Ian Holroyd
2007-Jan-02 15:09 UTC
[Fedora-directory-users] FDS dies on SSL - How do I rescue installation?
I have been setting up Fedora Directory Server for use with Samba PDC etc. I had most aspects of this working, with SSL transport operating correctly, having followed the HowTo. However, I have now restarted the whole system and start-slapd will not work, generating the following errors (retyped, as this email is sent from another system; excuse any typos):

[timestamp] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[timestamp] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[timestamp] - SSL failure: None of the ciphers are valid

Now, if (big if) I am reading this correctly, this means that it has failed to find the certificate named Server-Cert. I believe that this may be as a result of me having 'used my initiative' and changed all references to 'Server-Cert' in the HowTo to a personalised version of this (i.e. I created the certs with my own names).

Start-admin fails without leaving any message (I assume because it can't read config information from the LDAP server).

The problem, however, is that ALL documentation I have found on how to solve problems like this (or indeed delete and start over) refers to either using the console (which I cannot start without my slapd instance running) or utilities like certutil, which appear to fail for the same reason.

If I understand this correctly, I am in a catch-22: I cannot start the LDAP server until I change the config, but I cannot change the config without the LDAP directory being available. So, is there ANY way to start FDS without SSL support (which I don't need right now anyway!) so that I can put right the damage I have done, by following the HowTo properly this time???

If not, is there any way to reinstall / reconfigure without scrapping my data (which took some time to build)?

Thanks for any thoughts,

Ian Holroyd
Ulf Weltman
2007-Jan-02 19:08 UTC
Re: [Fedora-directory-users] FDS dies on SSL - How do I rescue installation?
Ian Holroyd wrote:
> I have been setting up Fedora Directory Server for use with Samba PDC etc. I had most aspects of this working, with SSL transport operating correctly, having followed the HowTo.
>
> However, I have now restarted the whole system and start-slapd will not work, generating the following errors (retyped, as this email is sent from another system; excuse any typos):
> [timestamp] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [timestamp] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [timestamp] - SSL failure: None of the ciphers are valid
>
> Now, if (big if) I am reading this correctly, this means that it has failed to find the certificate named Server-Cert. I believe that this may be as a result of me having 'used my initiative' and changed all references to 'Server-Cert' in the HowTo to a personalised version of this (i.e. I created the certs with my own names).
>
> Start-admin fails without leaving any message (I assume because it can't read config information from the LDAP server).
>
> The problem, however, is that ALL documentation I have found on how to solve problems like this (or indeed delete and start over) refers to either using the console (which I cannot start without my slapd instance running) or utilities like certutil, which appear to fail for the same reason.
>
> If I understand this correctly, I am in a catch-22: I cannot start the LDAP server until I change the config, but I cannot change the config without the LDAP directory being available. So, is there ANY way to start FDS without SSL support (which I don't need right now anyway!) so that I can put right the damage I have done, by following the HowTo properly this time??? If not, is there any way to reinstall / reconfigure without scrapping my data (which took some time to build)?

The slapd configuration DSE is backed by a flat file which you can edit if the server is not running. Change nsslapd-security to off in the cn=config entry in /opt/fedora-ds/slapd-instance/config/dse.ldif to get it started, or set the nsSSLPersonalitySSL attribute to match your certificate nickname in the cn=RSA,cn=encryption,cn=config entry (should match the one displayed with certutil -L).

> Thanks for any thoughts,
>
> Ian Holroyd
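The two offline fixes described in the reply above (turn nsslapd-security off in cn=config, or point nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config at the nickname certutil -L really lists), worked as an entry-aware edit of dse.ldif rather than a blind search-and-replace. This is an added example, not code from the thread or from the Fedora/389 Directory Server project; SAMPLE_DSE is a constructed, heavily trimmed dse.ldif fragment and the nickname ldap-example-cert is made up for illustration.

```python
"""Offline edit of a Fedora/389 DS dse.ldif (added example, not project code).
Edit only while slapd is stopped: the server rewrites dse.ldif itself on
shutdown and on config changes, so a running server would overwrite the fix."""
import shutil
import sys
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed sample: a real dse.ldif is far larger, this keeps only the
# entries the two fixes touch plus a neighbour that must survive untouched.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: nsslapdConfig
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on

dn: cn=encryption,cn=config
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig
nsSSLClientAuth: allowed

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
objectClass: top
objectClass: nsEncryptionModule
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
"""


def _entries(text: str) -> List[List[str]]:
    """Unfold LDIF continuation lines (leading space) and split on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[List[str]] = []
    current: List[str] = []
    for line in lines:
        if line.strip():
            current.append(line)
        elif current:
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries


def _dn_of(entry: List[str]) -> str:
    return next((ln[3:].strip().lower() for ln in entry if ln.lower().startswith("dn:")), "")


def _has_attr(line: str, attr: str) -> bool:
    # Match "attr:" with the colon so nsslapd-security never matches nsslapd-securityXYZ.
    return line.lower().startswith(attr.lower() + ":")


def get_attribute(text: str, dn: str, attr: str) -> List[str]:
    """All values of attr in entry dn (names compared case-insensitively), [] if absent."""
    for entry in _entries(text):
        if _dn_of(entry) == dn.lower():
            return [ln.split(":", 1)[1].strip() for ln in entry if _has_attr(ln, attr)]
    return []


def set_attribute(text: str, dn: str, attr: str, value: str) -> str:
    """Return the LDIF with attr in entry dn replaced by exactly one value."""
    out: List[str] = []
    found = False
    for entry in _entries(text):
        if _dn_of(entry) == dn.lower():
            found = True
            entry = [ln for ln in entry if not _has_attr(ln, attr)] + [f"{attr}: {value}"]
        out.append("\n".join(entry))
    if not found:
        raise KeyError(f"no entry with dn {dn!r} in LDIF")
    return "\n\n".join(out) + "\n"


def disable_ssl(text: str) -> str:
    """Fix 1 from the reply: start without SSL so cn=config is reachable over LDAP again."""
    return set_attribute(text, "cn=config", "nsslapd-security", "off")


def set_ssl_nickname(text: str, nickname: str) -> str:
    """Fix 2: make the RSA family reference the nickname that certutil -L shows."""
    return set_attribute(text, "cn=RSA,cn=encryption,cn=config", "nsSSLPersonalitySSL", nickname)


def fix_file(path: Path, nickname: Optional[str] = None) -> Path:
    """Back up dse.ldif next to itself, apply one fix in place, return the backup path."""
    backup = path.with_name(path.name + ".pre-edit")
    shutil.copy2(path, backup)
    text = path.read_text()
    path.write_text(set_ssl_nickname(text, nickname) if nickname else disable_ssl(text))
    return backup


if __name__ == "__main__":
    # Demo on a scratch copy of the constructed sample; pass a nickname to use fix 2.
    with tempfile.TemporaryDirectory() as tmp:
        dse = Path(tmp) / "dse.ldif"
        dse.write_text(SAMPLE_DSE)
        fix_file(dse, sys.argv[1] if len(sys.argv) > 1 else None)
        print(get_attribute(dse.read_text(), "cn=config", "nsslapd-security"),
              get_attribute(dse.read_text(), "cn=RSA,cn=encryption,cn=config", "nsSSLPersonalitySSL"))
```

The nickname you pass for fix 2 has to be the exact string certutil -L prints for the server's certificate database (the -d directory and -P prefix depend on how the instance was installed); if in doubt, apply fix 1, start the server, and repair the encryption entry over LDAP or with the console afterwards.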