with installed

    /usr/sbin/ns-slapd -v
        389 Project
        389-Directory/1.4.3.12 B2020.213.0000

running instancename == 'sso'

    systemctl status dirsrv@sso.service -ln0
        ● dirsrv@sso.service - 389 Directory Server sso.
           Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
          Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
                   └─custom.conf
                   /etc/systemd/system/dirsrv@sso.service.d
                   └─override.conf
           Active: active (running) since Thu 2020-08-27 16:11:16 PDT; 6min ago
          Process: 24861 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-sso/dse.ldif (code=exited, status=0/SUCCESS)
         Main PID: 24866 (ns-slapd)
           Status: "slapd started: Ready to process requests"
            Tasks: 25 (limit: 9500)
           Memory: 50.7M
              CPU: 2.832s
           CGroup: /system.slice/system-dirsrv.slice/dirsrv@sso.service
                   └─24866 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-sso -i /run/dirsrv/slapd-sso.pid

    dsctl sso status
        Instance "sso" is running
checking _supported_ ciphers

    dsconf -D "cn=ds" sso security ciphers list --supported | grep -i cha
        TLS_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
setting initial security

    dsconf -D "cn=ds" sso security set \
        --security on \
        --listen-host ldap.example.com \
        --secure-port 636 \
        --tls-protocol-min 1.2 \
        --allow-insecure-ciphers off \
        --allow-weak-dh-param off \
        --cipher-pref "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
stopping server

    dsctl sso stop

importing CA, OK

    dsctl sso tls import-ca \
        /src/ssl/myCA.CHAIN.crt.pem \
        ldap.sso.CA.crt

importing cert/key, OK

    dsctl sso tls import-server-key-cert \
        /src/ssl/ldap.server.EC.crt \
        /src/ssl/ldap.server.EC.key

importing client-CA, **FAILS**

    dsctl sso tls import-client-ca \
        /src/ssl/myCA.CHAIN.crt.pem \
        ldap.sso.clientCA.crt
        Error: Command '['/usr/bin/certutil', '-M', '-d', '/etc/dirsrv/slapd-sso', '-n', 'ldap.sso.clientCA.crt', '-t', 'T,,', '-f', '/etc/dirsrv/slapd-sso/pwdfile.txt']' returned non-zero exit status 255.
restarting server

    dsctl sso start

checking _enabled_ ciphers

    dsconf -D "cn=ds" sso security ciphers list --enabled
        TLS_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

*2* certs are listed,

    dsconf -D "cn=ds" sso security certificate list
        Certificate Name: ldap.sso.CA.crt
        Subject DN: E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
        Issuer DN: CN=myCA_ROOT,E=ssl@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com
        Expires: 2027-06-02 21:41:51
        Trust Flags: ,,

        Certificate Name: Server-Cert
        Subject DN: E=ssl@example.com,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
        Issuer DN: E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
        Expires: 2030-08-25 00:50:38
        Trust Flags: u,u,u

only one should be listed 'just' as a cert,
    dsctl sso tls show-server-cert
        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number: 4666 (0x123a)
                Signature Algorithm: X9.62 ECDSA signature with SHA256
                Issuer: "E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US"
                Validity:
                    Not Before: Thu Aug 27 00:50:38 2020
                    Not After : Sun Aug 25 00:50:38 2030
                Subject: "E=ssl@example.com,CN=ldap.example.com,OU=presence-group.net_CA,O=example.com,L=city,ST=CA,C=US"
                Subject Public Key Info:
                    Public Key Algorithm: X9.62 elliptic curve public key
                        Args:
                            06:05:2b:81:04:00:22
                    EC Public Key:
                        PublicValue:
                            04:...:3c
                        Curve: SECG elliptic curve secp384r1 (aka NIST P-384)
                Signed Extensions:
                    Name: Certificate Basic Constraints
                    Data: Is not a CA.

                    Name: Certificate Type
                    Data: <SSL Server>

                    Name: Certificate Comment
                    Comment: "example.com SERVER Certificate"

                    Name: Certificate Subject Key ID
                    Data:
                        ea:...:78

                    Name: Certificate Authority Key Identifier
                    Key ID:
                        d0:...:cd
                    Issuer:
                        Directory Name: "CN=myCA_ROOT,E=ssl@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com"
                    Serial Number: 4096 (0x1000)

                    Name: Certificate Key Usage
                    Critical: True
                    Usages: Digital Signature

                    Name: Extended Key Usage
                        TLS Web Server Authentication Certificate

                    Name: Certificate Subject Alt Name
                    DNS name: "ldap.example.com"
                    DNS name: "www.ldap.example.com"
                    DNS name: "localhost"

            Signature Algorithm: X9.62 ECDSA signature with SHA256
            Signature:
                30:...:67
            Fingerprint (SHA-256):
                22:...:18
            Fingerprint (SHA1):
                52:...:E3

            Mozilla-CA-Policy: false (attribute missing)
            Certificate Trust Flags:
                SSL Flags:
                    User
                Email Flags:
                    User
                Object Signing Flags:
                    User
the other is the ca cert. but ca list reports empty with dsconf

    dsconf -D "cn=ds" sso security ca-certificate list
        (empty)

as do both of dsctl tls queries

    dsctl sso tls list-ca
        (empty)

    dsctl sso tls list-client-ca
        (empty)
389-users@lists.fedoraproject.org
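An added check, not part of the post above and not lib389's own code, that audits the NSS certificate database after an import sequence like the one described. It parses the listing that `certutil -L -d <instance dir>` prints (nickname, then the three-part "SSL,S/MIME,JAR/XPI" trust attributes) and reports entries whose SSL trust field carries none of C, T or u, that is, certificates present in the DB but neither trusted as a CA nor backed by a private key; in NSS an entry with empty flags such as ",," is not trusted for anything. The listing embedded in the script is constructed to mirror the trust flags shown by `dsconf ... certificate list` in the post (",," for ldap.sso.CA.crt, "u,u,u" for Server-Cert); it is not captured output. The instance directory /etc/dirsrv/slapd-sso in the usage comment is taken from the post, and running certutil against it is assumed to need the same password file the error message names.

```shell
#!/bin/sh
# Audit NSS trust flags of a 389 DS instance's certificate DB.
# Input format (as printed by `certutil -L -d <dir>`): two header lines,
# a blank line, then one cert per line: nickname, whitespace, "SSL,S/MIME,JAR/XPI".

# Constructed sample listing (hypothetical; mirrors the trust flags the
# dsconf output above reports, it is not captured from the original post).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ldap.sso.CA.crt                                              ,,
Server-Cert                                                  u,u,u'

# untrusted_certs: read a certutil -L listing on stdin, print one nickname
# per line for every entry whose SSL trust field has no C, T or u flag.
untrusted_certs() {
    awk '
        NR <= 2 || NF == 0 { next }          # skip headers and blank lines
        {
            split($NF, f, ",")               # f[1] = SSL trust field
            if (f[1] !~ /[CTu]/) {
                sub(/[ \t]+[^ \t]*$/, "", $0) # drop the trailing flags field
                print $0                     # what remains is the nickname
            }
        }'
}

# ca_certs: read a certutil -L listing on stdin, print the nicknames whose
# SSL trust field marks them as a trusted CA (C or T flag present).
ca_certs() {
    awk '
        NR <= 2 || NF == 0 { next }
        {
            split($NF, f, ",")
            if (f[1] ~ /[CT]/) {
                sub(/[ \t]+[^ \t]*$/, "", $0)
                print $0
            }
        }'
}

# audit_sample: run the untrusted-entry check over the constructed listing.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | untrusted_certs
}

# Live usage (assumption: instance dir and password file as in the post):
#   certutil -L -d /etc/dirsrv/slapd-sso -f /etc/dirsrv/slapd-sso/pwdfile.txt | untrusted_certs
# Expected on the sample: ldap.sso.CA.crt
audit_sample
```

An entry reported by `untrusted_certs` that is meant to act as a CA is the thing to look at first: the certutil `-M ... -t` form that appears in the post's error message is the NSS way of setting those flags, and `ca_certs` will list the entry once its SSL field carries C or T.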