Hello, I have 389 up and running in my lab, with encryption enabled, but when I connect too the Administration panel and double click on the Directory Server it just hangs. The CA certificate has been imported using: d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i d:\Downloads\CA-chain.pem -a Am I missing something obvious please ? Thanks, Phil -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Hello, Unfortunately I do not have a console under Fedora/RHEL. I can log into the Administration console fine, but when I click on Server Group, and then double click on the Directory Server it prompts me for the Distinguished name and password. The status is showing as: Server status: Stopped Port: 636 The ports are listening fine: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 301/sshd tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN 1261/httpd tcp6 0 0 :::22 :::* LISTEN 301/sshd tcp6 0 0 :::636 :::* LISTEN 1196/ns-slapd tcp6 0 0 :::389 :::* LISTEN 1196/ns-slapd So am guessing it's probably due to when I enabled "Secure Connection" in the console :( Any thoughts please ?

Thanks, Phil ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote: > On 12/15/2015 09:51 AM, Phil Daws wrote: >> Hello, >> >> I have 389 up and running in my lab, with encryption enabled, but when I connect >> too the Administration panel and double click on the Directory Server it just >> hangs. The CA certificate has been imported using: >> >> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and >> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i >> d:\Downloads\CA-chain.pem -a >> >> Am I missing something obvious please ? >> >> Thanks, Phil >> >> -- >> 389 users mailing list >> 389-users@%(host_name)s >> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org > Administration URL starts with https? > > If you use Console on Fedora/RHEL, you have no problem? > > Thanks. > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Hello, Have now got to the point where it says "Select a certificate to authenticate" yet the drop down box is empty. If I check the NSS database it looks okay ? D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and Settings\pmdaws\.389-console" -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI LAB CA Certificate CT,, Phil Daws p,p,p Seems as though the console is not picking them up :( Thanks, Phil ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com wrote: > On 12/15/2015 11:40 AM, Phil Daws wrote: >> Hello, >> >> Unfortunately I do not have a console under Fedora/RHEL. >> >> I can log into the Administration console fine, but when I click on Server >> Group, and then double click on the Directory Server it prompts me for the >> Distinguished name and password. The status is showing as: >> >> Server status: Stopped >> Port: 636 >> >> The ports are listening fine: >> >> Active Internet connections (only servers) >> Proto Recv-Q Send-Q Local Address Foreign Address State >> PID/Program name >> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN >> 301/sshd >> tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN >> 1261/httpd >> tcp6 0 0 :::22 :::* LISTEN >> 301/sshd >> tcp6 0 0 :::636 :::* LISTEN >> 1196/ns-slapd >> tcp6 0 0 :::389 :::* LISTEN >> 1196/ns-slapd >> >> So am guessing it's probably due to when I enabled "Secure Connection" in the >> console :( >> >> Any thoughts please ? > Not sure yet, but did you have a chance to see this section? > http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss... >> >> Thanks, Phil >> >> >> >> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote: >> >>> On 12/15/2015 09:51 AM, Phil Daws wrote: >>>> Hello, >>>> >>>> I have 389 up and running in my lab, with encryption enabled, but when I connect >>>> too the Administration panel and double click on the Directory Server it just >>>> hangs. The CA certificate has been imported using: >>>> >>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and >>>> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i >>>> d:\Downloads\CA-chain.pem -a >>>> >>>> Am I missing something obvious please ? >>>> >>>> Thanks, Phil >>>> >>>> -- >>>> 389 users mailing list >>>> 389-users@%(host_name)s >>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>> Administration URL starts with https? >>> >>> If you use Console on Fedora/RHEL, you have no problem? >>> >>> Thanks. >>> -- >>> 389 users mailing list >>> 389-users@%(host_name)s >>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >> -- >> 389 users mailing list >> 389-users@%(host_name)s >> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

