Fedora directory users - Oct 2007 - RedHat 4/Fedora-DS - SSL Cert DB not readable?

Hi,

We''re preparing to upgrade from the initial DS release to 1.0.4-1 on
our
RHEL4 servers.  In testing, we''ve hit a brick wall while trying to set
up SSL.  We can install the server just fine, but when clicking on
"Manage Certificates" in the console we get the following:

could not open file slapd-$hostname-cert8.db

We get the same type of error when trying to manage the admin server
certs.

This is a completely fresh install, and we''ve double checked file
ownership, so permissions are not an issue.  After working on this for a
while, I tried installing the FC6 rpm on my FC6 desktop with the same
settings and JVM, which worked just fine...so its something specific
about the RHEL4 version or its dependencies.  

I found one other post about this kind of issue (From Nov 2006 by Graham
Leggett), but I never saw a solution.  I have even tried initializing
the DBs by hand with certutil, but this does not appear to make a
difference.

Any advice?

Thanks,

Travis

Travis wrote:
> Hi,
> 
> We''re preparing to upgrade from the initial DS release to 1.0.4-1
on our
> RHEL4 servers.  In testing, we''ve hit a brick wall while trying to
set
> up SSL.  We can install the server just fine, but when clicking on
> "Manage Certificates" in the console we get the following:
> 
> could not open file slapd-$hostname-cert8.db
> 
> We get the same type of error when trying to manage the admin server
> certs.
> 
> This is a completely fresh install, and we''ve double checked file
> ownership, so permissions are not an issue.  After working on this for a
> while, I tried installing the FC6 rpm on my FC6 desktop with the same
> settings and JVM, which worked just fine...so its something specific
> about the RHEL4 version or its dependencies.  
> 
> I found one other post about this kind of issue (From Nov 2006 by Graham
> Leggett), but I never saw a solution.  I have even tried initializing
> the DBs by hand with certutil, but this does not appear to make a
> difference.
> 
> Any advice?
>
Permissions perhaps?

rob

Hi,

No, as noted it is a completely new install, and I''ve already ddouble
checked permissions.

Regardless - I''ve also tried chowning the entire tree to ldap (yes,
this
is the user privs are being dropped to), as well as setting a+rw on the
entire /opt/fedora-ds tree. 

Thanks,

Travis
 

On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote:
> Travis wrote:
> > Hi,
> > 
> > We''re preparing to upgrade from the initial DS release to
1.0.4-1 on our
> > RHEL4 servers.  In testing, we''ve hit a brick wall while
trying to set
> > up SSL.  We can install the server just fine, but when clicking on
> > "Manage Certificates" in the console we get the following:
> > 
> > could not open file slapd-$hostname-cert8.db
> > 
> > We get the same type of error when trying to manage the admin server
> > certs.
> > 
> > This is a completely fresh install, and we''ve double checked
file
> > ownership, so permissions are not an issue.  After working on this for
a
> > while, I tried installing the FC6 rpm on my FC6 desktop with the same
> > settings and JVM, which worked just fine...so its something specific
> > about the RHEL4 version or its dependencies.  
> > 
> > I found one other post about this kind of issue (From Nov 2006 by
Graham
> > Leggett), but I never saw a solution.  I have even tried initializing
> > the DBs by hand with certutil, but this does not appear to make a
> > difference.
> > 
> > Any advice?
> >
> 
> Permissions perhaps?
> 
> rob
> !DSPAM:10001,4702b89655891583291669!

I agree with Graham''s original idea - its almost as if the server is
not
looking in the proper location for the database.  Does anyone know where
this is set?

Thanks,

Travis

On Tue, 2007-10-02 at 18:25 -0400, Travis wrote:
> Hi,
> 
> No, as noted it is a completely new install, and I''ve already
ddouble
> checked permissions.
> 
> Regardless - I''ve also tried chowning the entire tree to ldap
(yes, this
> is the user privs are being dropped to), as well as setting a+rw on the
> entire /opt/fedora-ds tree. 
> 
> Thanks,
> 
> Travis
>  
> 
> On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote:
> > Travis wrote:
> > > Hi,
> > > 
> > > We''re preparing to upgrade from the initial DS release
to 1.0.4-1 on our
> > > RHEL4 servers.  In testing, we''ve hit a brick wall while
trying to set
> > > up SSL.  We can install the server just fine, but when clicking
on
> > > "Manage Certificates" in the console we get the
following:
> > > 
> > > could not open file slapd-$hostname-cert8.db
> > > 
> > > We get the same type of error when trying to manage the admin
server
> > > certs.
> > > 
> > > This is a completely fresh install, and we''ve double
checked file
> > > ownership, so permissions are not an issue.  After working on
this for a
> > > while, I tried installing the FC6 rpm on my FC6 desktop with the
same
> > > settings and JVM, which worked just fine...so its something
specific
> > > about the RHEL4 version or its dependencies.  
> > > 
> > > I found one other post about this kind of issue (From Nov 2006 by
Graham
> > > Leggett), but I never saw a solution.  I have even tried
initializing
> > > the DBs by hand with certutil, but this does not appear to make a
> > > difference.
> > > 
> > > Any advice?
> > >
> > 
> > Permissions perhaps?
> > 
> > rob
> > 
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
> 
> !DSPAM:10001,4702c57f55891133320659!
>

