[Fedora-directory-users] Trying to follow the howto ssl from wiki

Edward Capriolo edlinuxguru at gmail.com
Fri Jun 20 19:40:52 UTC 2008


I was attempting to follow http://directory.fedoraproject.org/wiki/Howto:SSL
I first ran the script
http://directory.fedoraproject.org/download/setupssl2.sh. After
completing, fds would not start. I rein
I eventually ended up reading the script and running every operation
step by step. That was quite an ordeal. All the steps ran, however, with no
errors.

[root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
Starting dirsrv:
    ldapslave1...Warning: Incorrect PIN may result in disabling the token
Enter PIN for Internal (Software) Token:

I replaced the data inside pin.txt with :

Internal (Software) Token:dirserv_cert_password

But I am still getting the same message. Is this just a bogus message?
Could the problem be elsewhere?


Thanks in advance.
(ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
(w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > /etc/dirsrv/slapd-ldapslave1/noise.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt
certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db
chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db
certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc
pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- -n "Server-Cert" -s "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d /etc/dirsrv/slapd-ldapslave1/ -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

certutil -S -P new- -n "server-cert" -s "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-ldapslave1/ -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12
chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12

cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > /etc/dirsrv/slapd-ldapslave1/pin.txt

chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt

mv /etc/dirsrv/slapd-ldapslave1/cert8.db /etc/dirsrv/slapd-ldapslave1/orig-cert8.db
mv /etc/dirsrv/slapd-ldapslave1/key3.db /etc/dirsrv/slapd-ldapslave1/orig-key3.db

certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db

pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt

certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc

cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > /etc/dirsrv/slapd-ldapslave1/password.conf

chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf
chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf

sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog file:/etc/dirsrv/slapd-ldapslave1/password/conf

mv /etc/dirsrv/slapd-ldapslave1/new-key3.db /etc/dirsrv/slapd-ldapslave1/key3.db
mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db /etc/dirsrv/slapd-ldapslave1/cert8.db


ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF


[root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
Starting dirsrv:
    ldapslave1...Warning: Incorrect PIN may result in disabling the token
Enter PIN for Internal (Software) Token:

Any hints thanks!
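Added example (not part of the post above, and not code from the Fedora Directory Server project or the Howto:SSL wiki): a small POSIX sh pre-flight check for the pin file that dirsrv reads at startup. The post shows the key database being created with the password in pwdfile.txt (certutil -N -f) and the pin file written in the form "Internal (Software) Token:<password>"; when the server prompts "Enter PIN for Internal (Software) Token" it has not been able to use that file. The functions below parse the "token:password" line, check that the password half is the same string pwdfile.txt holds, check that the file is not group/world readable, and, only when certutil is installed, try to open the key database with that password (certutil -K -f exits non-zero on a wrong password). The instance paths are the ones from the post; the function names, the default prefix "new-", and the GNU stat -c usage are assumptions of this example. Usage: sh pincheck.sh /etc/dirsrv/slapd-ldapslave1

```shell
#!/bin/sh
# Added example: sanity-check an NSS pin file before starting dirsrv.
# Not from the original post or the Fedora Directory Server project.

# pin_token "<line>"    -> the token name, i.e. everything before the first colon
pin_token() {
    printf '%s\n' "$1" | sed 's/:.*$//'
}

# pin_password "<line>" -> the password, i.e. everything after the first colon
# (a password that itself contains colons is preserved intact)
pin_password() {
    printf '%s\n' "$1" | sed 's/^[^:]*://'
}

# check_pin_format FILE
#   0: first line is "Internal (Software) Token:<non-empty password>"
#   1: file unreadable   2: wrong/missing token name   3: empty password
check_pin_format() {
    line=$(head -n 1 "$1" 2>/dev/null) || return 1
    [ "$(pin_token "$line")" = "Internal (Software) Token" ] || return 2
    [ -n "$(pin_password "$line")" ] || return 3
    return 0
}

# check_pin_matches PINFILE PWDFILE
#   0 when the password in the pin file equals the first line of the
#   password file the key database was created with (certutil -N -f)
check_pin_matches() {
    pinpw=$(pin_password "$(head -n 1 "$1")")
    dbpw=$(head -n 1 "$2")
    [ "$pinpw" = "$dbpw" ]
}

# check_pin_perms FILE -> 0 only for mode 400 or 600 (GNU stat assumed)
check_pin_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# verify_with_certutil DBDIR PREFIX PINFILE
#   Tries to list the private keys using the pin-file password. Skipped
#   (returns 0 with a message) when certutil is not on the PATH.
verify_with_certutil() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed; skipping key-database unlock test"
        return 0
    fi
    tmp=$(mktemp) || return 1
    pin_password "$(head -n 1 "$3")" > "$tmp"
    certutil -K -d "$1" -P "$2" -f "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# run_checks INSTDIR [PREFIX] -> prints one line per check, exit 0 only if all pass
run_checks() {
    inst=$1
    prefix=${2:-new-}          # assumed prefix, matching the post's "-P new-"
    pin=$inst/pin.txt
    pwdf=$inst/pwdfile.txt
    status=0
    check_pin_format "$pin"            && echo "format:  ok" || { echo "format:  FAIL (rc=$?)"; status=1; }
    check_pin_matches "$pin" "$pwdf"   && echo "match:   ok" || { echo "match:   FAIL (pin password != pwdfile.txt)"; status=1; }
    check_pin_perms "$pin"             && echo "perms:   ok" || { echo "perms:   FAIL (expected mode 400 or 600)"; status=1; }
    verify_with_certutil "$inst" "$prefix" "$pin" && echo "unlock:  ok" || { echo "unlock:  FAIL (password does not open key db)"; status=1; }
    return $status
}

# Run only when an instance directory is given on the command line.
if [ $# -ge 1 ]; then
    run_checks "$@"
    exit $?
fi
```

A pin file that holds just the bare password (the "cat pwdfile.txt > pin.txt" step) fails check_pin_format with code 2, and a pin file with the right token name but a password that is not the one in pwdfile.txt fails check_pin_matches; both are the two mismatches this kind of PIN prompt usually comes down to, and the checks can be re-run after every edit to the file without restarting the server.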



