FDS User
2007-May-10 17:15 UTC
[Fedora-directory-users] Unable to configure admin server with SSL
Hi,

I am getting "PSET failure: PSET attribute creation or local cache update failed" when I try to enable SSL for the admin server using the encryption tab. I have used it in the past without issues and now for some reason I get this error after doing a re-install of fds. I used the SSL script from the fds site to generate the certs.

Admin server log has this error:
[error] SSL Library Error: -12271 SSL client cannot verify your certificate

Any help is highly appreciated.

Thanks.
Richard Megginson
2007-May-10 17:18 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
FDS User wrote:
> Hi,
> I am getting "PSET failure: PSET attribute creation or local cache
> update failed" when I try to enable SSL for admin server using the
> encryption tab.
> I have used it in the past without issues and now for some reason I
> get this error after doing a re-install of fds.
> I used the SSL script from the fds site to generate the certs.
>
> Admin server log has this error:
> [error] SSL Library Error: -12271 SSL client cannot verify your
> certificate
>
> Any help is highly appreciated.

ls -al /opt/fedora-ds/alias
ls -al /opt/fedora-ds/admin-serv/config
grep NSS /opt/fedora-ds/admin-serv/config/console.conf

> Thanks.
Richard Megginson
2007-May-10 17:34 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
FDS User wrote:
> Below is the ls and grep output.
>
> [root@ldap slapd-ldap]# ls -al /opt/fedora-ds/alias
> <snip>

looks ok

> [root@ldap slapd-ldap]# ls -al /opt/fedora-ds/admin-serv/config
> total 84
> drwxr-xr-x 2 nobody nobody 4096 May 9 10:31 .
> drwxr-xr-x 8 root root 4096 May 9 10:32 ..
> -rw------- 1 nobody nobody 544 May 10 13:17 adm.conf
> -rw------- 1 nobody nobody 39 May 7 18:28 admpw
> -rw------- 1 root root 4598 May 7 18:28 admserv.conf
> -rw------- 1 nobody nobody 3702 May 10 13:17 console.conf
> -rw------- 1 root root 26784 May 7 18:28 httpd.conf
> -rw-r--r-- 1 root root 19233 May 7 18:28 local.conf

This is the likely culprit. Shut down the admin server, then chown nobody:nobody local.conf, then restart.

> -r-------- 1 nobody nobody 4604 May 7 18:29 nss.conf
>
> [root@ldap slapd-ldap]# grep NSS /opt/fedora-ds/admin-serv/config/console.conf
> NSSEngine on
> NSSNickname server-cert
> # The NSS security database directory that holds the certificates and
> NSSCertificateDatabase /opt/fedora-ds/alias
> NSSDBPrefix admin-serv-ldap-
> NSSCipherSuite +des,+rc2export,+rc4export,+desede3,+rc4,+rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5
> NSSVerifyClient none
>
> Richard Megginson wrote:
>> <snip>
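The check Richard asks for above is an ownership check: the admin server drops to an unprivileged user, so config files it has to read or rewrite must belong to that user. As an added example (my own code, not from the thread or the Fedora DS project), the POSIX sh helper below takes an `ls -al` listing on stdin and reports every regular file not owned by the user the server runs as. The embedded listing is a constructed sample that mirrors the one posted in the thread; the function names `find_wrong_owner` and `check_config_owner` and the expected user `nobody` are assumptions.

```shell
# Constructed sample: mirrors the /opt/fedora-ds/admin-serv/config listing
# posted in the thread (spacing normalised, contents unchanged).
SAMPLE_LISTING='total 84
drwxr-xr-x 2 nobody nobody  4096 May  9 10:31 .
drwxr-xr-x 8 root   root    4096 May  9 10:32 ..
-rw------- 1 nobody nobody   544 May 10 13:17 adm.conf
-rw------- 1 nobody nobody    39 May  7 18:28 admpw
-rw------- 1 root   root    4598 May  7 18:28 admserv.conf
-rw------- 1 nobody nobody  3702 May 10 13:17 console.conf
-rw------- 1 root   root   26784 May  7 18:28 httpd.conf
-rw-r--r-- 1 root   root   19233 May  7 18:28 local.conf
-r-------- 1 nobody nobody  4604 May  7 18:29 nss.conf'

# find_wrong_owner EXPECTED_USER  < listing
# Prints "<name> <owner> <mode>" for every regular file (mode starts with "-")
# whose owner column is not EXPECTED_USER. The "total" line and directory
# entries ("." and "..") are skipped.
find_wrong_owner() {
    awk -v want="$1" '
        NF >= 9 && substr($1, 1, 1) == "-" && $3 != want {
            print $9, $3, $1
        }'
}

# check_config_owner EXPECTED_USER  < listing
# Exit status 0 when every regular file is owned by EXPECTED_USER, 1 otherwise.
check_config_owner() {
    [ -z "$(find_wrong_owner "$1")" ]
}

# Live use on a host laid out like the one in the thread (path from the thread):
#   ls -al /opt/fedora-ds/admin-serv/config | find_wrong_owner nobody
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | find_wrong_owner nobody
```

Note that on the thread's listing this reports admserv.conf and httpd.conf as well as local.conf, because all three are root-owned; Richard singled out only local.conf as the culprit. Treat the output as a review list of files whose ownership differs from the server user, not as a list to chown blindly: which files matter depends on which process (the root-started httpd or the unprivileged CGI) actually opens them.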
FDS User
2007-May-10 17:34 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
Below is the ls and grep output.

[root@ldap slapd-ldap]# ls -al /opt/fedora-ds/alias
total 644
drwxr-xr-x 2 nobody nobody 4096 May 7 18:29 .
drwxr-xr-x 15 root root 4096 May 7 18:28 ..
-r-------- 1 nobody nobody 2092 May 7 18:29 adminserver.p12
-rw------- 1 nobody nobody 65536 May 9 10:21 admin-serv-ldap-cert8.db
-rw------- 1 nobody nobody 16384 May 9 10:21 admin-serv-ldap-key3.db
-rw-r--r-- 1 root root 619 May 7 18:29 cacert.asc
-rwxr-xr-x 1 root nobody 347368 Dec 4 17:27 libnssckbi.so
-r-------- 1 nobody nobody 41 May 7 18:29 noise.txt
-r-------- 1 nobody nobody 50 May 7 18:29 password.conf
-r-------- 1 nobody nobody 41 May 7 18:29 pwdfile.txt
-rw------- 1 nobody nobody 16384 May 10 13:19 secmod.db
-rw------- 1 nobody nobody 65536 May 7 18:29 slapd-ldap-cert8.db
-rw------- 1 nobody nobody 65536 May 7 18:28 slapd-ldap-cert8.db.bak
-rw------- 1 nobody nobody 16384 May 7 18:29 slapd-ldap-key3.db
-rw------- 1 nobody nobody 16384 May 7 18:28 slapd-ldap-key3.db.bak
-r-------- 1 nobody nobody 67 May 7 18:29 slapd-ldap-pin.txt

[root@ldap slapd-ldap]# ls -al /opt/fedora-ds/admin-serv/config
total 84
drwxr-xr-x 2 nobody nobody 4096 May 9 10:31 .
drwxr-xr-x 8 root root 4096 May 9 10:32 ..
-rw------- 1 nobody nobody 544 May 10 13:17 adm.conf
-rw------- 1 nobody nobody 39 May 7 18:28 admpw
-rw------- 1 root root 4598 May 7 18:28 admserv.conf
-rw------- 1 nobody nobody 3702 May 10 13:17 console.conf
-rw------- 1 root root 26784 May 7 18:28 httpd.conf
-rw-r--r-- 1 root root 19233 May 7 18:28 local.conf
-r-------- 1 nobody nobody 4604 May 7 18:29 nss.conf

[root@ldap slapd-ldap]# grep NSS /opt/fedora-ds/admin-serv/config/console.conf
NSSEngine on
NSSNickname server-cert
# The NSS security database directory that holds the certificates and
NSSCertificateDatabase /opt/fedora-ds/alias
NSSDBPrefix admin-serv-ldap-
NSSCipherSuite +des,+rc2export,+rc4export,+desede3,+rc4,+rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5
NSSVerifyClient none

Richard Megginson wrote:
> FDS User wrote:
>> <snip>
> ls -al /opt/fedora-ds/alias
> ls -al /opt/fedora-ds/admin-serv/config
>
> grep NSS /opt/fedora-ds/admin-serv/config/console.conf
FDS User
2007-May-10 17:52 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
I tried

FDS User wrote:
> Below is the ls and grep output.
> <snip>
FDS User
2007-May-10 17:56 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
I tried changing the permission for local.conf and restarted both admin and dir server. That didn't solve the issue.
Attached is the error I get when the login fails.

Thanks.

Richard Megginson wrote:
> FDS User wrote:
>> Below is the ls and grep output.
>> <snip>
>> [root@ldap slapd-ldap]# ls -al /opt/fedora-ds/admin-serv/config
>> <snip>
>> -rw-r--r-- 1 root root 19233 May 7 18:28 local.conf
> This is the likely culprit. Shut down the admin server, then chown
> nobody:nobody local.conf, then restart.
>> <snip>
Richard Megginson
2007-May-10 17:58 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
FDS User wrote:
> I tried changing the permission for local.conf and restarted both
> admin and dir server. That didn't solve the issue.
> Attached is the error I get when the login fails.

For the console login dialog, for the admin url field, did you use https://host:port/ ?

tail admin-serv/logs/error

> Thanks.
>
> Richard Megginson wrote:
>> <snip>
FDS User
2007-May-10 20:04 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
Tried all combinations for the url with and without https and with the right port #:

IP address
ldap.test.com
ldap

Still no luck.

adminserv error log:
[Thu May 10 13:19:36 2007] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
[Thu May 10 13:19:36 2007] [notice] Access Host filter is: *.test.com
[Thu May 10 13:19:36 2007] [notice] Access Address filter is: *
[Thu May 10 13:19:37 2007] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
[Thu May 10 13:19:37 2007] [notice] Access Host filter is: *.test.com
[Thu May 10 13:19:37 2007] [notice] Access Address filter is: *
[Thu May 10 13:19:37 2007] [notice] Apache/2.2.4 (Unix) mod_nss/2.2.3 NSS/3.11.3 configured -- resuming normal operations
[Thu May 10 13:38:18 2007] [notice] caught SIGTERM, shutting down
[Thu May 10 13:39:10 2007] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
[Thu May 10 13:39:10 2007] [notice] Access Host filter is: *.test.com
[Thu May 10 13:39:10 2007] [notice] Access Address filter is: *
[Thu May 10 13:39:11 2007] [warn] NSSProtocols not set; using: SSLv3 and TLSv1
[Thu May 10 13:39:11 2007] [notice] Access Host filter is: *.test.com
[Thu May 10 13:39:11 2007] [notice] Access Address filter is: *
[Thu May 10 13:39:11 2007] [notice] Apache/2.2.4 (Unix) mod_nss/2.2.3 NSS/3.11.3 configured -- resuming normal operations
[Thu May 10 13:40:10 2007] [error] SSL Library Error: -12271 SSL client cannot verify your certificate

Thanks.

Richard Megginson wrote:
> FDS User wrote:
>> I tried changing the permission for local.conf and restarted both
>> admin and dir server. That didn't solve the issue.
>> Attached is the error I get when the login fails.
> For the console login dialog, for the admin url field, did you use
> https://host:port/ ?
> tail admin-serv/logs/error
>> <snip>
Richard Megginson
2007-May-10 20:10 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
FDS User wrote:
> Tried all combinations for the url with and without https and with the
> right port #:
>
> IP address
> ldap.test.com
> ldap
>
> Still no luck.
>
> adminserv error log:
> <snip>
> [Thu May 10 13:40:10 2007] [error] SSL Library Error: -12271 SSL
> client cannot verify your certificate

cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P admin-serv-ldap-

Do you have a CA certificate in that list?

> Thanks.
>
> Richard Megginson wrote:
>> <snip>
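Richard's `certutil -L` question above comes down to two things being true of the admin server's NSS database: a CA certificate is present with SSL trust flags that mark it as a trusted issuer, and the server certificate named by `NSSNickname` is present with a private key. As an added example (my own code, not from the thread or the Fedora DS project), the POSIX sh helper below parses `certutil -L` output from stdin and answers both questions. The embedded output is a constructed sample shaped like what the poster reports later in the thread (`server-cert u,u,u`, `CA certificate CT,,`); the function names `list_trust`, `has_trusted_ca` and `has_server_key` are assumptions. The trust-flag meanings in the comments are NSS's: in the first (SSL) column, `C` marks a CA trusted to issue server certificates, `T` a CA trusted to issue client certificates, and `u` a certificate whose private key is in the database.

```shell
# Constructed sample: the shape of `certutil -L -d . -P admin-serv-ldap-`
# output, with the two entries the thread's poster reported.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

server-cert                                                  u,u,u
CA certificate                                               CT,,
'

# list_trust  < certutil-output
# Emits one "<nickname>|<trust>" line per certificate. Nicknames may contain
# spaces ("CA certificate"), so the trust flags are taken from the last
# whitespace-separated field and everything before it is the nickname.
list_trust() {
    awk '
        NF == 0 { next }                       # blank lines
        /^Certificate Nickname/ { next }       # header line 1
        /SSL,S\/MIME,JAR\/XPI/ { next }        # header line 2
        {
            trust = $NF
            $NF = ""                           # drop trust column; $0 is rebuilt
            sub(/[ \t]+$/, "")                 # trim the trailing separator
            print $0 "|" trust
        }'
}

# has_trusted_ca  < certutil-output
# Exit 0 if any entry has "C" (trusted CA for server certs) in its SSL column.
# A CA that is merely present ("c,,") or absent fails this check, which is the
# condition behind a "cannot verify your certificate" style failure.
has_trusted_ca() {
    list_trust | awk -F'|' '
        { split($2, col, ","); if (index(col[1], "C") > 0) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# has_server_key NICK  < certutil-output
# Exit 0 if NICK is present with "u" in its SSL column, i.e. the database
# holds the private key for the certificate NSSNickname points at.
has_server_key() {
    list_trust | awk -F'|' -v nick="$1" '
        $1 == nick { split($2, col, ","); if (index(col[1], "u") > 0) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Live use on a host laid out like the one in the thread (paths from the thread):
#   cd /opt/fedora-ds/alias
#   ../shared/bin/certutil -L -d . -P admin-serv-ldap- | has_trusted_ca && echo "CA trusted"
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_CERTUTIL" | list_trust
```

Keep in mind that this inspects only the server-side database. A client such as the console keeps its own trust decisions, so a healthy `CT,,` CA entry here does not by itself mean the client will accept the server certificate; the two checks answer different questions.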
FDS User
2007-May-10 20:14 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
[root@ldap alias]# ../shared/bin/certutil -L -d . -P admin-serv-ldap-
server-cert u,u,u
CA certificate CT,,

Richard Megginson wrote:
> FDS User wrote:
>> <snip>
>> [Thu May 10 13:40:10 2007] [error] SSL Library Error: -12271 SSL
>> client cannot verify your certificate
> cd /opt/fedora-ds/alias
> ../shared/bin/certutil -L -d . -P admin-serv-ldap-
>
> Do you have a CA certificate in that list?
>> <snip>
Richard Megginson
2007-May-10 20:20 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
FDS User wrote:
> [root@ldap alias]# ../shared/bin/certutil -L -d . -P admin-serv-ldap-
> server-cert u,u,u
> CA certificate CT,,
>
> Richard Megginson wrote:
>> FDS User wrote:
>>> <snip>
>>> [Thu May 10 13:40:10 2007] [error] SSL Library Error: -12271 SSL
>>> client cannot verify your certificate

I'm not sure what this means. I believe in this case the SSL client is the console. Try this: rm -rf ~/.fedora-console as the user you run startconsole with. Then try to connect over https. The console should pop up a dialog saying that it doesn't trust the server cert and ask you what to do.

Also try connecting to https://host:adminport/ in your web browser.
FDS User
2007-May-10 20:36 UTC
Re: [Fedora-directory-users] Unable to configure admin server with SSL
Removing the .fedora-console prompted for the cert trust and then I was able to login. Thank you very much for the fix and for the prompt replies.

Richard Megginson wrote:
> FDS User wrote:
>> [root@ldap alias]# ../shared/bin/certutil -L -d . -P admin-serv-ldap-
>> server-cert u,u,u
>> CA certificate CT,,
>> <snip>
> I'm not sure what this means. I believe in this case the SSL client
> is the console. Try this: rm -rf ~/.fedora-console as the user you
> run startconsole with. Then try to connect over https. The console
> should pop up a dialog saying that it doesn't trust the server cert
> and ask you what to do.
>
> Also try connecting to https://host:adminport/ in your web browser.