On 8/14/22 11:10 AM, Daniel Bird wrote:
>> I will report back any issues as I test.
So far, no major issues. I’ve set up a supplier replica from our CentOS 7 service running 1.3.10 from EPEL 7 and all seems well. It did require a tweak to some legacy schema files that are still hanging around from when we used the “Sun Directory Server” way back in the day; that has been the case ever since we moved from the Sun DS server and upgraded to 389. At some point I’ll clean up and remove the old data from the directory that references them.
I also had a small issue setting the SSL cert via Cockpit, where it would keep reverting to the self-signed “Server-Cert”.
What exactly were you trying to do? Were you trying to change the server certificate name to a different one?
Thanks, Mark
On reflection, it could have been because I was trying to use an expired cert, rather than the current one, but it didn’t say there was a problem. I set it manually via dse.ldif in the end.
Many thanks
Dan
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> What exactly were you trying to do? Were you trying to change the server certificate name to a different one?
Correct, I was trying to set it to use a "proper" cert issued by Let's Encrypt. I imported the Let's Encrypt cert, which I had converted to PKCS#12. Then I tried, via the Cockpit security settings, to select it from the drop-down. It was listed and let me save, but when I restarted the instance and refreshed Cockpit it reverted to “Server-Cert”. I didn’t notice anything at first in the error log, but after setting it in dse.ldif I noticed this in the errors log:
“CERT_VerifyCertificateNow: verify certificate failed for cert MyCert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired”
This made me realise I’d used the older pkcs12 I had lying about. At that point I used certutil to replace it (i.e. deleted it, and re-added it to the keystore) and restarted without issue.
I thought it may be because it was expired that it wasn't saving, but I’ve just tried doing the same thing with a new cert as a test and get the same result.
1) Convert LE to pkcs12
/usr/bin/openssl pkcs12 -export \
  -in "$LE_DIR/cert.pem" \
  -inkey "$LE_DIR/privkey.pem" \
  -out "$LE_DIR/$HOSTNAME.p12" -name "$HOSTNAME" \
  -certfile "$LE_DIR/chain.pem" -caname LE-CHAIN \
  -password "pass:$P12_PWD"
2) Import to keystore
pk12util -i "$LE_DIR/$HOSTNAME.p12" -d /etc/dirsrv/slapd-<INSTANCE>/ -K "$LDAP_STORE_PWD" -W "$P12_PWD"
3) At this point I can see it and select it in the Cockpit security settings, and save. But after restarting the instance, it reverts to the previous cert that was selected (MyCert).
Tailing the log at the point of saving the setting in Cockpit I have found just this:
[14/Aug/2022:22:53:08.686135019 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifiersname" is not allowed, ignoring!
[14/Aug/2022:22:53:08.687311089 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifytimestamp" is not allowed, ignoring!
[14/Aug/2022:22:53:08.687839552 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifiersname" is not allowed, ignoring!
[14/Aug/2022:22:53:08.688445652 +0100] - DEBUG - modify_config_dse - Modification of attribute "modifytimestamp" is not allowed, ignoring!
However, checking, I see the same thing when I change other settings (for example Paged Search Size Limit), but those seem to stick.
All the best,
Dan
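The thread's three steps (convert the Let's Encrypt material to PKCS#12, import it with pk12util, point the instance at the new nickname) went wrong silently because the first attempt used an expired bundle and nothing in the Cockpit flow said so until the server logged the CERT_VerifyCertificateNow failure at restart. The script below is an added example, not code from the thread or from the 389-ds project: it wraps the same openssl and pk12util calls in functions and checks the certificate's remaining validity before anything is bundled or imported. The one-day validity threshold, the LE-CHAIN nickname, and the demo paths, hostname and passwords are assumptions; the self-signed certificate it generates is constructed demo input standing in for the real Let's Encrypt files.

```shell
#!/bin/sh
# Added example (not from the thread): refuse an expired or about-to-expire
# certificate before converting it to PKCS#12 and importing it into the
# 389-ds NSS database. Paths, nickname and passwords below are assumptions.
set -eu

MIN_VALIDITY_SECS=86400   # assumption: require at least one day of validity

# cert_is_valid CERT_PEM [SECONDS]: 0 if the cert stays valid for SECONDS more.
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-$MIN_VALIDITY_SECS}" >/dev/null 2>&1
}

# cert_not_after CERT_PEM: the notAfter date, for the refusal message.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_p12 CERT KEY CHAIN NICKNAME OUT_P12 PASSWORD
# Refuses a cert that fails the validity check, otherwise writes the bundle.
# The -name value becomes the NSS nickname the instance is later pointed at.
make_p12() {
    if ! cert_is_valid "$1"; then
        echo "refusing $1: expires $(cert_not_after "$1")" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "$4" -caname LE-CHAIN -out "$5" -passout "pass:$6"
}

# import_p12 P12 NSS_DIR NSS_PWD P12_PWD: the same pk12util call as in the
# thread. Only runs where the NSS tools are installed (not needed for the demo).
import_p12() {
    command -v pk12util >/dev/null 2>&1 || { echo "pk12util not installed" >&2; return 2; }
    pk12util -i "$1" -d "$2" -K "$3" -W "$4"
}

# --- constructed demo input: a throwaway self-signed cert valid for 3 days ---
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=ldap.example.test" \
    -keyout "$DEMO_DIR/privkey.pem" -out "$DEMO_DIR/cert.pem" >/dev/null 2>&1
cp "$DEMO_DIR/cert.pem" "$DEMO_DIR/chain.pem"   # stands in for LE's chain.pem
DEMO_P12="$DEMO_DIR/ldap.example.test.p12"

# Passes the one-day policy, so the bundle is written...
make_p12 "$DEMO_DIR/cert.pem" "$DEMO_DIR/privkey.pem" "$DEMO_DIR/chain.pem" \
    ldap.example.test "$DEMO_P12" demo-p12-pw && echo "wrote $DEMO_P12"
# ...but the same cert would be refused if a week of validity were required.
cert_is_valid "$DEMO_DIR/cert.pem" 604800 || echo "would be refused under a 7-day policy"
```

On a real instance the bundle is then handed to `import_p12` with the `/etc/dirsrv/slapd-<INSTANCE>/` directory and the two passwords, exactly as in step 2 of the thread, and the nickname given to `-name` is what 389-ds reads from the nsSSLPersonalitySSL attribute under cn=RSA,cn=encryption,cn=config at startup. Running the validity check first means the operator sees the refusal on the terminal, rather than discovering the "Peer's Certificate has expired" line in the errors log after the instance has already fallen back to Server-Cert.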