-party certificates -- those signed by a CA whose certificates we also had to add to the database -- are affected by the problem.
On 12/03/2013 03:11 PM, Gordon Messmer wrote:
On 11/25/2013 03:54 PM, Rich Megginson wrote:
Is there some reason you need to upgrade from the OS provided official RHEL 6.4 version of 389-ds-base to the non-OS provided version from the rmeggins epel6 repo?
Now I remember... there's no Windows sync in the RHEL package.
Yes, there is. Do you mean POSIX Windows Sync?
We needed that in at least one of our deployments, and we want all of our deployments to be consistent.
The error message is saying that it cannot find your unlocked server SSL key. I am assuming this all worked before, and you have a pin.txt file and/or you have permanently unlocked your key/cert db.
We had the same problem at another site. It looks like all of our sites with third-party certificates -- those signed by a CA whose certificates we also had to add to the database -- are affected by the problem.
Ok. The problem has been found and fixed - https://fedorahosted.org/389/ticket/47596 - the fix will be in the next 389-ds-base version.
We didn't test using an unlocked key/cert db.
On 12/03/2013 02:19 PM, Rich Megginson wrote:
On 12/03/2013 03:11 PM, Gordon Messmer wrote:
Now I remember... there's no Windows sync in the RHEL package.
Yes, there is. Do you mean POSIX Windows Sync?
I'm uncertain. You mentioned this in 2011: https://lists.fedoraproject.org/pipermail/389-users/2011-August/013462.html
Ok. The problem has been found and fixed - https://fedorahosted.org/389/ticket/47596 - the fix will be in the next 389-ds-base version.
Glad to hear it. Thanks, Rich!
On 12/03/2013 03:25 PM, Gordon Messmer wrote:
On 12/03/2013 02:19 PM, Rich Megginson wrote:
On 12/03/2013 03:11 PM, Gordon Messmer wrote:
Now I remember... there's no Windows sync in the RHEL package.
Yes, there is. Do you mean POSIX Windows Sync?
I'm uncertain. You mentioned this in 2011: https://lists.fedoraproject.org/pipermail/389-users/2011-August/013462.html
389-ds-base in EL6.4 supports winsync.
Ok. The problem has been found and fixed - https://fedorahosted.org/389/ticket/47596 - the fix will be in the next 389-ds-base version.
Glad to hear it. Thanks, Rich!