On 8/27/20 3:10 PM, PGNet Dev wrote:
On 8/27/20 11:27 AM, Mark Reynolds wrote:
> This is the old "archived" link - it is definitely outdated. Here's a
newer one:
>
>
https://www.port389.org/docs/389ds/howto/howto-ssl.html
>
> Or better yet check out the official docs which tells you how to use dsconf and set
all of this up:
>
>
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
for future reference, _which_ is the "official/current documentation" site for
Fedora-pkg'd 389ds?
https://access.redhat.com/documentation/en-us/red_hat_directory_server
https://directory.fedoraproject.org/docs/389ds
or
https://www.port389.org/docs/389ds
?
per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
"This section describes how to import both a private key and Certificate Signing
Request (CSR), if you did not create them in the NSS database using an external
tool."
which _is_ my case (though, i think "import ... Certificate Signing Request
(CSR)" is a typo here)
so NOT dsconf either ... but dsctl.
You can do it with dsconf, see: "dsconf INST security --help", and
"dsconf INST security certificate --help"
checking,
dsctl testinst tls import-server-key-cert -h
usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path
positional arguments:
cert_path The path to the x509 cert to import as Server-Cert
key_path The path to the x509 key to import atestinstciated to Server-Cert
optional arguments:
-h, --help show this help message and exit
exec
dsctl testinst tls import-server-key-cert \
/etc/ssl/ldap.testinst.server.crt.pem \
/etc/ssl/ldap.testinst.server.key.pem
_appears_ 'happy' to add the server cert, with no error returned
verifying
cat des.ldif
....
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: ldap.testinst.server.p12
nsSSLActivation: on
nsSSLToken: internal (software)
modifiersName: cn=directory manager
modifyTimestamp: 20200827175643Z
...
but per,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
"Display the name of the server certificate in the NSS database: "
checking
dsctl testinst restart
dsconf -D "cn=Directory Manager" testinst security certificate list
returns
(empty)
where'd it go?
checking
tree /usr/local/etc/dirsrv/slapd-testinst/
/usr/local/etc/dirsrv/slapd-testinst/
>>> ├── cert9.db
├── certmap.conf
├── certs
??? │ ├── cert9.db
??? │ ├── key4.db
│ ├── noise.txt
│ ├── pin.txt
??? │ ├── pkcs11.txt
│ └── pwdfile.txt
├── dse.ldif
├── dse.ldif.bak
├── dse.ldif.startOK
>>> ├── key4.db
>>> ├── pkcs11.txt
├── schema
│ └── 99user.ldif
└── slapd-collations.conf
it appears to have _ignored_ my instance's cert_dir spec'n
nsslapd-certdir: /usr/local/etc/dirsrv/slapd-testinst/certs
if I manually
cd /usr/local/etc/dirsrv/slapd-testinst/
mv -f cert9.db key4.db pkcs11.txt certs/
NOW,
dsconf -D "cn=Directory Manager" testinst security certificate list
correctly sees/lists the cert
Certificate Name: Server-Cert
Subject DN: ...
the instance-specific
dsctl testinst tls import-server-key-cert
_should_ respect the instance config, no?
If you had to copy the cert and key files into /certs for it to work
then there is a bug in the server(or maybe the CLI) when it is creating
the NSS database. What is in the errors log? At server startup it logs
a lot of information about the security configuration. It would be
great to see this logging as it could help narrow down the problem.
Thanks,
Mark
--
389 Directory Server Development Team