Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
* from my PKI created four certificates - node1 admin and node2 directory + node2 admin and node2 directory certificates
* on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
* on node1 ran setup-ds-admin.pl and configured the initial directory server
* on node1 configured the admin to use TLS + the directory server so that it bound to 636
* on node2 ran setup-ds-admin.pl and joined the directory server on node1
* on node2 configured the admin to use TLS
* on node2 launch 389-console using https and then try to connect to the directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
How does one perform an install, with two nodes, that each has an administration instance plus a directory server running TLS on 636 ?? Have not even been able to attempt multi-master replication yet :(
All help appreciated. Thanks, Phil
Phil,
It looks like you are missing a package. Do you have the NSS package installed?
Cheers,
Paul M. Whitney paul.whitney@mac.com
Sent from my Mac Book Pro
On Jan 15, 2016, at 1:03 PM, Phil Daws uxbod@splatnix.net wrote:
Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
- from my PKI created four certificates - node1 admin and node2 directory + node2 admin and node2 directory certificates
- on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
- on node1 ran setup-ds-admin.pl and configured the initial directory server
- on node1 configured the admin to use TLS + the directory server so that it bound to 636
- on node2 ran setup-ds-admin.pl and joined the directory server on node1
- on node2 configured the admin to use TLS
- on node2 launch 389-console using https and then try to connect to the directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
How does one perform an install, with two nodes, that each has an administration instance plus a directory server running TLS on 636 ?? Have not even been able to attempt multi-master replication yet :(
All help appreciated. Thanks, Phil
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
Packages are same on both node1 and node2:
[root@ads01 admin-serv]# rpm -qa | grep nss
nss-softokn-freebl-3.16.2.3-13.el7_1.x86_64
nss-util-3.19.1-4.el7_1.x86_64
nss-3.19.1-19.el7_2.x86_64
openssl-libs-1.0.1e-51.el7_2.2.x86_64
openssh-server-6.6.1p1-23.el7_2.x86_64
openssl-1.0.1e-51.el7_2.2.x86_64
nss-softokn-3.16.2.3-13.el7_1.x86_64
mod_nss-1.0.11-6.el7.x86_64
nss-sysinit-3.19.1-19.el7_2.x86_64
nss-tools-3.19.1-19.el7_2.x86_64
openssh-6.6.1p1-23.el7_2.x86_64
openssh-clients-6.6.1p1-23.el7_2.x86_64
Thanks, Phil
----- On 17 Jan, 2016, at 13:43, Paul Whitney paul.whitney@mac.com wrote:
Phil,
It looks like you are missing a package. Do you have the NSS package installed?
Cheers,
Paul M. Whitney paul.whitney@mac.com
Sent from my Mac Book Pro
On Jan 15, 2016, at 1:03 PM, Phil Daws uxbod@splatnix.net wrote:
Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
- from my PKI created four certificates - node1 admin and node2 directory +
node2 admin and node2 directory certificates
- on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
- on node1 ran setup-ds-admin.pl and configured the initial directory server
- on node1 configured the admin to use TLS + the directory server so that it
bound to 636
- on node2 ran setup-ds-admin.pl and joined the directory server on node1
- on node2 configured the admin to use TLS
- on node2 launch 389-console using https and then try to connect to the
directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
How does one perform an install, with two nodes, that each has an administration instance plus a directory server running TLS on 636 ?? Have not even been able to attempt multi-master replication yet :(
All help appreciated. Thanks, Phil
Phil Daws wrote:
Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
- from my PKI created four certificates - node1 admin and node2 directory + node2 admin and node2 directory certificates
- on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
- on node1 ran setup-ds-admin.pl and configured the initial directory server
- on node1 configured the admin to use TLS + the directory server so that it bound to 636
- on node2 ran setup-ds-admin.pl and joined the directory server on node1
- on node2 configured the admin to use TLS
- on node2 launch 389-console using https and then try to connect to the directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
Double-check that the user that 389-ds runs as has read permissions to the NSS database.
How does one perform an install, with two nodes, that each has an administration instance plus a directory server running TLS on 636 ?? Have not even been able to attempt multi-master replication yet :(
All help appreciated. Thanks, Phil
----- On 17 Jan, 2016, at 14:48, Rob Crittenden rcritten@redhat.com wrote:
Phil Daws wrote:
Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
- from my PKI created four certificates - node1 admin and node2 directory +
node2 admin and node2 directory certificates
- on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
- on node1 ran setup-ds-admin.pl and configured the initial directory server
- on node1 configured the admin to use TLS + the directory server so that it
bound to 636
- on node2 ran setup-ds-admin.pl and joined the directory server on node1
- on node2 configured the admin to use TLS
- on node2 launch 389-console using https and then try to connect to the
directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
Double-check that the user that 389-ds runs as has read permissions to the NSS database.
Permissions look fine with 0440 and owned by the user that slapd is running under.
How does one perform an install, with two nodes, that each has an administration instance plus a directory server running TLS on 636 ?? Have not even been able to attempt multi-master replication yet :(
All help appreciated. Thanks, Phil
Phil Daws wrote:
----- On 17 Jan, 2016, at 14:48, Rob Crittenden rcritten@redhat.com wrote:
Phil Daws wrote:
Hello all:
Have tried to get my lab set up with 389 and secure connections multiple times now with disastrous results; and yes have tried to follow http://www.port389.org/docs/389ds/howto/howto-ssl.html
Here is a very brief walkthrough of what I did:
- from my PKI created four certificates - node1 admin and node2 directory +
node2 admin and node2 directory certificates
- on both node1 and node2 installed the following packages:
[root@ads01 ~]# rpm -qa | grep 389
389-adminutil-1.1.22-1.el7.x86_64
389-ds-base-1.3.4.0-21.el7_2.x86_64
389-admin-console-1.1.10-1.el7.noarch
389-console-1.1.9-1.el7.noarch
389-ds-base-libs-1.3.4.0-21.el7_2.x86_64
389-admin-1.1.42-1.el7.x86_64
389-ds-console-1.2.12-1.el7.noarch
- on node1 ran setup-ds-admin.pl and configured the initial directory server
- on node1 configured the admin to use TLS + the directory server so that it
bound to 636
- on node2 ran setup-ds-admin.pl and joined the directory server on node1
- on node2 configured the admin to use TLS
- on node2 launch 389-console using https and then try to connect to the
directory server on node2 and it just hangs and fails with an SSL error over and over:
[Fri Jan 15 17:22:14.391824 2016] [:crit] [pid 705:tid 140640199088192] sslinit: NSS is required to use LDAPS, but security initialization failed [-8015:The certificate/key database is in an old, unsupported format or failed to open.].
Double-check that the user that 389-ds runs as has read permissions to the NSS database.
Permissions look fine with 0440 and owned by the user that slapd is running under.
I'd check directories too then I guess and ensure that the database is in the location specified by nsslapd-certdir.
This is a classic, horrible NSS catch-all error code. It means that NSS wasn't able to initialize the NSS database but doesn't give any reason why. It could be that it isn't there, or isn't readable, or is corrupted, or some ancient format. Who knows. But it usually means that it isn't there or isn't readable.
rob
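A pre-flight script for the checks Rob and Phil work through above (database present in the directory nsslapd-certdir names, owned by the slapd user, readable by it), added here as an example and not taken from the thread or from 389-ds itself. The instance path /etc/dirsrv/slapd-INSTANCE and the user name dirsrv are assumptions; the quoted error line comes from the admin server's httpd log, so the same check should also be run against the database directory its mod_nss configuration points at.

```shell
#!/bin/sh
# Added example, not from the thread or from 389-ds: pre-flight checks for the
# NSS database an instance points at, covering the causes behind NSS -8015 that
# Rob lists (database missing, in the wrong place, or not readable).

# Print the nsslapd-certdir value from an instance's dse.ldif ("attr: value" lines).
certdir_from_dse() {
    sed -n 's/^nsslapd-certdir: *//p' "$1" | head -n 1
}
# Owner name and owner rwx bits of a path, taken from ls so GNU stat is not needed.
path_owner() { ls -ld "$1" | awk '{print $3}'; }
owner_bits() { ls -ld "$1" | cut -c2-4; }

# Return 0 when DIR holds a cert/key database pair (legacy cert8/key3 or SQLite
# cert9/key4) that USER owns and can read; print every problem found.
nss_db_check() {
    dir=$1; user=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # The directory needs the search (x) bit or the files inside cannot be opened.
    case $(owner_bits "$dir") in
        *x*) ;;
        *) echo "FAIL: $dir is not searchable by its owner"; rc=1 ;;
    esac
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        files="cert8.db key3.db"
    elif [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        files="cert9.db key4.db"
    else
        echo "FAIL: no cert/key database pair found in $dir"; return 1
    fi
    for f in $files; do
        p="$dir/$f"
        [ "$(path_owner "$p")" = "$user" ] || { echo "FAIL: $p is not owned by $user"; rc=1; }
        case $(owner_bits "$p") in
            r*) ;;
            *) echo "FAIL: $p is not readable by its owner"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir holds an NSS database that $user can read"
    return "$rc"
}
# Usage: sh nss_preflight.sh /etc/dirsrv/slapd-INSTANCE dirsrv   (hypothetical names)
if [ $# -eq 2 ]; then
    certdir=$(certdir_from_dse "$1/dse.ldif")
    [ -n "$certdir" ] || certdir=$1      # fall back to the instance directory itself
    nss_db_check "$certdir" "$2"
    # certutil (nss-tools) really opens the database, which is the decisive check.
    command -v certutil >/dev/null 2>&1 && certutil -L -d "$certdir"
fi
```

Run it as root on each node before starting slapd; a clean OK plus a certificate listing from certutil rules out the "isn't there or isn't readable" cases Rob describes.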