Hello,
I've been trying to deploy a secure 389 server with TLS/SSL on the port 636. If I do things manually, it works alright.
But using the scripts provided on the website, I run into some trouble.
BACKGROUND INFO: Attached to this mail are the scripts and conf file I use. My setupssl.sh is a modified version of the setupssl2.sh meant for DS >= 1.1. I changed the cipher suite and I changed the name of the admin cert from server-cert to admin-cert for clarity (I manually changed the name of the certificate in the admin console configuration file accordingly). The reason behind the cipher suite change is that the one in the original script prevents the script from running (AttributeType error), so I used a cipher suite from a working, manually deployed LDAP server. I use the packages provided with RHEL6U5. Here are the component versions:
389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch
openjdk version: java-1.6.0-openjdk-1.6.0.0-6.1.13.4.el6_5.x86_64
PROBLEM DESCRIPTION: Once the scripts have run, I start 389-console using the https URL. Authentication yields an error message: "Cannot connect..."
Console with debugging enabled shows this error message:
Unable to create ssl socket org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
/var/log/dirsrv/admin-server/error has the following line:
[error] SSL Library Error: -12271 SSL client cannot verify your certificate
Certificate list from admin server:
admin-cert u,u,u
CA certificate CT,,

Certificate list from slapd-myserver7:
CA certificate CTu,u,u
admin-cert u,u,u
Server-Cert u,u,u
My certificates all have different serial numbers: 1000 for CA, 1001 for Server-Cert, 1002 for admin-cert.
If I disable the security for the console by setting NSSEngine to Off, I can log in to the console with the normal http URL, but as soon as I access a certificate-related tab (for example "Manage Certificates" or the Encryption tab of the server), I get the following error message:
Unable to create ssl socket org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12263) SSL received a record that exceeded the maximum permissible length.
Has anyone ever experienced these SSL errors? Is there something I can compare between my working, manually deployed LDAP servers and the one that I try to deploy automatically?
Thanks in advance.
Regards,
Nicolas Martin
389-users@lists.fedoraproject.org
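One concrete comparison for the -8054 condition (same issuer/serial, different certificate), as an added example that is not part of the original post or of the 389 scripts: it parses the pretty-print output of `certutil -L -n <nickname> -d <dbdir>` from each NSS database and reports issuer/serial pairs that are backed by more than one distinct fingerprint. The database paths, issuer DN and fingerprints are constructed; only the serial numbers follow the post.

```python
import re
from collections import defaultdict

# Constructed `certutil -L -n <nickname> -d <dbdir>` output, trimmed to the
# fields this check needs. Serials follow the post; the issuer DN, the
# fingerprints and the database paths are invented for the example.
SAMPLE_DBS = {
    "/etc/dirsrv/admin-serv": {
        "CA certificate": 'Serial Number: 1000 (0x3e8)\n Issuer: "CN=CA"\n'
                          ' Fingerprint (SHA-256):\n AA:AA:AA:AA',
        "admin-cert":     'Serial Number: 1002 (0x3ea)\n Issuer: "CN=CA"\n'
                          ' Fingerprint (SHA-256):\n BB:BB:BB:BB',
    },
    "/etc/dirsrv/slapd-myserver7": {
        "CA certificate": 'Serial Number: 1000 (0x3e8)\n Issuer: "CN=CA"\n'
                          ' Fingerprint (SHA-256):\n AA:AA:AA:AA',
        "Server-Cert":    'Serial Number: 1001 (0x3e9)\n Issuer: "CN=CA"\n'
                          ' Fingerprint (SHA-256):\n CC:CC:CC:CC',
        # Same nickname and serial as the admin-server copy, but a different
        # certificate: this is what JSS rejects with -8054.
        "admin-cert":     'Serial Number: 1002 (0x3ea)\n Issuer: "CN=CA"\n'
                          ' Fingerprint (SHA-256):\n DD:DD:DD:DD',
    },
}


def parse_cert(text):
    """Extract serial, issuer DN and SHA-256 fingerprint from certutil pretty-print."""
    serial = re.search(r"Serial Number:\s*(\d+)", text).group(1)
    issuer = re.search(r'Issuer:\s*"([^"]*)"', text).group(1)
    fingerprint = re.search(r"Fingerprint \(SHA-256\):\s*([0-9A-F:]+)", text).group(1)
    return {"serial": serial, "issuer": issuer, "fingerprint": fingerprint}


def find_conflicts(dbs):
    """Return [(issuer, serial, {fingerprint: [(dbdir, nickname), ...]})] for
    every issuer/serial pair that maps to more than one distinct certificate
    across all databases; the CA shared by both databases is not a conflict."""
    seen = defaultdict(lambda: defaultdict(list))
    for dbdir, certs in dbs.items():
        for nickname, text in certs.items():
            cert = parse_cert(text)
            seen[(cert["issuer"], cert["serial"])][cert["fingerprint"]].append((dbdir, nickname))
    return [(issuer, serial, dict(fps))
            for (issuer, serial), fps in seen.items() if len(fps) > 1]


if __name__ == "__main__":
    for issuer, serial, fps in find_conflicts(SAMPLE_DBS):
        print(f"issuer {issuer!r} serial {serial}: {len(fps)} different certs -> {fps}")
```

On a real host, replace SAMPLE_DBS with the output of certutil for each nickname in the admin-server and slapd-* databases; one issuer/serial pair listed with two fingerprints is the condition the console error describes.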