On 01/04/2016 01:11 AM, Phil Daws wrote: > Any thoughts on this please ? > > ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote: > >> Hello, >> >> Have now got to the point where it says "Select a certificate to authenticate" >> yet the drop down box is empty. Can you run the console with -D 9 -f console.log, then check console.log to remove any sensitive information, then post that to this list? The easiest way to do this is to make a copy of the .bat file that runs the console, then add those arguments to the command line in the copy of the .bat file. I'm assuming you have not configured the admin server/directory server to require client cert authentication. If you don't know, then you probably haven't. >> >> If I check the NSS database it looks okay ? >> >> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and >> Settings\pmdaws\.389-console" -L >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> LAB CA Certificate CT,, >> Phil Daws p,p,p >> >> Seems as though the console is not picking them up :( >> >> Thanks, Phil >> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com wrote: >> >>> On 12/15/2015 11:40 AM, Phil Daws wrote: >>>> Hello, >>>> >>>> Unfortunately I do not have a console under Fedora/RHEL. >>>> >>>> I can log into the Administration console fine, but when I click on Server >>>> Group, and then double click on the Directory Server it prompts me for the >>>> Distinguished name and password. The status is showing as: >>>> >>>> Server status: Stopped >>>> Port: 636 >>>> >>>> The ports are listening fine: >>>> >>>> Active Internet connections (only servers) >>>> Proto Recv-Q Send-Q Local Address Foreign Address State >>>> PID/Program name >>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN >>>> 301/sshd >>>> tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN >>>> 1261/httpd >>>> tcp6 0 0 :::22 :::* LISTEN >>>> 301/sshd >>>> tcp6 0 0 :::636 :::* LISTEN >>>> 1196/ns-slapd >>>> tcp6 0 0 :::389 :::* LISTEN >>>> 1196/ns-slapd >>>> >>>> So am guessing it's probably due to when I enabled "Secure Connection" in the >>>> console :( >>>> >>>> Any thoughts please ? >>> Not sure yet, but did you have a chance to see this section? >>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss... >>>> Thanks, Phil >>>> >>>> >>>> >>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote: >>>> >>>>> On 12/15/2015 09:51 AM, Phil Daws wrote: >>>>>> Hello, >>>>>> >>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect >>>>>> too the Administration panel and double click on the Directory Server it just >>>>>> hangs. The CA certificate has been imported using: >>>>>> >>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and >>>>>> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i >>>>>> d:\Downloads\CA-chain.pem -a >>>>>> >>>>>> Am I missing something obvious please ? >>>>>> >>>>>> Thanks, Phil >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users@%(host_name)s >>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>> Administration URL starts with https? >>>>> >>>>> If you use Console on Fedora/RHEL, you have no problem? >>>>> >>>>> Thanks. >>>>> -- >>>>> 389 users mailing list >>>>> 389-users@%(host_name)s >>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>> -- >>>> 389 users mailing list >>>> 389-users@%(host_name)s >>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>> -- >>> 389 users mailing list >>> 389-users@%(host_name)s >>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >> -- >> 389 users mailing list >> 389-users@%(host_name)s >> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

On 01/04/2016 09:23 AM, Phil Daws wrote: > Hello Rich, > > Have ran in debug mode and connected to the admin interface which has been > secured with a cert: > > {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin}, > SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017, > ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 > 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB, > CN=LAB-CA} > JButtonFactory: button width = 54 > JButtonFactory: button height = 20 > JButtonFactory: button width = 54 > JButtonFactory: button height = 20 > JButtonFactory: button width = 72 > JButtonFactory: button height = 20 > JButtonFactory: button width = 72 > JButtonFactory: button height = 20 > JButtonFactory: button width = 54 > JButtonFactory: button height = 20 > JButtonFactory: button width = 72 > HttpsChannel::select(...) - SELECT CERTIFICATE > Unable to create ssl socket > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) > security library: invalid algorithm. > at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method) > at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source) > at com.netscape.management.client.comm.CommManager.send(Unknown Source) > at com.netscape.management.client.comm.HttpManager.get(Unknown Source) > at com.netscape.management.client.console.Console.invoke_task(Unknown Source) > at com.netscape.management.client.console.Console.authenticate_user(Unknown > Source) > at com.netscape.management.client.console.Console.<init>(Unknown Source) > at com.netscape.management.client.console.Console.main(Unknown Source) > > So it accepts the admin certificate fine but then shows an empty selection box > for a certificate ? Not sure what it means by "invalid algorithm" but it looks as though that is the root cause. The console doesn't know what to do with that error, so it asks you to select another cert, which is just a distraction at that point. Please open a ticket.

