i've installed
ns-slapd -v
389 Project
389-Directory/1.4.3.12 B2020.213.0000
on
grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
a server instance is up
dsctl testinst status
Instance "testinst" is running
i check for cipher support
dsconf -D "cn=Directory Manager" testinst security ciphers list --supported | grep -i cha
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
setup security, enabling those ciphers
dsconf -D "cn=Directory Manager" testinst security set \
  --security on \
  --listen-host ldap.testinst.example.com \
  --secure-port 636 \
  --tls-protocol-min 3.3 \
  --allow-insecure-ciphers off \
  --allow-weak-dh-param off \
  --cipher-pref +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

dsconf -D "cn=Directory Manager" testinst security ciphers list
+TLS_CHACHA20_POLY1305_SHA256
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
bundle my EC cert & key into a pkcs12
openssl pkcs12 -export \
  -in testinst.server.EC.crt \
  -inkey testinst.server.EC.key \
  -out testinst.server.EC.p12 \
  -name Server-Cert
verify it
openssl pkcs12 -info -in testinst.server.EC.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 52 ... E3
    friendlyName: Server-Cert
subject=...
-----BEGIN CERTIFICATE-----
MII...dBn
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 52 ... E3
    friendlyName: Server-Cert
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MII...6Fa
-----END ENCRYPTED PRIVATE KEY-----
add my CA cert
dsconf -D "cn=Directory Manager" testinst security ca-certificate add \
  --file /src/ssl/myCA.chain.crt \
  --name myCA.chain.crt
and, finally, attempt to add my just-created .p12
dsconf -D "cn=Directory Manager" testinst security certificate add \
  --file /src/ssl/testinst.server.EC.p12 \
  --name ldap.testinst.server.p12 \
  --primary-cert
the attempt FAILs,
Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.
manually exec'ing that^ failed cmd
/usr/bin/certutil \
  -A \
  -d /etc/dirsrv/slapd-testinst/certs \
  -n ldap.testinst.server.p12 \
  -t,, \
  -i /src/ssl/testinst.server.EC.p12 \
  -a \
  -f /etc/dirsrv/slapd-testinst/certs/pwdfile.txt
returns
certutil: could not decode certificate: SEC_ERROR_INPUT_LEN: security library has experienced an input length error.
my cert/key are good, .p12 verification passes ... I'm not sure which 'security library' is being referenced here.
what's the cause of the problem here?
my usage? 389ds capabilities/support?
On 8/27/20 1:17 PM, PGNet Dev wrote:
A few things here. The server's security/certificate directory is typically /etc/dirsrv/slapd-INSTANCE, so that is what you should use with the "-d" option with certutil. You listed a subdirectory which is probably not correct and SELinux might not like it. Use the same value for "-d" that is returned by this command:
# dsconf INSTANCE config get nsslapd-certdir
---> if you use the instance name (INSTANCE) then dsconf uses LDAPI to authenticate if you are root (little easier to type)
# dsconf testinst config get nsslapd-certdir
Also the SSL min version should be 1.1, 1.2, or 1.3, yours is set to 3.3 (definitely not valid - it is probably generating an error in the logs, but unrelated to the current problem).
HTH,
Mark
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
hi
On 8/27/20 10:32 AM, Mark Reynolds wrote:
A few things here. The server's securtity/certificate directory is typically /etc/dirsrv/slapd-INSTANCE
mine's
grep nsslapd-certdir /etc/dirsrv/slapd-testinst/dse.ldif
nsslapd-certdir: /etc/dirsrv/slapd-testinst/certs
config'd at dscreate/init time
testinst.inf
cert_dir = etc/dirsrv/slapd-{instance_name}/certs

tree /etc/dirsrv/slapd-testinst/certs
/etc/dirsrv/slapd-testinst/certs
├── cert9.db
├── key4.db
├── noise.txt
├── pin.txt
├── pkcs11.txt
└── pwdfile.txt
so it's, here, at least what was intended
so that is what you should use with the "-d" option with certutil.
point is *I* did not 'create' that `certutil ...` cmd line
that's what's returned when I exec
dsconf -D "cn=Directory Manager" testinst security certificate add \
  --file /src/ssl/testinst.server.EC.p12 \
  --name ldap.testinst.server.p12 \
  --primary-cert
iiuc (??), that^^ _should_ source the 'file' from fullpath, and ADD it to the config'd cert-dir, i.e.,
etc/dirsrv/slapd-{instance_name}/certs
Use the same value for "-d" that is returned by this command:
and that _does_ appear to be the case
/usr/bin/certutil \ -A \ -d /etc/dirsrv/slapd-testinst/certs \
...
so it's using the config I provided.
is there a problem with the _provided_ config?
You listed a subdirectory which is probably not correct and SELinux might not like it
selinux is disabled
getenforce
Disabled
sestatus
SELinux status: disabled
Also the SSL min version should be 1.1, 1.2, or 1.3, yours is set to 3.3 (definitely not valid - it is probably generating an error in the logs, but unrelated to the current problem).
I'd gotten that from https://access.redhat.com/articles/1474813
Protocols Raw olcTLSProtocolMin: 3.3
and
https://man7.org/linux/man-pages/man5/slapd-config.5.html
olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, the SSL handshake will fail. To require TLS 1.x or higher, set this option to 3.(x+1), e.g., olcTLSProtocolMin: 3.2 would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This directive is ignored with GnuTLS.
which is, admittedly, openldap-centric. since thorough (change) docs have been challenging to find on this ... I'd assumed some consistency 'tween implementations.
seems not! so, for 389ds, pebkac!
1st, switching that to == 1.2, so
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL3Ciphers: +TLS_CHACHA20_POLY1305_SHA256,+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
modifiersName: cn=directory manager
modifyTimestamp: 20200827175342Z
sslVersionMin: 1.2
...
, then restarting the instance
unfortunately makes no difference.
on exec
dsconf -D "cn=Directory Manager" testinst security certificate add \
  --file /src/ssl/testinst.server.EC.p12 \
  --name ldap.testinst.server.p12 \
  --primary-cert
still FAILs, returning as above,
Error: Command '['/usr/bin/certutil', '-A', '-d', '/etc/dirsrv/slapd-testinst/certs', '-n', 'ldap.testinst.server.p12', '-t', ',,', '-i', '/src/ssl/testinst.server.EC.p12', '-a', '-f', '/etc/dirsrv/slapd-testinst/certs/pwdfile.txt']' returned non-zero exit status 255.
still missing _something_ :-/
PGNet Dev wrote:
I'm no expert but it looks to me like it is expecting a certificate, not a PKCS#12 file. The man page isn't exactly clear on what types are acceptable but based on the certutil error it looks like it only accepts PEM files. It isn't at all clear to me how one passes in the private key or a chain of trust.
rob
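Rob's reading above (certutil -A with -a wants a PEM certificate, so a binary PKCS#12 bundle is the wrong input and trips SEC_ERROR_INPUT_LEN) can be turned into a pre-flight check on the file before it goes to any NSS tool. This is an added example, not 389ds or lib389 code; the byte strings in it are constructed DER headers, not real certificates, and the hints name the certutil/pk12util usages the linked howto talks about.

```python
"""Classify a certificate input file before handing it to an NSS CLI tool.

Added example, not 389ds/lib389 code.  `certutil -A ... -a` expects a PEM
("ASCII") certificate; a PKCS#12 bundle is binary DER, so feeding it to that
command is what yields SEC_ERROR_INPUT_LEN.  pk12util is the NSS tool that
consumes PKCS#12.  Sample byte strings below are constructed headers only.
"""
import re
from typing import Optional, Tuple

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----")
PEM_KEY = re.compile(rb"-----BEGIN (?:ENCRYPTED |EC |RSA )?PRIVATE KEY-----")


def der_header(data: bytes, offset: int = 0) -> Optional[Tuple[int, int, int]]:
    """Parse one DER tag/length; return (tag, length, content_offset) or None."""
    if len(data) < offset + 2:
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short-form length
        return tag, first, offset + 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < offset + 2 + n:
        return None
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return tag, length, offset + 2 + n


def classify_cert_input(data: bytes) -> str:
    """Return 'pem-cert', 'pem-key', 'der-cert', 'pkcs12' or 'unknown'."""
    if PEM_CERT.search(data):
        return "pem-cert"
    if PEM_KEY.search(data):
        return "pem-key"
    outer = der_header(data)
    if outer is None or outer[0] != 0x30:          # both formats open with SEQUENCE
        return "unknown"
    inner = der_header(data, outer[2])
    if inner is None:
        return "unknown"
    tag, length, content = inner
    # PKCS#12: PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
    if tag == 0x02 and length == 1 and data[content:content + 1] == b"\x03":
        return "pkcs12"
    # X.509: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    if tag == 0x30:
        return "der-cert"
    return "unknown"


def import_hint(kind: str) -> str:
    """Which NSS tool and flag match the detected input."""
    hints = {
        "pem-cert": "certutil -A -a: PEM accepted, imports the certificate only",
        "der-cert": "certutil -A without -a: binary DER certificate",
        "pkcs12": "pk12util -i FILE -d CERTDIR: certificate plus private key bundle",
        "pem-key": "a private key, not a certificate; certutil -A will reject it",
    }
    return hints.get(kind, "unrecognised input; check the file before retrying")


# Constructed samples (headers only; truncated, not loadable certificates)
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
P12_SAMPLE = b"\x30\x82\x0a\x1b\x02\x01\x03\x30\x82\x09\xe1\x06\x09"       # SEQ, INT 3, SEQ
DER_CERT_SAMPLE = b"\x30\x82\x03\x2c\x30\x82\x02\x14\xa0\x03\x02\x01\x02"  # SEQ, SEQ (tbs)

if __name__ == "__main__":
    for name, blob in (("pem", PEM_SAMPLE), ("p12", P12_SAMPLE), ("der", DER_CERT_SAMPLE)):
        kind = classify_cert_input(blob)
        print(f"{name}: {kind} -> {import_hint(kind)}")
```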
I'm no expert but it looks to me like it is expecting a certificate, not a PKCS#12 file. The man page isn't exactly clear on what types are acceptable but based on the certutil error it looks like it only accepts PEM files. It isn't at all clear to me how one passes in the private key or a chain of trust.
this
https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl-archive.html#...
flops back-n-forth 'tween 'pk12util' & 'certutil usage, and manages to completely avoid any mention of dsconf (which appears to use certutil), so ...
... i'll join the confusion!
that said, it _seems_ clear that the .p12 _is_ needed, since there's no other key input mechanism.
it'd certainly be easier if dsconf simply allowed spec'n of
ca_cert cert key
in pem formats without the p12 'hoops' ...
On 8/27/20 2:18 PM, PGNet Dev wrote:
this
https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl-archive.html#...
This is the old "archived" link - it is definitely outdated. Here's a newer one:
https://www.port389.org/docs/389ds/howto/howto-ssl.html
Or better yet check out the official docs which tells you how to use dsconf and set all of this up:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
HTH, Mark
On 8/27/20 11:27 AM, Mark Reynolds wrote:
This is the old "archived" link - it is definitely outdated. Here's a newer one:
https://www.port389.org/docs/389ds/howto/howto-ssl.html
Or better yet check out the official docs which tells you how to use dsconf and set all of this up:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
for future reference, _which_ is the "official/current documentation" site for Fedora-pkg'd 389ds?
https://access.redhat.com/documentation/en-us/red_hat_directory_server
https://directory.fedoraproject.org/docs/389ds
or
https://www.port389.org/docs/389ds
?
per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
"This section describes how to import both a private key and Certificate Signing Request (CSR), if you did not create them in the NSS database using an external tool."
which _is_ my case (though, i think "import ... Certificate Signing Request (CSR)" is a typo here)
so NOT dsconf either ... but dsctl.
checking,
dsctl testinst tls import-server-key-cert -h
usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

positional arguments:
  cert_path   The path to the x509 cert to import as Server-Cert
  key_path    The path to the x509 key to import associated to Server-Cert

optional arguments:
  -h, --help  show this help message and exit
exec
dsctl testinst tls import-server-key-cert \
  /etc/ssl/ldap.testinst.server.crt.pem \
  /etc/ssl/ldap.testinst.server.key.pem
_appears_ 'happy' to add the server cert, with no error returned
verifying
cat des.ldif
....
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: ldap.testinst.server.p12
nsSSLActivation: on
nsSSLToken: internal (software)
modifiersName: cn=directory manager
modifyTimestamp: 20200827175643Z
...
but per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
"Display the name of the server certificate in the NSS database: "
checking
dsctl testinst restart
dsconf -D "cn=Directory Manager" testinst security certificate list
returns
(empty)
where'd it go?
checking
tree /usr/local/etc/dirsrv/slapd-testinst/
/usr/local/etc/dirsrv/slapd-testinst/
├── cert9.db
├── certmap.conf
├── certs
??? │   ├── cert9.db
??? │   ├── key4.db
    │   ├── noise.txt
    │   ├── pin.txt
??? │   ├── pkcs11.txt
    │   └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── key4.db
├── pkcs11.txt
├── schema
│   └── 99user.ldif
└── slapd-collations.conf
it appears to have _ignored_ my instance's cert_dir spec'n
nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs
if I manually
cd /usr/local/etc/dirsrv/slapd-testinst/
mv -f cert9.db key4.db pkcs11.txt certs/
NOW,
dsconf -D "cn=Directory Manager" testinst security certificate list
correctly sees/lists the cert
Certificate Name: Server-Cert
Subject DN: ...
the instance-specific
dsctl testinst tls import-server-key-cert
_should_ respect the instance config, no?
On 8/27/20 3:10 PM, PGNet Dev wrote:
so NOT dsconf either ... but dsctl.
You can do it with dsconf, see: "dsconf INST security --help", and "dsconf INST security certificate --help"
_should_ respect the instance config, no?
If you had to copy the cert and key files into /certs for it to work then there is a bug in the server (or maybe the CLI) when it is creating the NSS database. What is in the errors log? At server startup it logs a lot of information about the security configuration. It would be great to see this logging as it could help narrow down the problem.
Thanks,
Mark
On 8/27/20 12:23 PM, Mark Reynolds wrote:
https://access.redhat.com/documentation/en-us/red_hat_directory_server
^^^ This is the official documentation
noted, thx.
i'm pretty sure I came across something/somewhere recently that explicitly stated red_hat_directory_server != fedora directory server.
hence the confusion.
so NOT dsconf either ... but dsctl.
You can do it with dsconf, see: "dsconf INST security --help", and "dsconf INST security certificate --help"
ok, confused more now. that's where I _started_ (up there^), and failed.
_should_ respect the instance config, no?
If you had to copy the cert and key files into /certs for it to work then there is a bug in the server(or maybe the CLI) when it is creating the NSS database. What is in the errors log? At server startup it logs a lot of information about the security configuration. It would be great to see this logging as it could help narrow down the problem.
dsctl testinst stop
rm -f /var/log/dirsrv/slapd-testinst/*
rm -f /etc/dirsrv/slapd-testinst/certs/{cert9.db,key4.db,pkcs11.txt}

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
/etc/dirsrv/slapd-testinst
├── certmap.conf
├── certs
│   ├── noise.txt
│   ├── pin.txt
│   └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── schema
│   └── 99user.ldif
└── slapd-collations.conf
2 directories, 12 files
dsctl testinst tls import-server-key-cert \
  /etc/ssl/testinst.server.EC.crt.pem \
  /etc/ssl/testinst.server.EC.key.pem

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
/etc/dirsrv/slapd-testinst
├── cert9.db
├── certmap.conf
├── certs
│   ├── noise.txt
│   ├── pin.txt
│   └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── key4.db
├── pkcs11.txt
├── schema
│   └── 99user.ldif
└── slapd-collations.conf
dsctl testinst start
journalctl -f -u dirsrv@testinst.service

Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.429465758 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.431266675 -0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.469911561 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470543103 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.470988905 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed. Disabling SSL.
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471534047 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
Aug 27 12:49:14 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:14.471982899 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.281841989 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285150261 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.285636673 -0700] - NOTICE - ldbm_back_start - found 5759888k available
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286082825 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.286526296 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
Aug 27 12:49:15 svr001 ns-slapd[11055]: [27/Aug/2020:12:49:15.362425203 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
├── access
├── access.rotationinfo
├── audit
├── audit.rotationinfo
├── errors
└── errors.rotationinfo
/etc/dirsrv/slapd-testinst
├── cert9.db
├── certmap.conf
├── certs
│   ├── cert9.db
│   ├── key4.db
│   ├── noise.txt
│   ├── pin.txt
│   ├── pkcs11.txt
│   └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── key4.db
├── pkcs11.txt
├── schema
│   └── 99user.ldif
└── slapd-collations.conf

cat /var/log/dirsrv/slapd-testinst/errors
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)

[27/Aug/2020:12:49:14.430826073 -0700] - CRIT - Security Initialization - warn_if_no_cert_file - Certificate DB file cert8.db nor cert9.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.431281245 -0700] - CRIT - Security Initialization - warn_if_no_key_file - Key DB file key3.db nor key4.db exists in [/etc/dirsrv/slapd-testinst/certs] - SSL initialization will likely fail
[27/Aug/2020:12:49:14.469940641 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[27/Aug/2020:12:49:14.470559053 -0700] - ERR - Security Initialization - slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[27/Aug/2020:12:49:14.471001315 -0700] - ERR - force_to_disable_security - ERROR: SSL Initialization Failed. Disabling SSL.
[27/Aug/2020:12:49:14.471547467 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
[27/Aug/2020:12:49:14.471993239 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
[27/Aug/2020:12:49:15.281878669 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[27/Aug/2020:12:49:15.285170541 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
[27/Aug/2020:12:49:15.285646883 -0700] - NOTICE - ldbm_back_start - found 5759888k available
[27/Aug/2020:12:49:15.286093875 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
[27/Aug/2020:12:49:15.286536256 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
[27/Aug/2020:12:49:15.362452333 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
dsconf -D "cn=Directory Manager" testinst security certificate list
(empty)

dsctl testinst stop
mv -f \
  /etc/dirsrv/slapd-testinst/{cert9.db,key4.db,pkcs11.txt} \
  /etc/dirsrv/slapd-testinst/certs/

tree /var/log/dirsrv/slapd-testinst /etc/dirsrv/slapd-testinst
/var/log/dirsrv/slapd-testinst
├── access
├── access.rotationinfo
├── audit
├── audit.rotationinfo
├── errors
└── errors.rotationinfo
/etc/dirsrv/slapd-testinst
├── certmap.conf
├── certs
│   ├── cert9.db
│   ├── key4.db
│   ├── noise.txt
│   ├── pin.txt
│   ├── pkcs11.txt
│   └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── schema
│   └── 99user.ldif
└── slapd-collations.conf

dsctl testinst start
Instance "testinst" has been started
journalctl -f -u dirsrv@testinst.service
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.528433965 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531337496 -0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.531922688 -0700] - ERR - slapd_extract_key - Unable to export encrypted private key (-8187, 0).
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533254283 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.533823726 -0700] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.534399188 -0700] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.535590322 -0700] - WARN - Security Initialization - SSL alert: Can't find certificate (ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536136904 -0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.536679436 -0700] - ERR - Security Initialization - SSL failure: None of the cipher are valid
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537202738 -0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed. Disabling SSL2.
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.537840071 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
Aug 27 12:55:23 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:23.538396543 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.347878231 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.351455605 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.352434269 -0700] - NOTICE - ldbm_back_start - found 5795920k available
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.353173411 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.356305113 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
Aug 27 12:55:24 svr001 ns-slapd[11644]: [27/Aug/2020:12:55:24.433760066 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
cat errors
389-Directory/1.4.3.12 B2020.213.0000
ldap.example.com:636 (/etc/dirsrv/slapd-testinst)

[27/Aug/2020:12:55:23.530261492 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[27/Aug/2020:12:55:23.531454427 -0700] - ERR - extractRSAKeysAndSubject - Failed extract cert with ldap.testinst.server.p12, (0-no error, 0).
[27/Aug/2020:12:55:23.532011549 -0700] - ERR - slapd_extract_key - Unable to export encrypted private key (-8187, 0).
[27/Aug/2020:12:55:23.533352904 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[27/Aug/2020:12:55:23.533914446 -0700] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[27/Aug/2020:12:55:23.534495768 -0700] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[27/Aug/2020:12:55:23.535685673 -0700] - WARN - Security Initialization - SSL alert: Can't find certificate (ldap.testinst.server.p12) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
[27/Aug/2020:12:55:23.536229615 -0700] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert ldap.testinst.server.p12 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -5978 - Network file descriptor is not connected.)
[27/Aug/2020:12:55:23.536760917 -0700] - ERR - Security Initialization - SSL failure: None of the cipher are valid
[27/Aug/2020:12:55:23.537284429 -0700] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed. Disabling SSL2.
[27/Aug/2020:12:55:23.537932561 -0700] - INFO - main - 389-Directory/1.4.3.12 B2020.213.0000 starting up
[27/Aug/2020:12:55:23.538492173 -0700] - INFO - main - Setting the maximum file descriptor limit to: 524288
[27/Aug/2020:12:55:24.348152922 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds
[27/Aug/2020:12:55:24.351606535 -0700] - NOTICE - ldbm_back_start - found 8143628k physical memory
[27/Aug/2020:12:55:24.352537329 -0700] - NOTICE - ldbm_back_start - found 5795920k available
[27/Aug/2020:12:55:24.353271032 -0700] - NOTICE - ldbm_back_start - cache autosizing: db cache: 508976k
[27/Aug/2020:12:55:24.356407814 -0700] - NOTICE - ldbm_back_start - total cache size: 416953753 B;
[27/Aug/2020:12:55:24.433999217 -0700] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
dsconf -D "cn=Directory Manager" testinst security certificate list
Certificate Name: Server-Cert
Subject DN: E=ssl@example.com,CN=ldap.example.com,OU=myCA,O=example.com,L=city,ST=CA,C=US
Issuer DN: E=ssl@example.com,CN=myCA_INT,OU=myCA,O=example.com,ST=CA,C=US
Expires: 2030-08-25 00:50:38
Trust Flags: u,u,u
On 8/27/20 3:10 PM, PGNet Dev wrote:
On 8/27/20 11:27 AM, Mark Reynolds wrote:
This is the old "archived" link - it is definitely outdated. Here's a newer one:
https://www.port389.org/docs/389ds/howto/howto-ssl.html
Or better yet check out the official docs which tells you how to use dsconf and set all of this up:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
for future reference, _which_ is the "official/current documentation" site for Fedora-pkg'd 389ds?
https://access.redhat.com/documentation/en-us/red_hat_directory_server
^^^ This is the official documentation
This is our wiki, it's the same as port389.org - it's an alias
or
This is the link we encourage people to use, but it's the same thing as directory.fedoraproject.org
Mark
?
per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
"This section describes how to import both a private key and Certificate Signing Request (CSR), if you did not create them in the NSS database using an external tool."
which _is_ my case (though, i think "import ... Certificate Signing Request (CSR)" is a typo here)
so NOT dsconf either ... but dsctl.
checking,
dsctl testinst tls import-server-key-cert -h
usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

positional arguments:
  cert_path   The path to the x509 cert to import as Server-Cert
  key_path    The path to the x509 key to import associated to Server-Cert

optional arguments:
  -h, --help  show this help message and exit
exec
dsctl testinst tls import-server-key-cert \
  /etc/ssl/ldap.testinst.server.crt.pem \
  /etc/ssl/ldap.testinst.server.key.pem
_appears_ 'happy' to add the server cert, with no error returned
verifying
cat dse.ldif
....
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: ldap.testinst.server.p12
nsSSLActivation: on
nsSSLToken: internal (software)
modifiersName: cn=directory manager
modifyTimestamp: 20200827175643Z
...
but per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht... "Display the name of the server certificate in the NSS database: "
checking
dsctl testinst restart
dsconf -D "cn=Directory Manager" testinst security certificate list
returns
(empty)
where'd it go?
checking
tree /usr/local/etc/dirsrv/slapd-testinst/
/usr/local/etc/dirsrv/slapd-testinst/
├── cert9.db
├── certmap.conf
├── certs
???  │   ├── cert9.db
???  │   ├── key4.db
     │   ├── noise.txt
     │   ├── pin.txt
???  │   ├── pkcs11.txt
     │   └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
├── key4.db
├── pkcs11.txt
├── schema
│   └── 99user.ldif
└── slapd-collations.conf
it appears to have _ignored_ my instance's cert_dir spec'n
nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs
if I manually
cd /usr/local/etc/dirsrv/slapd-testinst/
mv -f cert9.db key4.db pkcs11.txt certs/
NOW,
dsconf -D "cn=Directory Manager" testinst security certificate list
correctly sees/lists the cert
Certificate Name: Server-Cert Subject DN: ...
the instance-specific
dsctl testinst tls import-server-key-cert
_should_ respect the instance config, no?

389-users mailing list -- 389-users@lists.fedoraproject.org
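The two things the post ends up chasing are visible in its own output: the NSS database files (cert9.db, key4.db, pkcs11.txt) landed in the instance directory while nsslapd-certdir points at certs/, and the errors log shows ns-slapd looking up a certificate named ldap.testinst.server.p12 (the nsSSLPersonalitySSL value in dse.ldif) while the database lists the nickname Server-Cert. The script below is an added example, not code from the post or from the 389-ds project: it reads those two attributes out of a dse.ldif, checks that all three database files exist in the configured certdir, and reports a MISMATCH when a copy sits in the instance directory instead. The helper names (certdir_from_dse, personality_from_dse, check_certdir, demo_setup) are hypothetical, and the dse.ldif and empty database files it creates under a temp directory are constructed to reproduce the layout in the post.

```shell
#!/bin/sh
# Added example, not from the post or 389-ds. Helper names are hypothetical.
# Checks that an instance's NSS db files live where nsslapd-certdir says,
# and shows which certificate nickname the RSA encryption entry references.

# Print the value of nsslapd-certdir from a dse.ldif (first match only).
certdir_from_dse() {
    sed -n 's/^nsslapd-certdir: *//p' "$1" | head -n 1
}

# Print nsSSLPersonalitySSL: the nickname ns-slapd will look up in the NSS db.
# It must match a nickname in the db (e.g. Server-Cert), not a file name.
personality_from_dse() {
    sed -n 's/^nsSSLPersonalitySSL: *//p' "$1" | head -n 1
}

# Return 0 when cert9.db, key4.db and pkcs11.txt all exist in the configured
# certdir; otherwise print one line per problem and return 1. A copy found in
# the instance directory instead of certdir is reported as a MISMATCH.
check_certdir() {
    inst="$1"
    certdir=$(certdir_from_dse "$inst/dse.ldif")
    if [ -z "$certdir" ]; then
        echo "ERROR: nsslapd-certdir not set in $inst/dse.ldif"
        return 1
    fi
    rc=0
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$certdir/$f" ]; then
            continue
        fi
        rc=1
        if [ -f "$inst/$f" ]; then
            echo "MISMATCH: $f is in $inst but not in configured certdir $certdir"
        else
            echo "MISSING: $f not found in $certdir"
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: NSS db files present in $certdir"
    return "$rc"
}

# Constructed sample reproducing the post's layout: the db files sit in the
# instance directory while nsslapd-certdir points at its certs/ subdirectory.
# Prints the constructed instance directory path.
demo_setup() {
    tmp=$(mktemp -d)
    inst="$tmp/slapd-testinst"
    mkdir -p "$inst/certs"
    {
        printf 'dn: cn=config\n'
        printf 'nsslapd-certdir: %s/certs\n\n' "$inst"
        printf 'dn: cn=RSA,cn=encryption,cn=config\n'
        printf 'nsSSLPersonalitySSL: ldap.testinst.server.p12\n'
    } > "$inst/dse.ldif"
    for f in cert9.db key4.db pkcs11.txt; do
        : > "$inst/$f"          # empty placeholder, stands in for the real db file
    done
    echo "$inst"
}

# Stand-alone run: diagnose, apply the same mv the post used, re-check.
inst=$(demo_setup)
echo "configured nickname: $(personality_from_dse "$inst/dse.ldif")"
check_certdir "$inst" || true
mv "$inst/cert9.db" "$inst/key4.db" "$inst/pkcs11.txt" "$inst/certs/"
check_certdir "$inst"
rm -rf "$(dirname "$inst")"
```

On a real instance, point check_certdir at the instance's config directory (for the post, /usr/local/etc/dirsrv/slapd-testinst) and compare the nickname it prints against the "Certificate Name" column of `dsconf ... security certificate list`; a nickname that names a .p12 file rather than an entry in the database is what produces the "Can't find certificate" alert seen in the errors log.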