> could not open file slapd-$hostname-cert8.db
Does $hostname match the slapd instance name? For example, is the path to your
slapd directory /opt/fedora-ds/slapd-$hostname? Or is it slapd-$somethingelse?

-richard

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rob Crittenden
Sent: Tuesday, October 02, 2007 2:31 PM
To: tag@netfoo.org; General discussion list for the Fedora Directory server
project.
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not
readable?

Travis wrote:
> Hi,
>
> We''re preparing to upgrade from the initial DS release to 1.0.4-1
on
> our
> RHEL4 servers.  In testing, we''ve hit a brick wall while trying to
set
> up SSL.  We can install the server just fine, but when clicking on
> "Manage Certificates" in the console we get the following:
>
> could not open file slapd-$hostname-cert8.db
>
> We get the same type of error when trying to manage the admin server
> certs.
>
> This is a completely fresh install, and we''ve double checked file
> ownership, so permissions are not an issue.  After working on this for
> a while, I tried installing the FC6 rpm on my FC6 desktop with the
> same settings and JVM, which worked just fine...so its something
> specific about the RHEL4 version or its dependencies.
>
> I found one other post about this kind of issue (From Nov 2006 by
> Graham Leggett), but I never saw a solution.  I have even tried
> initializing the DBs by hand with certutil, but this does not appear
> to make a difference.
>
> Any advice?
>
Permissions perhaps?

rob

Travis wrote:
> I agree with Graham''s original idea - its almost as if the server
is not
> looking in the proper location for the database.  Does anyone know where
> this is set?
>   
It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also 
grep -i nscert
/opt/fedora-ds/slapd-instancename/config/dse.ldif
> Thanks,
>
> Travis
>
> On Tue, 2007-10-02 at 18:25 -0400, Travis wrote:
>   
>> Hi,
>>
>> No, as noted it is a completely new install, and I''ve already
ddouble
>> checked permissions.
>>
>> Regardless - I''ve also tried chowning the entire tree to ldap
(yes, this
>> is the user privs are being dropped to), as well as setting a+rw on the
>> entire /opt/fedora-ds tree. 
>>
>> Thanks,
>>
>> Travis
>>  
>>
>> On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote:
>>     
>>> Travis wrote:
>>>       
>>>> Hi,
>>>>
>>>> We''re preparing to upgrade from the initial DS release
to 1.0.4-1 on our
>>>> RHEL4 servers.  In testing, we''ve hit a brick wall
while trying to set
>>>> up SSL.  We can install the server just fine, but when clicking
on
>>>> "Manage Certificates" in the console we get the
following:
>>>>
>>>> could not open file slapd-$hostname-cert8.db
>>>>
>>>> We get the same type of error when trying to manage the admin
server
>>>> certs.
>>>>
>>>> This is a completely fresh install, and we''ve double
checked file
>>>> ownership, so permissions are not an issue.  After working on
this for a
>>>> while, I tried installing the FC6 rpm on my FC6 desktop with
the same
>>>> settings and JVM, which worked just fine...so its something
specific
>>>> about the RHEL4 version or its dependencies.  
>>>>
>>>> I found one other post about this kind of issue (From Nov 2006
by Graham
>>>> Leggett), but I never saw a solution.  I have even tried
initializing
>>>> the DBs by hand with certutil, but this does not appear to make
a
>>>> difference.
>>>>
>>>> Any advice?
>>>>
>>>>         
>>> Permissions perhaps?
>>>
>>> rob
>>>
>>>       
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>> !DSPAM:10001,4702c57f55891133320659!
>>
>>     
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Thanks Richard and Richard - Tried to post last night by my home mail
server is blocked as a spammer for some reason (a bad spammer *is* on my
subnet somewhere...)

I had a long think about what was different between the working installs
and non-working installs and realized the one that wasn''t working had a
"." in the name due to our naming convention.  I tried substituting a
"-" for the "." and it worked like a charm.  :-)

Thanks for the help folks.  I''ll file a bug report - the installer
should at least prevent you from using periods in instance names.