> > Thanks, Phil > > ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins(a)redhat.com wrote: > >> On 01/04/2016 01:11 AM, Phil Daws wrote: >>> Any thoughts on this please ? >>> >>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote: >>> >>>> Hello, >>>> >>>> Have now got to the point where it says "Select a certificate to authenticate" >>>> yet the drop down box is empty. >> Can you run the console with -D 9 -f console.log, then check console.log >> to remove any sensitive information, then post that to this list? The >> easiest way to do this is to make a copy of the .bat file that runs the >> console, then add those arguments to the command line in the copy of the >> .bat file. >> >> I'm assuming you have not configured the admin server/directory server >> to require client cert authentication. If you don't know, then you >> probably haven't. >> >>>> If I check the NSS database it looks okay ? >>>> >>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and >>>> Settings\pmdaws\.389-console" -L >>>> >>>> Certificate Nickname Trust Attributes >>>> SSL,S/MIME,JAR/XPI >>>> >>>> LAB CA Certificate CT,, >>>> Phil Daws p,p,p >>>> >>>> Seems as though the console is not picking them up :( >>>> >>>> Thanks, Phil >>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com wrote: >>>> >>>>> On 12/15/2015 11:40 AM, Phil Daws wrote: >>>>>> Hello, >>>>>> >>>>>> Unfortunately I do not have a console under Fedora/RHEL. >>>>>> >>>>>> I can log into the Administration console fine, but when I click on Server >>>>>> Group, and then double click on the Directory Server it prompts me for the >>>>>> Distinguished name and password. The status is showing as: >>>>>> >>>>>> Server status: Stopped >>>>>> Port: 636 >>>>>> >>>>>> The ports are listening fine: >>>>>> >>>>>> Active Internet connections (only servers) >>>>>> Proto Recv-Q Send-Q Local Address Foreign Address State >>>>>> PID/Program name >>>>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN >>>>>> 301/sshd >>>>>> tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN >>>>>> 1261/httpd >>>>>> tcp6 0 0 :::22 :::* LISTEN >>>>>> 301/sshd >>>>>> tcp6 0 0 :::636 :::* LISTEN >>>>>> 1196/ns-slapd >>>>>> tcp6 0 0 :::389 :::* LISTEN >>>>>> 1196/ns-slapd >>>>>> >>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the >>>>>> console :( >>>>>> >>>>>> Any thoughts please ? >>>>> Not sure yet, but did you have a chance to see this section? >>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss... >>>>>> Thanks, Phil >>>>>> >>>>>> >>>>>> >>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote: >>>>>> >>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect >>>>>>>> too the Administration panel and double click on the Directory Server it just >>>>>>>> hangs. The CA certificate has been imported using: >>>>>>>> >>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and >>>>>>>> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i >>>>>>>> d:\Downloads\CA-chain.pem -a >>>>>>>> >>>>>>>> Am I missing something obvious please ? >>>>>>>> >>>>>>>> Thanks, Phil >>>>>>>> >>>>>>>> -- >>>>>>>> 389 users mailing list >>>>>>>> 389-users@%(host_name)s >>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>> Administration URL starts with https? >>>>>>> >>>>>>> If you use Console on Fedora/RHEL, you have no problem? >>>>>>> >>>>>>> Thanks. >>>>>>> -- >>>>>>> 389 users mailing list >>>>>>> 389-users@%(host_name)s >>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users@%(host_name)s >>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>> -- >>>>> 389 users mailing list >>>>> 389-users@%(host_name)s >>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>> -- >>>> 389 users mailing list >>>> 389-users@%(host_name)s >>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>> -- >>> 389 users mailing list >>> 389-users@%(host_name)s >>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >> -- >> 389 users mailing list >> 389-users@%(host_name)s >> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

