----- On 14 Dec, 2015, at 22:01, William Brown wibrown(a)redhat.com wrote:
On Mon, 2015-12-14 at 15:23 +0000, Phil Daws wrote:
> Hello,
>
> Am trying to enable SSL on my 389 lab instance but having real
> issues.
>
> I imported the CA certificate chain, created a CSR, signed and
> installed the certificate. Then went into Directory Server ->
> Configuration and enabled SSL. Restarted the directory server but now
> get this error in the log:
>
> [12/Dec/2015:11:51:02 +0000] - SSL alert: Security Initialization:
> Unable to authenticate (Netscape Portable Runtime error -8177 - The
> security password entered is incorrect.)
> [12/Dec/2015:11:51:02 +0000] - ERROR: SSL Initialization Failed.
> Disabling SSL.
>
>
> When I issue systemctl restart dirsrv@lab389 it does not prompt for a
> password, and if I create a pin.txt that does not work. Yet if I use
> certutil that all looks good:
>
> [root@ads01 slapd-lab389]# certutil -d /etc/dirsrv/slapd-lab389/ -K
> certutil: Checking token "NSS Certificate DB" in slot "NSS User
> Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> < 0> rsa 725d885b5d0a1ce92babc48d230108e46dd44866 server-cert
>
Okay, lets go through my standard SSL checklist:
First, check cn=config: nsslapd-certdir
Does the value match where you have put your certificates?
Now, check cn=config: nsslapd-security=on
Do a certutil -d /path -L. Write down the alias name of the cert. I
call mine Server-Cert
Next, check cn=RSA,cn=encryption,cn=config. My template is:
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert #Should match your -L output
nsSSLActivation: on
nsSSLToken: internal (software) # Write this down!!!
cn: RSA
Now, check your pin.txt. It should be in the folder listed in
nsslapd-certdir, and the line should be title casing of the line
nsSSLToken with the word " Token" after it. For example:
from dse.ldif
nsSSLToken: internal (software)
pin.txt
Internal (Software) Token:<pin>
Finally, make sure the <pin> can be used to look at the certs:
certutil -d /path -K
In my experience I tend to see most mistakes are in cn=RSA, so it's
well worth checking this to make sure it all looks correct. There are
gaps in the documentation around the ssl section, so I hope this helps.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
Thank you William this appears to be working now :)