Any further thoughts please or should I just start all over again ? Thanks, Phil
----- On 5 Jan, 2016, at 09:06, Phil Daws <uxbod(a)splatnix.net> wrote:
Hello Noriko,
Same problem unfortunately :(
Thanks, Phil
----- On 4 Jan, 2016, at 20:54, Noriko Hosoi <nhosoi(a)redhat.com> wrote:
> Hello Phil,
> We are working on the issue, but not sure what the root cause is yet.
> If you could try the new installer I have just uploaded, it would be a
> big help for us. (Please note that the version remains the same 1.1.15.)
> http://www.port389.org/docs/389ds/download.html#windows-console
> Thank you,
> --noriko
> On 01/04/2016 09:22 AM, Phil Daws wrote:
>> ----- On 4 Jan, 2016, at 16:45, Rich Megginson rmeggins(a)redhat.com wrote:
>>> On 01/04/2016 09:23 AM, Phil Daws wrote:
>>>> Hello Rich,
>>>> Have run in debug mode and connected to the admin interface which has been
>>>> secured with a cert:
>>>> {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin},
>>>> SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017,
>>>> ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20
>>>> 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB,
>>>> CN=LAB-CA}
>>>> JButtonFactory: button width = 54
>>>> JButtonFactory: button height = 20
>>>> JButtonFactory: button width = 54
>>>> JButtonFactory: button height = 20
>>>> JButtonFactory: button width = 72
>>>> JButtonFactory: button height = 20
>>>> JButtonFactory: button width = 72
>>>> JButtonFactory: button height = 20
>>>> JButtonFactory: button width = 54
>>>> JButtonFactory: button height = 20
>>>> JButtonFactory: button width = 72
>>>> HttpsChannel::select(...) - SELECT CERTIFICATE
>>>> Unable to create ssl socket
>>>> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) security library: invalid algorithm.
>>>> at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
>>>> at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
>>>> at com.netscape.management.client.comm.CommManager.send(Unknown Source)
>>>> at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
>>>> at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
>>>> at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
>>>> at com.netscape.management.client.console.Console.<init>(Unknown Source)
>>>> at com.netscape.management.client.console.Console.main(Unknown Source)
>>>> So it accepts the admin certificate fine but then shows an empty selection box
>>>> for a certificate ?
>>> Not sure what it means by "invalid algorithm" but it looks as though
>>> that is the root cause. The console doesn't know what to do with that
>>> error, so it asks you to select another cert, which is just a
>>> distraction at that point. Please open a ticket.
>> Hmm, but that "invalid algorithm" message only appeared when I clicked on
>> continue with no certificate showing in the selection dropdown list. The admin
>> certificate was accepted fine and then it showed the empty selection list.
>>>> Thanks, Phil
>>>> ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins(a)redhat.com wrote:
>>>>> On 01/04/2016 01:11 AM, Phil Daws wrote:
>>>>>> Any thoughts on this please ?
>>>>>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote:
>>>>>>> Hello,
>>>>>>> Have now got to the point where it says "Select a certificate to authenticate"
>>>>>>> yet the drop down box is empty.
>>>>> Can you run the console with -D 9 -f console.log, then check console.log
>>>>> to remove any sensitive information, then post that to this list? The
>>>>> easiest way to do this is to make a copy of the .bat file that runs the
>>>>> console, then add those arguments to the command line in the copy of the
>>>>> .bat file.
>>>>> I'm assuming you have not configured the admin server/directory server
>>>>> to require client cert authentication. If you don't know, then you
>>>>> probably haven't.
>>>>>>> If I check the NSS database it looks okay ?
>>>>>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and Settings\pmdaws\.389-console" -L
>>>>>>> Certificate Nickname                 Trust Attributes
>>>>>>>                                      SSL,S/MIME,JAR/XPI
>>>>>>> LAB CA Certificate                   CT,,
>>>>>>> Phil Daws                            p,p,p
>>>>>>> Seems as though the console is not picking them up :(
>>>>>>> Thanks, Phil
>>>>>>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com wrote:
>>>>>>>> On 12/15/2015 11:40 AM, Phil Daws wrote:
>>>>>>>>> Hello,
>>>>>>>>> Unfortunately I do not have a console under Fedora/RHEL.
>>>>>>>>> I can log into the Administration console fine, but when I click on Server
>>>>>>>>> Group, and then double click on the Directory Server it prompts me for the
>>>>>>>>> Distinguished name and password. The status is showing as:
>>>>>>>>> Server status: Stopped
>>>>>>>>> Port: 636
>>>>>>>>> The ports are listening fine:
>>>>>>>>> Active Internet connections (only servers)
>>>>>>>>> Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
>>>>>>>>> tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  301/sshd
>>>>>>>>> tcp        0      0 0.0.0.0:9830    0.0.0.0:*        LISTEN  1261/httpd
>>>>>>>>> tcp6       0      0 :::22           :::*             LISTEN  301/sshd
>>>>>>>>> tcp6       0      0 :::636          :::*             LISTEN  1196/ns-slapd
>>>>>>>>> tcp6       0      0 :::389          :::*             LISTEN  1196/ns-slapd
>>>>>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the
>>>>>>>>> console :(
>>>>>>>>> Any thoughts please ?
>>>>>>>> Not sure yet, but did you have a chance to see this section?
>>>>>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss...
>>>>>>>>> Thanks, Phil
>>>>>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote:
>>>>>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect
>>>>>>>>>>> to the Administration panel and double click on the Directory Server it just
>>>>>>>>>>> hangs. The CA certificate has been imported using:
>>>>>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i d:\Downloads\CA-chain.pem -a
>>>>>>>>>>> Am I missing something obvious please ?
>>>>>>>>>>> Thanks, Phil
>>>>>>>>>>> --
>>>>>>>>>>> 389 users mailing list
>>>>>>>>>>> 389-users@%(host_name)s
>>>>>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>>>>>>>>> Administration URL starts with https?
>>>>>>>>>> If you use Console on Fedora/RHEL, you have no problem?
>>>>>>>>>> Thanks.
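
An added example (not part of the thread and not 389 Console code): a Python parser for the `certutil -L` listing quoted above that decodes the NSS trust flags and reports which entries carry the `u` flag, which certutil shows when a matching private key is in the key database. `PAGE_LISTING` is copied from the thread; `CONSTRUCTED_LISTING` and all function names are constructed for illustration.

```python
import re

# Trust flag meanings as documented for NSS certutil.
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA for server certificates",
    "T": "trusted CA for client certificates",
    "u": "user certificate (private key present)",
    "w": "send warning",
}
# A data row ends in three comma-separated flag groups: SSL,S/MIME,JAR/XPI.
ROW = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[pPcCTuw]*),(?P<smime>[pPcCTuw]*),(?P<sign>[pPcCTuw]*)$"
)

# Listing as quoted in the thread.
PAGE_LISTING = """\
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
LAB CA Certificate                   CT,,
Phil Daws                            p,p,p
"""
# Constructed variant: the same database after a key pair was imported.
CONSTRUCTED_LISTING = PAGE_LISTING.replace("p,p,p", "u,u,u")


def parse_listing(text):
    """Return {nickname: (ssl, smime, signing)}; header lines do not match ROW."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            certs[m["nick"]] = (m["ssl"], m["smime"], m["sign"])
    return certs


def describe(flags):
    """Expand a flag group such as 'CT' into readable meanings."""
    return [FLAGS[f] for f in flags]


def client_identities(certs):
    """Nicknames whose SSL column has 'u', i.e. a private key is available."""
    return sorted(n for n, (ssl, _, _) in certs.items() if "u" in ssl)


def trusted_server_cas(certs):
    """Nicknames trusted to issue TLS server certificates ('C' in SSL column)."""
    return sorted(n for n, (ssl, _, _) in certs.items() if "C" in ssl)
```
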