----- On 4 Jan, 2016, at 16:45, Rich Megginson rmeggins(a)redhat.com wrote: > On 01/04/2016 09:23 AM, Phil Daws wrote: >> Hello Rich, >> >> Have ran in debug mode and connected to the admin interface which has been >> secured with a cert: >> >> {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin}, >> SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017, >> ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 >> 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB, >> CN=LAB-CA} >> JButtonFactory: button width = 54 >> JButtonFactory: button height = 20 >> JButtonFactory: button width = 54 >> JButtonFactory: button height = 20 >> JButtonFactory: button width = 72 >> JButtonFactory: button height = 20 >> JButtonFactory: button width = 72 >> JButtonFactory: button height = 20 >> JButtonFactory: button width = 54 >> JButtonFactory: button height = 20 >> JButtonFactory: button width = 72certain >> HttpsChannel::select(...) - SELECT CERTIFICATE >> Unable to create ssl socket >> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) >> security library: invalid algorithm. >> at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method) >> at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source) >> at com.netscape.management.client.comm.CommManager.send(Unknown Source) >> at com.netscape.management.client.comm.HttpManager.get(Unknown Source) >> at com.netscape.management.client.console.Console.invoke_task(Unknown Source) >> at com.netscape.management.client.console.Console.authenticate_user(Unknown >> Source) >> at com.netscape.management.client.console.Console.<init>(Unknown Source) >> at com.netscape.management.client.console.Console.main(Unknown Source)certain >> >> So it accepts the admin certificate fine but then shows an empty selection box >> for a certificate ? > Not sure what it means by "invalid algorithm" but it looks as though > that is the root cause. The console doesn't know what to do with that > error, so it asks you to select another cert, which is just a > distraction at that point. Please open a ticket. Hmm, but that "invalid algorithm" message only appeared when I clicked on continue with no certificate showing in the selection dropdown list. The admin certificate was accepted fine and then it showed the empty selection list. > > >> Thanks, Phil >> >> ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins(a)redhat.com wrote: >> >>> On 01/04/2016 01:11 AM, Phil Daws wrote: >>>> Any thoughts on this please ? >>>> >>>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote: >>>> >>>>> Hello, >>>>> >>>>> Have now got to the point where it says "Select a certificate to authenticate" >>>>> yet the drop down box is empty. >>> Can you run the console with -D 9 -f console.log, then check console.log >>> to remove any sensitive information, then post that to this list? The >>> easiest way to do this is to make a copy of the .bat file that runs the >>> console, then add those arguments to the command line in the copy of the >>> .bat file. >>> >>> I'm assuming you have not configured the admin server/directory server >>> to require client cert authentication. If you don't know, then you >>> probably haven't. >>> >>>>> If I check the NSS database it looks okay ? >>>>> >>>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and >>>>> Settings\pmdaws\.389-console" -L >>>>> >>>>> Certificate Nickname Trust Attributes >>>>> SSL,S/MIME,JAR/XPI >>>>> >>>>> LAB CA Certificate CT,, >>>>> Phil Daws p,p,p >>>>> >>>>> Seems as though the console is not picking them up :( >>>>> >>>>> Thanks, Phil >>>>> ----- On 15 Dec, 2015, at 20:35, Noriko Hosoi nhosoi(a)redhat.com wrote: >>>>> >>>>>> On 12/15/2015 11:40 AM, Phil Daws wrote: >>>>>>> Hello, >>>>>>> >>>>>>> Unfortunately I do not have a console under Fedora/RHEL. >>>>>>> >>>>>>> I can log into the Administration console fine, but when I click on Server >>>>>>> Group, and then double click on the Directory Server it prompts me for the >>>>>>> Distinguished name and password. The status is showing as: >>>>>>> >>>>>>> Server status: Stopped >>>>>>> Port: 636 >>>>>>> >>>>>>> The ports are listening fine: >>>>>>> >>>>>>> Active Internet connections (only servers) >>>>>>> Proto Recv-Q Send-Q Local Address Foreign Address State >>>>>>> PID/Program name >>>>>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN >>>>>>> 301/sshd >>>>>>> tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN >>>>>>> 1261/httpd >>>>>>> tcp6 0 0 :::22 :::* LISTEN >>>>>>> 301/sshd >>>>>>> tcp6 0 0 :::636 :::* LISTEN >>>>>>> 1196/ns-slapd >>>>>>> tcp6 0 0 :::389 :::* LISTEN >>>>>>> 1196/ns-slapd >>>>>>> >>>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the >>>>>>> console :( >>>>>>> >>>>>>> Any thoughts please ? >>>>>> Not sure yet, but did you have a chance to see this section? >>>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss... >>>>>>> Thanks, Phil >>>>>>> >>>>>>> >>>>>>> >>>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote: >>>>>>> >>>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote: >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect >>>>>>>>> too the Administration panel and double click on the Directory Server it just >>>>>>>>> hangs. The CA certificate has been imported using: >>>>>>>>> >>>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and >>>>>>>>> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i >>>>>>>>> d:\Downloads\CA-chain.pem -a >>>>>>>>> >>>>>>>>> Am I missing something obvious please ? >>>>>>>>> >>>>>>>>> Thanks, Phil >>>>>>>>> >>>>>>>>> -- >>>>>>>>> 389 users mailing list >>>>>>>>> 389-users@%(host_name)s >>>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>>> Administration URL starts with https? >>>>>>>> >>>>>>>> If you use Console on Fedora/RHEL, you have no problem? >>>>>>>> >>>>>>>> Thanks. >>>>>>>> -- >>>>>>>> 389 users mailing list >>>>>>>> 389-users@%(host_name)s >>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>> -- >>>>>>> 389 users mailing list >>>>>>> 389-users@%(host_name)s >>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users@%(host_name)s >>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>> -- >>>>> 389 users mailing list >>>>> 389-users@%(host_name)s >>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>> -- >>>> 389 users mailing list >>>> 389-users@%(host_name)s >>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>> -- >>> 389 users mailing list >>> 389-users@%(host_name)s >>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >> -- >> 389 users mailing list >> 389-users@%(host_name)s >> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Hello Noriko,

