Hi,
We're preparing to upgrade from the initial DS release to 1.0.4-1 on our RHEL4 servers. In testing, we've hit a brick wall while trying to set up SSL. We can install the server just fine, but when clicking on "Manage Certificates" in the console we get the following:
could not open file slapd-$hostname-cert8.db
We get the same type of error when trying to manage the admin server certs.
This is a completely fresh install, and we've double checked file ownership, so permissions are not an issue. After working on this for a while, I tried installing the FC6 rpm on my FC6 desktop with the same settings and JVM, which worked just fine...so it's something specific about the RHEL4 version or its dependencies.
I found one other post about this kind of issue (From Nov 2006 by Graham Leggett), but I never saw a solution. I have even tried initializing the DBs by hand with certutil, but this does not appear to make a difference.
Any advice?
Thanks,
Travis
Permissions perhaps?
rob
Hi,
No, as noted it is a completely new install, and I've already double checked permissions.
Regardless - I've also tried chowning the entire tree to ldap (yes, this is the user privs are being dropped to), as well as setting a+rw on the entire /opt/fedora-ds tree.
Thanks,
Travis
On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote:
Permissions perhaps?
rob
I agree with Graham's original idea - it's almost as if the server is not looking in the proper location for the database. Does anyone know where this is set?
Thanks,
Travis
On Tue, 2007-10-02 at 18:25 -0400, Travis wrote:
Hi,
No, as noted it is a completely new install, and I've already double checked permissions.
Regardless - I've also tried chowning the entire tree to ldap (yes, this is the user privs are being dropped to), as well as setting a+rw on the entire /opt/fedora-ds tree.
Thanks,
Travis
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Travis wrote:
I agree with Graham's original idea - it's almost as if the server is not looking in the proper location for the database. Does anyone know where this is set?
It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif
Thanks Richard and Richard - Tried to post last night but my home mail server is blocked as a spammer for some reason (a bad spammer *is* on my subnet somewhere...)
I had a long think about what was different between the working installs and non-working installs and realized the one that wasn't working had a "." in the name due to our naming convention. I tried substituting a "-" for the "." and it worked like a charm. :-)
Thanks for the help folks. I'll file a bug report - the installer should at least prevent you from using periods in instance names.
Travis
Travis - I had this problem with new installations and clean re-installations. The installation of Fedora Directory did not create the certificate database. I solved it by creating the appropriately-named certificate database in the correct location using certutil. -Glenn.
---------- Original Message ----------- From: Richard Megginson rmeggins@redhat.com To: tag@netfoo.org, "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Sent: Tue, 02 Oct 2007 17:04:33 -0600 Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Travis wrote:
I agree with Graham's original idea - it's almost as if the server is not looking in the proper location for the database. Does anyone know where this is set?
It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif
Glenn wrote:
Travis - I had this problem with new installations and clean re-installations. The installation of Fedora Directory did not create the certificate database. I solved it by creating the appropriately-named certificate database in the correct location using certutil. -Glenn.
Is there any sort of pattern to when it does or does not create the key/cert databases? When the server starts up, it is supposed to create them if they are not there. This means that /opt/fedora-ds/alias must be writable by the server user id (default nobody).
When you uninstall the server, it does not remove the key and cert databases, because this could be potentially devastating if you had not backed them up first.
Richard - It has been months since I did this, and I don't remember each detail of the installation. I did not use the default server user ID; I changed it when given the opportunity during installation. Maybe this caused a permissions problem? -Glenn.
---------- Original Message ----------- From: Richard Megginson rmeggins@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Sent: Wed, 03 Oct 2007 08:02:15 -0600 Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Is there any sort of pattern to when it does or does not create the key/cert databases? When the server starts up, it is supposed to create them if they are not there. This means that /opt/fedora-ds/alias must be writable by the server user id (default nobody).
Hi Glenn,
That was not the problem - the DB was there after install (though not the admin server DB), it just couldn't parse the "." in the instance name.
Travis
On Wed, 2007-10-03 at 08:48 -0500, Glenn wrote:
Travis - I had this problem with new installations and clean re-installations. The installation of Fedora Directory did not create the certificate database. I solved it by creating the appropriately-named certificate database in the correct location using certutil. -Glenn.
could not open file slapd-$hostname-cert8.db
Does $hostname match the slapd instance name? For example, is the path to your slapd directory /opt/fedora-ds/slapd-$hostname? Or is it slapd-$somethingelse?
-richard
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rob Crittenden Sent: Tuesday, October 02, 2007 2:31 PM To: tag@netfoo.org; General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Permissions perhaps?
rob
389-users@lists.fedoraproject.org
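
The checks discussed in this thread, collected into one preflight script as an added example (not code from the thread or from the Fedora DS project). It assumes the /opt/fedora-ds layout quoted above; the function names and exit codes are hypothetical, key3.db is the legacy NSS companion file to the cert8.db named in the error, and the period check reflects what Travis reported for 1.0.4-1 rather than a documented rule.

```shell
#!/bin/sh
# Added example. Function names and exit codes are hypothetical.
# check_ds_certdb SERVER_ROOT INSTANCE returns:
#   0 OK, 1 period in instance name, 2 instance dir missing,
#   3 cert/key DB missing, 4 DB missing and alias/ not writable.
check_ds_certdb() {
    root=$1
    inst=$2
    alias_dir="$root/alias"
    # The thread traced the failure to a "." in the instance name.
    case $inst in
        *.*) echo "instance name '$inst' contains a period" >&2; return 1 ;;
    esac
    if [ ! -d "$root/slapd-$inst" ]; then
        echo "no instance directory $root/slapd-$inst" >&2
        return 2
    fi
    # cert8.db is named in the thread; key3.db is its legacy NSS companion.
    for db in cert8 key3; do
        f="$alias_dir/slapd-$inst-$db.db"
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            # The server creates the DBs at startup only if alias/ is writable.
            [ -w "$alias_dir" ] || { echo "$alias_dir not writable" >&2; return 4; }
            return 3
        fi
    done
    # Show the cert settings the server config refers to (grep from the thread).
    grep -i nscert "$root/slapd-$inst/config/dse.ldif" 2>/dev/null || true
    return 0
}

# Constructed sample tree (not a real install) for trying the checks offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/alias" "$t/slapd-ldap-example/config" "$t/slapd-ldap.example"
    : > "$t/alias/slapd-ldap-example-cert8.db"
    : > "$t/alias/slapd-ldap-example-key3.db"
    echo "$t"
}

# Usage: sh check.sh /opt/fedora-ds instancename
if [ "$#" -eq 2 ]; then
    check_ds_certdb "$1" "$2"
fi
```

Run it as the server user rather than root, since root passes the readable and writable tests regardless of ownership.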