inconsistent results & FAILs with dsconf/dsctl cert imports & queries - 389-users - Fedora mailing-lists

27 Aug 2020


      with installed
/usr/sbin/ns-slapd  -v
    	389 Project
    	389-Directory/1.4.3.12 B2020.213.0000
running instancename == 'sso'
systemctl status dirsrv@sso.service -ln0
    	● dirsrv@sso.service - 389 Directory Server sso.
    	     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
    	    Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
    	             └─custom.conf
    	             /etc/systemd/system/dirsrv@sso.service.d
    	             └─override.conf
    	     Active: active (running) since Thu 2020-08-27 16:11:16 PDT; 6min ago
    	    Process: 24861 ExecStartPre=/usr/libexec/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-sso/dse.ldif (code=exited, status=0/SUCCESS)
    	   Main PID: 24866 (ns-slapd)
    	     Status: "slapd started: Ready to process requests"
    	      Tasks: 25 (limit: 9500)
    	     Memory: 50.7M
    	        CPU: 2.832s
    	     CGroup: /system.slice/system-dirsrv.slice/dirsrv@sso.service
    	             └─24866 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-sso -i /run/dirsrv/slapd-sso.pid
dsctl sso status
    	Instance "sso" is running
checking _supported_ ciphers
dsconf -D "cn=ds" sso security ciphers list --supported | grep -i cha
    	TLS_CHACHA20_POLY1305_SHA256
    	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
setting initial security
dsconf -D "cn=ds" sso security set \
     --security on \
     --listen-host ldap.example.com \
     --secure-port 636 \
     --tls-protocol-min 1.2 \
     --allow-insecure-ciphers off \
     --allow-weak-dh-param off \
     --cipher-pref "+TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
stopping server
dsctl sso stop
importing CA, OK
dsctl sso tls import-ca \
     /src/ssl/myCA.CHAIN.crt.pem \
     ldap.sso.CA.crt
importing cert/key, OK
dsctl sso tls import-server-key-cert \
     /src/ssl/ldap.server.EC.crt \
     /src/ssl/ldap.server.EC.key
importing client-CA, **FAILS**
dsctl sso tls import-client-ca \
     /src/ssl/myCA.CHAIN.crt.pem \
     ldap.sso.clientCA.crt
Error: Command '['/usr/bin/certutil', '-M', '-d', '/etc/dirsrv/slapd-sso', '-n', 'ldap.sso.clientCA.crt', '-t', 'T,,', '-f', '/etc/dirsrv/slapd-sso/pwdfile.txt']' returned non-zero exit status 255.
restarting server
dsctl sso start
checking _enabled_ ciphers
dsconf -D "cn=ds" sso security ciphers list --enabled
    	TLS_CHACHA20_POLY1305_SHA256
    	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
*2* certs are listed,
dsconf -D "cn=ds" sso security certificate list
    	Certificate Name: ldap.sso.CA.crt
    	Subject DN: E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
    	Issuer DN: CN=myCA_ROOT,E=ssl@example.com,C=US,ST=CA,L=city,OU=myCA,O=example.com
    	Expires: 2027-06-02 21:41:51
    	Trust Flags: ,,
Certificate Name: Server-Cert
    	Subject DN: E=ssl@example.com,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
    	Issuer DN: E=ssl@example.com,CN=myCA_INTERMEDIATE,OU=myCA,O=example.com,ST=CA,C=US
    	Expires: 2030-08-25 00:50:38
    	Trust Flags: u,u,u
only one should be listed 'just' as a cert,
dsctl sso tls show-server-cert
    	Certificate:
    	    Data:
    	        Version: 3 (0x2)
    	        Serial Number: 4666 (0x123a)
    	        Signature Algorithm: X9.62 ECDSA signature with SHA256
    	        Issuer: "E=ssl@example.com,CN=myCA_INTER
    	            MEDIATE,OU=myCA,O=example.com,ST=CA,C=US"
    	        Validity:
    	            Not Before: Thu Aug 27 00:50:38 2020
    	            Not After : Sun Aug 25 00:50:38 2030
    	        Subject: "E=ssl@example.com,CN=ldap.example.com,OU=pr
    	            esence-group.net_CA,O=example.com,L=city,ST=CA,C=
    	            US"
    	        Subject Public Key Info:
    	            Public Key Algorithm: X9.62 elliptic curve public key
    	                Args:
    	                    06:05:2b:81:04:00:22
    	            EC Public Key:
    	                PublicValue:
    	                    04:...:3c
    	                Curve: SECG elliptic curve secp384r1 (aka NIST P-384)
    	        Signed Extensions:
    	            Name: Certificate Basic Constraints
    	            Data: Is not a CA.
Name: Certificate Type
    	            Data: <SSL Server>
Name: Certificate Comment
    	            Comment: "example.com SERVER Certificate"
Name: Certificate Subject Key ID
    	            Data:
    	                ea:...:78
Name: Certificate Authority Key Identifier
    	            Key ID:
    	                d0:...:cd
    	            Issuer: 
    	                Directory Name: "CN=myCA_ROOT,E=ssl@exa
    	                    mple.com,C=US,ST=CA,L=city,OU=my
    	                    CA,O=example.com"
    	            Serial Number: 4096 (0x1000)
Name: Certificate Key Usage
    	            Critical: True
    	            Usages: Digital Signature
Name: Extended Key Usage
    	                TLS Web Server Authentication Certificate
Name: Certificate Subject Alt Name
    	            DNS name: "ldap.example.com"
    	            DNS name: "www.ldap.example.com"
    	            DNS name: "localhost"
Signature Algorithm: X9.62 ECDSA signature with SHA256
    	    Signature:
    	        30:...:67
    	    Fingerprint (SHA-256):
    	        22:...:18
    	    Fingerprint (SHA1):
    	        52:...:E3
Mozilla-CA-Policy: false (attribute missing)
    	    Certificate Trust Flags:
    	        SSL Flags:
    	            User
    	        Email Flags:
    	            User
    	        Object Signing Flags:
    	            User
the other is the ca cert. but ca list reports empty with dsconf
dsconf -D "cn=ds" sso security ca-certificate list
    	(empty)
as do both of dsctl tls queries
dsctl sso tls list-ca
    	(empty)
dsctl sso tls list-client-ca
    	(empty)