[Fedora-directory-users] question about SSL configuration with IP takeover HA setup

Richard Megginson rmeggins at redhat.com
Fri Sep 21 20:31:43 UTC 2007


Ryan Braun wrote:
> On Friday 21 September 2007 18:27, Richard Megginson wrote:
>   
>>> Rather then run the script,  I tried to run it for one example first
>>>
>>> eastldap0:/opt/fedora-ds/alias# ../shared/bin/certutil -d . -S -n
>>> "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t
>>> "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z
>>> noise.txt -f pwdfile.txt
>>> Generating key.  This may take a few moments...
>>> eastldap0:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -o
>>> eastldap1.test.com.p12 -n "Server-Cert-eastdap1" -k pwdfile.txt -w
>>> pwdfile.txt
>>> pk12util-bin: PKCS12 EXPORT SUCCESSFUL
>>>
>>> So at this point I had the .p12 file and the existing cacert.asc created,
>>>  and sent them over to eastldap1.
>>>
>>>       
>>>> For all of the commands listed above, you may have to specify -P
>>>> slapd-instance- if you are not using cert8.db and key3.db.
>>>>
>>>> Then, copy each file $server.p12 to that $server, along with the
>>>> cacert.asc file
>>>> Then, on each server:
>>>> cd /opt/fedora-ds/alias
>>>> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w
>>>> pwdfile.txt -k pwdfile.txt
>>>> # the -w argument is the file containing the password used to encrypt
>>>> the .p12 file
>>>> # the -k argument is the file containing the password for the new key
>>>> database
>>>> # you may use a different password for -k here - this is the same
>>>> password used
>>>> # in your slapd-instance-pin.txt file
>>>>
>>>> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t
>>>> "CT,," -a -i cacert.asc
>>>>
>>>> # this imports your CA cert
>>>>         
>>> Now the importing,
>>>
>>> eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P
>>> slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k
>>> pwdfile.txt
>>> pk12util-bin: PKCS12 IMPORT SUCCESSFUL
>>> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P
>>> slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
>>>
>>>
>>> Send over enable ssl ldif
>>>
>>> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory
>>> manager" -W -f ssl_enable.ldif
>>> Enter LDAP Password:
>>> modifying entry "cn=encryption,cn=config"
>>>
>>> modifying entry "cn=config"
>>> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory
>>> manager" -W -f addrsa.ldif
>>> Enter LDAP Password:
>>> adding new entry "cn=RSA,cn=encryption,cn=config"
>>>
>>> But when I restart slapd on eastldap1
>>>
>>> Enter PIN for Internal (Software) Token:
>>> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't
>>> find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config
>>> (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable
>>> to retrieve private key for cert Server-Cert of family
>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
>>> security library: bad database.)
>>> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>>>
>>> Did I miss importing a private key from somewhere?  Do I need to use the
>>> cacert.pfx I created in the basic steps?
>>>       
>> No.  I think the problem is that the name of the server cert in the cert
>> db is Server-Cert-$server not Server-Cert.  I thought there was an
>> option to pk12util to import it and rename it, but apparently not.  To
>> find out what the server cert name is:
>> cd /opt/fedora-ds/alias
>> ../shared/bin/certutil -L -d . -P slapd-eastldap1-
>> I'm assuming it will be Server-Cert-$server
>> Unless someone knows an easy way to rename it, you can just tell slapd
>> to use the new name.
>> stop-slapd
>> edit dse.ldif - look for Server-Cert and change it to whatever the
>> actual name of your server cert is (Server-Cert-$server)
>> save and start-slapd
>>
>>     
>
> Thanks for the help! The modifying of dse.ldif did the trick and it all
> seems to be working.
>
> Now what in the process would I have to change in order to be able to generate 
> the certs with a Server-Cert-$server nickname and have fds recognize the 
> proper name,  without having to edit dse.ldif for each box?
>   
I'm not sure.  There's probably a way to use pk12util to export/import a 
cert with a different name, or use certutil to change the name, but I 
just don't know.
> Ryan
>
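The failure in this thread is a nickname mismatch: dse.ldif's `nsSSLPersonalitySSL` says `Server-Cert`, while the certificate that pk12util imported is named `Server-Cert-$server`, so slapd cannot find the certificate or its private key at startup. The following script is an added example written for this archive page, not code from the thread or from Fedora Directory Server. It parses a `certutil -L` listing and the `cn=RSA,cn=encryption,cn=config` entry of a dse.ldif fragment, reports any personality whose nickname is missing from the certificate database or whose trust flags carry no `u` (meaning the database holds no private key for it), and applies the fix Richard suggested by rewriting the nickname in the LDIF. Both inputs are constructed samples modelled on the thread, not captured output; in practice you would feed it the real `certutil -L -d . -P slapd-instance-` output and dse.ldif before restarting slapd.

```python
import re

# Constructed sample of `certutil -L -d . -P slapd-eastldap1-` output after the
# pk12util import and the CA import described in the thread (not real output).
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert-eastldap1                                        u,u,u
"""

# Constructed dse.ldif fragment: the personality still names "Server-Cert",
# which is the mismatch behind the "Can't find certificate" alert in the thread.
DSE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: on

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
"""


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} from `certutil -L` output.

    The two header lines and the blank line after them are skipped; nicknames
    may contain spaces, so the split is on the run of spaces before the flags.
    """
    certs = {}
    entries_started = False
    for line in text.splitlines():
        if not entries_started:
            entries_started = line.strip() == ""
            continue
        m = re.match(r"^(.*?)\s{2,}([CTcPpuw,]*)$", line.rstrip())
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_ldif(text):
    """Minimal LDIF reader: one dict of lower-cased attribute -> [values] per entry.

    Lines starting with a space are folded continuations of the previous line.
    """
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
            continue
        if raw == "":
            if lines:
                entry = {}
                for line in lines:
                    key, _, value = line.partition(":")
                    entry.setdefault(key.lower(), []).append(value.strip())
                entries.append(entry)
                lines = []
            continue
        lines.append(raw)
    return entries


def check_ssl_personalities(certutil_text, ldif_text):
    """Return a list of problems; an empty list means slapd should find its cert and key."""
    certs = parse_certutil_listing(certutil_text)
    problems = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        for nick in entry.get("nssslpersonalityssl", []):
            if nick not in certs:
                problems.append(
                    f"{dn}: nickname '{nick}' not in cert db; available: {sorted(certs)}")
            elif "u" not in certs[nick]:
                # No 'u' flag means the database has no private key for this cert.
                problems.append(
                    f"{dn}: '{nick}' has trust '{certs[nick]}' and no private key")
    return problems


def rewrite_personality(ldif_text, old_nick, new_nick):
    """Apply the fix from the thread: point nsSSLPersonalitySSL at the real nickname."""
    pattern = re.compile(
        r"^(nsSSLPersonalitySSL:\s*)" + re.escape(old_nick) + r"\s*$",
        re.MULTILINE | re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + new_nick, ldif_text)


if __name__ == "__main__":
    for problem in check_ssl_personalities(CERTUTIL_LISTING, DSE_LDIF):
        print("PROBLEM:", problem)
    fixed = rewrite_personality(DSE_LDIF, "Server-Cert", "Server-Cert-eastldap1")
    print("after fix:", check_ssl_personalities(CERTUTIL_LISTING, fixed) or "OK")
```

The check runs against files, so it can be done with slapd stopped and before the restart that would otherwise log the `-8174` alerts. On the renaming question at the end of the thread: later NSS releases added a `certutil --rename` option for changing a nickname in place, which the participants here did not have at hand; with it, the certificate can be renamed to match dse.ldif instead of the other way round.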
