Hello Noriko,

Same problem unfortunately :(

Thanks, Phil

----- On 4 Jan, 2016, at 20:54, Noriko Hosoi <nhosoi@redhat.com> wrote:

Hello Phil,
 
 We are working on the issue, but not sure what the root cause is yet.
 
 If you could try the new installer I have just uploaded, it would be a
 big help for us.  (Please note that the version remains the same 1.1.15.)
 http://www.port389.org/docs/389ds/download.html#windows-console
 
 Thank you,
 --noriko
 
 On 01/04/2016 09:22 AM, Phil Daws wrote:

----- On 4 Jan, 2016, at 16:45, Rich Megginson rmeggins@redhat.com wrote:

On 01/04/2016 09:23 AM, Phil Daws wrote:

Hello Rich,

 Have ran in debug mode and connected to the admin interface which has been
 secured with a cert:

 {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin},
 SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017,
 ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20
 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB,
 CN=LAB-CA}
 JButtonFactory: button width = 54
 JButtonFactory: button height = 20
 JButtonFactory: button width = 54
 JButtonFactory: button height = 20
 JButtonFactory: button width = 72
 JButtonFactory: button height = 20
 JButtonFactory: button width = 72
 JButtonFactory: button height = 20
 JButtonFactory: button width = 54
 JButtonFactory: button height = 20
 JButtonFactory: button width = 72certain
 HttpsChannel::select(...) - SELECT CERTIFICATE
 Unable to create ssl socket
 org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186)
 security library: invalid algorithm.
         at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
         at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
         at com.netscape.management.client.comm.CommManager.send(Unknown Source)
         at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
         at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
         at com.netscape.management.client.console.Console.authenticate_user(Unknown
         Source)
         at com.netscape.management.client.console.Console.<init>(Unknown Source)
         at com.netscape.management.client.console.Console.main(Unknown Source)certain

 So it accepts the admin certificate fine but then shows an empty selection box
 for a certificate ?

 Not sure what it means by "invalid algorithm" but it looks as though
 that is the root cause. The console doesn't know what to do with that
 error, so it asks you to select another cert, which is just a
 distraction at that point.  Please open a ticket.

 Hmm, but that "invalid algorithm" message only appeared when I clicked on
 continue with no certificate showing in the selection dropdown list.  The admin
 certificate was accepted fine and then it showed the empty selection list.

Thanks, Phil

 ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins@redhat.com wrote:

On 01/04/2016 01:11 AM, Phil Daws wrote:

Any thoughts on this please ?

 ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod@splatnix.net wrote:

Hello,

 Have now got to the point where it says "Select a certificate to authenticate"
 yet the drop down box is empty.

 Can you run the console with -D 9 -f console.log, then check console.log
 to remove any sensitive information, then post that to this list?  The
 easiest way to do this is to make a copy of the .bat file that runs the
 console, then add those arguments to the command line in the copy of the
 .bat file.

 I'm assuming you have not configured the admin server/directory server
 to require client cert authentication.  If you don't know, then you
 probably haven't.

If I check the NSS database it looks okay ?

 D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and
 Settings\pmdaws\.389-console" -L

 Certificate Nickname                                         Trust Attributes
                                                                SSL,S/MIME,JAR/XPI

 LAB CA Certificate                                           CT,,
 Phil Daws                                                    p,p,p

 Seems as though the console is not picking them up :(

 Thanks, Phil
 ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi@redhat.com wrote:

On 12/15/2015 11:40 AM, Phil Daws wrote:

Hello,

 Unfortunately I do not have a console under Fedora/RHEL.

 I can log into the Administration console fine, but when I click on Server
 Group, and then double click on the Directory Server it prompts me for the
 Distinguished name and password.  The status is showing as:

 Server status: Stopped
 Port: 636

 The ports are listening fine:

 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 PID/Program name
 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
 301/sshd
 tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN
 1261/httpd
 tcp6       0      0 :::22                   :::*                    LISTEN
 301/sshd
 tcp6       0      0 :::636                  :::*                    LISTEN
 1196/ns-slapd
 tcp6       0      0 :::389                  :::*                    LISTEN
 1196/ns-slapd

 So am guessing it's probably due to when I enabled "Secure Connection" in the
 console :(

 Any thoughts please ?

 Not sure yet, but did you have a chance to see this section?
 http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsssl-information

Thanks, Phil



 ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi@redhat.com wrote:

On 12/15/2015 09:51 AM, Phil Daws wrote:

Hello,

 I have 389 up and running in my lab, with encryption enabled, but when I connect
 too the Administration panel and double click on the Directory Server it just
 hangs.  The CA certificate has been imported using:

 d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and
 Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i
 d:\Downloads\CA-chain.pem -a

 Am I missing something obvious please ?

 Thanks, Phil

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 Administration URL starts with https?

 If you use Console on Fedora/RHEL, you have no problem?

 Thanks.
 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

 --
 389 users mailing list
 389-users@%(host_name)s
 http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org