Same problem unfortunately :(

Thanks, Phil

----- On 4 Jan, 2016, at 20:54, Noriko Hosoi <nhosoi(a)redhat.com&gt; wrote:

> Hello Phil,

> We are working on the issue, but not sure what the root cause is yet.

> If you could try the new installer I have just uploaded, it would be a > big help for us. (Please note that the version remains the same 1.1.15.) > http://www.port389.org/docs/389ds/download.html#windows-console

> Thank you, > --noriko

> On 01/04/2016 09:22 AM, Phil Daws wrote:

>> ----- On 4 Jan, 2016, at 16:45, Rich Megginson rmeggins(a)redhat.com wrote:

>>> On 01/04/2016 09:23 AM, Phil Daws wrote:

>>>> Hello Rich,

>>>> Have ran in debug mode and connected to the admin interface which has been >>>> secured with a cert:

>>>> {SUBJECT_DN=CN=ads01-admin.lab, SUBJECT={CN=ads01-admin}, >>>> SERIAL=8741097289627376099, AFTERDATE=Tue Dec 19 14:05:35 2017, >>>> ISSUER={CN=LAB-CA, O=LAB, C=GB}, SIGNATURE=SHA256withRSA, BEFOREDATE=Sun Dec 20 >>>> 14:05:35 2015, KEYTYPE=RSA, REASONS={}, VERSION=3, ISSUER_DN=C=GB, O=LAB, >>>> CN=LAB-CA} >>>> JButtonFactory: button width = 54 >>>> JButtonFactory: button height = 20 >>>> JButtonFactory: button width = 54 >>>> JButtonFactory: button height = 20 >>>> JButtonFactory: button width = 72 >>>> JButtonFactory: button height = 20 >>>> JButtonFactory: button width = 72 >>>> JButtonFactory: button height = 20 >>>> JButtonFactory: button width = 54 >>>> JButtonFactory: button height = 20 >>>> JButtonFactory: button width = 72certain >>>> HttpsChannel::select(...) - SELECT CERTIFICATE >>>> Unable to create ssl socket >>>> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8186) >>>> security library: invalid algorithm. >>>> at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method) >>>> at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source) >>>> at com.netscape.management.client.comm.CommManager.send(Unknown Source) >>>> at com.netscape.management.client.comm.HttpManager.get(Unknown Source) >>>> at com.netscape.management.client.console.Console.invoke_task(Unknown Source) >>>> at com.netscape.management.client.console.Console.authenticate_user(Unknown >>>> Source) >>>> at com.netscape.management.client.console.Console.<init>(Unknown Source) >>>> at com.netscape.management.client.console.Console.main(Unknown Source)certain

>>>> So it accepts the admin certificate fine but then shows an empty selection box >>>> for a certificate ? >>> Not sure what it means by "invalid algorithm" but it looks as though >>> that is the root cause. The console doesn't know what to do with that >>> error, so it asks you to select another cert, which is just a >>> distraction at that point. Please open a ticket. >> Hmm, but that "invalid algorithm" message only appeared when I clicked on >> continue with no certificate showing in the selection dropdown list. The admin >> certificate was accepted fine and then it showed the empty selection list.

Thanks, Phil

>>>> ----- On 4 Jan, 2016, at 15:50, Rich Megginson rmeggins(a)redhat.com wrote:

>>>>> On 01/04/2016 01:11 AM, Phil Daws wrote:

>>>>>> Any thoughts on this please ?

>>>>>> ----- On 20 Dec, 2015, at 16:02, Phil Daws uxbod(a)splatnix.net wrote:

>>>>>>> Hello,

>>>>>>> Have now got to the point where it says "Select a certificate to authenticate" >>>>>>> yet the drop down box is empty. >>>>> Can you run the console with -D 9 -f console.log, then check console.log >>>>> to remove any sensitive information, then post that to this list? The >>>>> easiest way to do this is to make a copy of the .bat file that runs the >>>>> console, then add those arguments to the command line in the copy of the >>>>> .bat file.

