[389-users] 389 certificate issues...

Marc Sauton msauton at redhat.com
Sat Oct 3 00:30:37 UTC 2009 

Trey Sheldon wrote:
> Hello all,
>
> I've been evaluating and prepping to deploy 389 for a couple months 
> now and while working on my final deployment I've run into a snag...
>
> I created two servers and successfully enabled SSL on them.  I'm 
> attempting to create a third using the exact same procedure and can't 
> seem to get SSL enabled.
>
> I used the admin-gui to install the request / install the certs and 
> roots.
>
> ##WORKING
> #certutil -L -d .
> Certificate Nickname                                         Trust 
> Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
> Metaweb Root Certificate                                     CT,,
> Metaweb Host Root Certificate                                CT,,
> server-cert                                                  u,u,u
>
> # certutil -L -d . -n server-cert
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 88 (0x58)
>         Signature Algorithm: PKCS #1 MD5 With RSA Encryption
>     Issuer: ........ <full certificate>
>
> ## NOT WORKING
> # certutil -L -d .
> Certificate Nickname                                         Trust 
> Attributes
>                                                              
> SSL,S/MIME,JAR/XPI
> Metaweb Root Certificate                                     CT,,
> Metaweb Host Root Certificate                                CT,,
> server-cert                                                  u,u,u
>
> # certutil -L -d . -n server-cert
> certutil: Could not find: server-cert
> : security library: bad database.
>
It means the nick-name provided to certutil does not exist in the NSS db.
Aside cert8.db, key3.db, secmod.db files and directory permissions, 
reading the 2 root certificates from this specific NSS db directory for 
sanity check, is it possible the string "server-cert" that you expect 
for the nickname was stored with some extra spaces appended to it?...
Is the cert visible in the console?
Any specific errors in the console when you try to install the cert or 
enable SSL?
>
> These systems are automatically deployed and configured and should 
> have identical package revisions and configurations.  I'm at a blank 
> to what is causing the problem.   Any insight that people have would 
> be *greatly* appreciated.
>
> Sincerely,
> Trey SHeldon
>
> -- 
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

More information about the Fedora-directory-users mailing list