[Freeipa-users] IPA server certificate update and "Directory Manager" password

Ian Stokes-Rees ijstokes at hkl.hms.harvard.edu
Fri Jan 21 19:35:41 UTC 2011


Some good news: turning off security has the Directory Server starting
up properly.  If the directory server is only accessible within our
small intranet, can we safely run it without security enabled?  If this
is theoretically possible, it looks like the trick will be to change the
IPA config for Apache to allow non-SSL access...

Also, is there any scope to dump the current directory contents and
start from scratch?  I feel like I may be near the point where that is
easier.

The main sticking point now is step 5 where "certutil -R -k 'NSS
Certificate DB:Server-Cert' ... " fails because the value specified for
the -k argument is invalid (or there is some other problem with the
certificate DB).

More details below.

> Yes, that was going to be my next question. While throwing any old
> self-signed cert in there might get the server up other things won't
> work, notably replication.

I'm having trouble with accessing the certificate DB.  When I try to
connect I'm asked for a password:

# certutil -K -d /etc/dirsrv/slapd-NEBIOGRID-ORG/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":

I overwrote the "Directory Manager" password yesterday with "freeipa"
but that isn't working for this.

Also, my self signed cert (PKCS12 format) has *two* encryption passwords
(both the same): one to open the PKCS12 file, and one to access the
private key contained within the file (inherited from the PEM file). 
Should I remove the password on the private key PEM file before
generating the PKCS#12 file with the pub/priv key pair?

Or should I just abandon my self signed cert generated by OpenSSL and
persevere with getting one out of FreeIPA?

> Ok, here are some steps I worked out that I think will get you back in
> business. I'm going to try to renew your 389-ds certificate using IPA.
>
> First we need to get 389-ds back up and running.
>
> I'm going to use REALM in place of the instance name for your 389-ds
> install.
>
> 1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
> 2. Make a backup of your dirsrv NSS database (so
> /etc/dirsrv/slapd-REALM/*.db)
> 2. Edit dse.ldif and set nsslapd-security to off
> 3. Try starting dirsrv: service dirsrv start REALM
> 4. Get a kerberos ticket for admin: kinit admin
> 5. Generate a new CSR for your directory server:
> certutil -R -k 'NSS Certificate DB:Server-Cert' -s
> 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f
> /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr

FAILS - it appears it doesn't know anything about 'NSS Certificate
DB:Server-Cert'

# certutil -R -k 'NSS Certificate DB:Server-Cert' -s
'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-NEBIOGRID-ORG/
-f /etc/dirsrv/slapd-NEBIOGRID-ORG/pwdfile.txt -a > renew.csr
certutil: NSS Certificate DB:Server-Cert is neither a key-type nor a
nickname: security library: bad database.

The DB files and password file all seem to be there, so I'm not sure
what "bad database" means:

# ls -Fla /etc/dirsrv/slapd-NEBIOGRID-ORG/*.{db,txt}
-rw-------. 1 root   root 65536 Jan 10 13:35
/etc/dirsrv/slapd-NEBIOGRID-ORG/cert8.db
-rw-------. 1 root   root 16384 Jan 10 13:35
/etc/dirsrv/slapd-NEBIOGRID-ORG/key3.db
-r--------. 1 dirsrv root    90 Jul 21  2010
/etc/dirsrv/slapd-NEBIOGRID-ORG/pin.txt
-rw-------. 1 dirsrv root    77 Jan 10 13:35
/etc/dirsrv/slapd-NEBIOGRID-ORG/pwdfile.txt
-rw-------. 1 root   root 16384 Jan 10 13:35
/etc/dirsrv/slapd-NEBIOGRID-ORG/secmod.db

> 6. Get a new certificate:
> ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab
>
> 7. Paste the value in the output for Certificate into a file. This is
> a base64-encoded blob of text probably starting with MII and ending
> with ==.

Since I can't get this far, I don't know if this is going to be the
private key or public key, or both (one after the other).

> 8. Add this new cert to your 389-ds database
> certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a <
> cert.txt

So I tried doing this, but using the full text output of my self-signed
PKCS#12 file with the base64 encoded public and private keys (since I
can't run the "certutil" or "ipa cert-request" commands).  It didn't
complain, but I also don't think it exactly worked.  Also, does this
somehow link to the cert used by Apache httpd?

> 9. service dirsrv stop REALM
> 10. edit dse.ldif and set nsslapd-security to on
> 11. service dirsrv start REALM

Can't restart dirsrv after turning nsslapd-security back on.  Similar
errors to before:

/var/log/dirsrv/slapd-NEBIOGRID-ORG/errors

[21/Jan/2011:14:30:53 -0500] - SSL alert: Security Initialization: Can't
find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config
(Netscape Portable Runtime error -8174 - security library: bad database.)
[21/Jan/2011:14:30:53 -0500] - SSL alert: Security Initialization:
Unable to retrieve private key for cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[21/Jan/2011:14:30:53 -0500] - SSL failure: None of the cipher are valid
[21/Jan/2011:14:30:53 -0500] - ERROR: SSL Initialization phase 2 Failed.

TIA for any advice on next steps.

Ian
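The quoted steps 1 to 11, as one script, is an added example and not code from the thread or from FreeIPA itself. It wires the procedure together and adds the two checks worth running before the `certutil -R` in step 5: that the nickname dse.ldif points at (nsSSLPersonalitySSL, which the errors log above shows as Server-Cert) exists in cert8.db, and that a private key for it exists in key3.db. Note that certutil asks for the NSS database password, which is what `-f pwdfile.txt` supplies in step 5; the Directory Manager password is unrelated to it. Assumptions not on the page: `ipa cert-request` prints the certificate on a line of the form `  Certificate: <base64>`, the sample output embedded below is constructed (its base64 is not a real certificate), and the instance name and host name are passed in as arguments in place of REALM.

```shell
#!/bin/sh
# Added example for the renewal procedure quoted above; not code from the
# thread or from FreeIPA. Assumptions (not on the page): `ipa cert-request`
# prints the certificate on a line "  Certificate: <base64>", and the
# instance name / host name are passed as arguments in place of REALM.

# Read the current nsslapd-security value from a dse.ldif (steps 2 and 10).
get_nsslapd_security() {
    sed -n 's/^nsslapd-security: *//p' "$1" | head -n 1
}

# Set nsslapd-security to on or off in place, after a timestamped backup
# (steps 1, 2 and 10). The attribute must already exist in the file.
set_nsslapd_security() {
    file=$1 value=$2
    case "$value" in
        on|off) ;;
        *) echo "value must be on or off, got '$value'" >&2; return 2 ;;
    esac
    grep -q '^nsslapd-security:' "$file" || {
        echo "no nsslapd-security attribute in $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    sed "s/^nsslapd-security: .*/nsslapd-security: $value/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# The nickname 389-ds looks up at startup: nsSSLPersonalitySSL in the
# cn=RSA,cn=encryption,cn=config entry. The errors log above reports it as
# "Can't find certificate (Server-Cert) for family cn=RSA,...".
ssl_nickname() {
    sed -n 's/^nsSSLPersonalitySSL: *//p' "$1" | head -n 1
}

# Turn `ipa cert-request` output (stdin) into a PEM certificate (stdout)
# that `certutil -A -a` accepts (steps 7 and 8). Fails when there is no
# Certificate: line, e.g. because cert-request itself failed.
cert_request_to_pem() {
    blob=$(sed -n 's/^ *Certificate: *//p' | tr -d '[:space:]')
    [ -n "$blob" ] || { echo "no Certificate: line in input" >&2; return 1; }
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$blob" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Constructed sample of cert-request output (assumed format). The base64 is
# NOT a real certificate; it only has the "MII...==" shape step 7 describes.
SAMPLE_CERT_REQUEST_OUTPUT='  Certificate: MIIBxzCCAXCgAwIBAgIJAMvq0aQfAkeQMA0GCSqGSIb3DQEBBQUAMBExDzANBgNVBAMMBnNhbXBsZQ==
  Subject: CN=nebio-directory.in.hwlab,O=IPA
  Issuer: CN=Certificate Authority,O=IPA'

# Steps 4 to 11 end to end, with the checks worth running before
# `certutil -R`: the nickname dse.ldif expects must exist in cert8.db and
# must have a private key in key3.db. certutil wants the NSS database
# password (pwdfile.txt via -f), not the Directory Manager password.
# Needs a live IPA server and root; nothing in this file calls it.
renew_dirsrv_cert() {
    inst=$1 fqdn=$2
    dir=/etc/dirsrv/slapd-$inst
    pw=$dir/pwdfile.txt
    nick=$(ssl_nickname "$dir/dse.ldif")
    [ -n "$nick" ] || { echo "no nsSSLPersonalitySSL in dse.ldif" >&2; return 1; }
    certutil -L -d "$dir" -n "$nick" > /dev/null ||
        { echo "certificate '$nick' not in $dir/cert8.db" >&2; return 1; }
    certutil -K -d "$dir" -f "$pw" | grep -q "$nick" ||
        { echo "no private key for '$nick' in $dir/key3.db" >&2; return 1; }
    kinit admin || return 1
    # -k <token>:<nickname> reuses the existing key pair for the new CSR.
    certutil -R -k "NSS Certificate DB:$nick" -s "cn=$fqdn,O=IPA" \
        -d "$dir" -f "$pw" -a > renew.csr || return 1
    ipa cert-request renew.csr --principal="ldap/$fqdn" |
        cert_request_to_pem > cert.pem || return 1
    certutil -A -d "$dir" -n "$nick" -t u,u,u -a < cert.pem || return 1
    service dirsrv stop "$inst"
    set_nsslapd_security "$dir/dse.ldif" on
    service dirsrv start "$inst"
}
```

Usage on the server would be `renew_dirsrv_cert NEBIOGRID-ORG nebio-directory.in.hwlab` after sourcing the file; the dse.ldif and cert-request helpers can be exercised on a copy of the files without touching the running instance.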