>>>>> I'm assuming you have not configured the admin server/directory server >>>>> to require client cert authentication. If you don't know, then you >>>>> probably haven't.

>>>>>>> If I check the NSS database it looks okay ?

>>>>>>> D:\Scratch\firefox_add-certs\bin>certutil.exe -d "c:\Documents and >>>>>>> Settings\pmdaws\.389-console" -L

>>>>>>> Certificate Nickname Trust Attributes >>>>>>> SSL,S/MIME,JAR/XPI

>>>>>>> LAB CA Certificate CT,, >>>>>>> Phil Daws p,p,p

>>>>>>> Seems as though the console is not picking them up :(

Thanks, Phil

>>>>>>>> On 12/15/2015 11:40 AM, Phil Daws wrote:

>>>>>>> Hello,

>>>>>>>>> Unfortunately I do not have a console under Fedora/RHEL.

>>>>>>>>> I can log into the Administration console fine, but when I click on Server >>>>>>>>> Group, and then double click on the Directory Server it prompts me for the >>>>>>>>> Distinguished name and password. The status is showing as:

>>>>>>>>> Server status: Stopped >>>>>>>>> Port: 636

>>>>>>>>> The ports are listening fine:

>>>>>>>>> Active Internet connections (only servers) >>>>>>>>> Proto Recv-Q Send-Q Local Address Foreign Address State >>>>>>>>> PID/Program name >>>>>>>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN >>>>>>>>> 301/sshd >>>>>>>>> tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN >>>>>>>>> 1261/httpd >>>>>>>>> tcp6 0 0 :::22 :::* LISTEN >>>>>>>>> 301/sshd >>>>>>>>> tcp6 0 0 :::636 :::* LISTEN >>>>>>>>> 1196/ns-slapd >>>>>>>>> tcp6 0 0 :::389 :::* LISTEN >>>>>>>>> 1196/ns-slapd

>>>>>>>>> So am guessing it's probably due to when I enabled "Secure Connection" in the >>>>>>>>> console :(

>>>>>>>>> Any thoughts please ? >>>>>>>> Not sure yet, but did you have a chance to see this section? >>>>>>>> http://www.port389.org/docs/389ds/howto/howto-ssl.html#admin-server-tlsss...

Thanks, Phil

>>>>>>>>> ----- On 15 Dec, 2015, at 19:01, Noriko Hosoi nhosoi(a)redhat.com wrote:

>>>>>>>>>> On 12/15/2015 09:51 AM, Phil Daws wrote:

>>>>>>> Hello,

>>>>>>>>>>> I have 389 up and running in my lab, with encryption enabled, but when I connect >>>>>>>>>>> too the Administration panel and double click on the Directory Server it just >>>>>>>>>>> hangs. The CA certificate has been imported using:

>>>>>>>>>>> d:\Scratch\firefox_add-certs\bin>certutil -A -d "C:\Documents and >>>>>>>>>>> Settings\phild\.389-console" -n "CA Certificate" -t CT,, -i >>>>>>>>>>> d:\Downloads\CA-chain.pem -a

>>>>>>>>>>> Am I missing something obvious please ?

Thanks, Phil

>>>>>>>>>>> -- >>>>>>>>>>> 389 users mailing list >>>>>>>>>>> 389-users@%(host_name)s >>>>>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>>>>> Administration URL starts with https?

>>>>>>>>>> If you use Console on Fedora/RHEL, you have no problem?

>>>>>>>>>> Thanks. >>>>>>>>>> -- >>>>>>>>>> 389 users mailing list >>>>>>>>>> 389-users@%(host_name)s >>>>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>>>> -- >>>>>>>>> 389 users mailing list >>>>>>>>> 389-users@%(host_name)s >>>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>>> -- >>>>>>>> 389 users mailing list >>>>>>>> 389-users@%(host_name)s >>>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>>> -- >>>>>>> 389 users mailing list >>>>>>> 389-users@%(host_name)s >>>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users@%(host_name)s >>>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>>> -- >>>>> 389 users mailing list >>>>> 389-users@%(host_name)s >>>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>>> -- >>>> 389 users mailing list >>>> 389-users@%(host_name)s >>>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >>> -- >>> 389 users mailing list >>> 389-users@%(host_name)s >>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org >> -- >> 389 users mailing list >> 389-users@%(host_name)s >> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org