Travis

On Tue, 2007-10-02 at 17:04 -0600, Richard Megginson
wrote:
> Travis wrote:
> > I agree with Graham''s original idea - its almost as if the
server is not
> > looking in the proper location for the database.  Does anyone know
where
> > this is set?
> >   
> It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also 
> grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif
> > Thanks,
> >
> > Travis
> >
> > On Tue, 2007-10-02 at 18:25 -0400, Travis wrote:
> >   
> >> Hi,
> >>
> >> No, as noted it is a completely new install, and I''ve
already ddouble
> >> checked permissions.
> >>
> >> Regardless - I''ve also tried chowning the entire tree to
ldap (yes, this
> >> is the user privs are being dropped to), as well as setting a+rw
on the
> >> entire /opt/fedora-ds tree. 
> >>
> >> Thanks,
> >>
> >> Travis
> >>  
> >>
> >> On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote:
> >>     
> >>> Travis wrote:
> >>>       
> >>>> Hi,
> >>>>
> >>>> We''re preparing to upgrade from the initial DS
release to 1.0.4-1 on our
> >>>> RHEL4 servers.  In testing, we''ve hit a brick
wall while trying to set
> >>>> up SSL.  We can install the server just fine, but when
clicking on
> >>>> "Manage Certificates" in the console we get the
following:
> >>>>
> >>>> could not open file slapd-$hostname-cert8.db
> >>>>
> >>>> We get the same type of error when trying to manage the
admin server
> >>>> certs.
> >>>>
> >>>> This is a completely fresh install, and we''ve
double checked file
> >>>> ownership, so permissions are not an issue.  After working
on this for a
> >>>> while, I tried installing the FC6 rpm on my FC6 desktop
with the same
> >>>> settings and JVM, which worked just fine...so its
something specific
> >>>> about the RHEL4 version or its dependencies.  
> >>>>
> >>>> I found one other post about this kind of issue (From Nov
2006 by Graham
> >>>> Leggett), but I never saw a solution.  I have even tried
initializing
> >>>> the DBs by hand with certutil, but this does not appear to
make a
> >>>> difference.
> >>>>
> >>>> Any advice?
> >>>>
> >>>>         
> >>> Permissions perhaps?
> >>>
> >>> rob
> >>>
> >>>       
> >> --
> >> Fedora-directory-users mailing list
> >> Fedora-directory-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>
> >>
> >> !DSPAM:10001,4702c57f55891133320659!
> >>
> >>     
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >   
> 
> !DSPAM:10001,4702cfc155891054640233!

Travis - I had this problem with new installations and clean re-
installations.  The installation of Fedora Directory did not create the 
certificate database.  I solved it by creating the appropriately-named 
certificate database in the correct location using certutil.   -Glenn. 

---------- Original Message -----------
From: Richard Megginson <rmeggins@redhat.com>
To: tag@netfoo.org, "General discussion list for the Fedora Directory
server
project." <fedora-directory-users@redhat.com>
Sent: Tue, 02 Oct 2007 17:04:33 -0600
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not 
readable?
> Travis wrote:
> > I agree with Graham''s original idea - its almost as if the
server is not
> > looking in the proper location for the database.  Does anyone know
where
> > this is set?
> >   
> It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also 
> grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif

Glenn wrote:
> Travis - I had this problem with new installations and clean re-
> installations.  The installation of Fedora Directory did not create the 
> certificate database.  I solved it by creating the appropriately-named 
> certificate database in the correct location using certutil.   -Glenn. 
>   
Is there any sort of pattern to when it does or does not create the 
key/cert databases?  When the server starts up, it is supposed to create 
them if they are not there.  This means that /opt/fedora-ds/alias must 
be writable by the server user id (default nobody).

When you uninstall the server, it does not remove the key and cert 
databases, because this could be potentially devastating if you had not 
backed them up first.
> ---------- Original Message -----------
> From: Richard Megginson <rmeggins@redhat.com>
> To: tag@netfoo.org, "General discussion list for the Fedora Directory
server
> project." <fedora-directory-users@redhat.com>
> Sent: Tue, 02 Oct 2007 17:04:33 -0600
> Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not 
> readable?
>
>   
>> Travis wrote:
>>     
>>> I agree with Graham''s original idea - its almost as if the
server is not
>>> looking in the proper location for the database.  Does anyone know
where
>>> this is set?
>>>   
>>>       
>> It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also 
>> grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif
>>     
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Hi Glen,

That was not the problem - the DB was there after install (though not
the admin server DB), it just couldn''t parse the "." in the
instance
name.

Travis

On Wed, 2007-10-03 at 08:48 -0500, Glenn wrote:
> Travis - I had this problem with new installations and clean re-
> installations.  The installation of Fedora Directory did not create the 
> certificate database.  I solved it by creating the appropriately-named 
> certificate database in the correct location using certutil.   -Glenn. 
> 
> ---------- Original Message -----------
> From: Richard Megginson <rmeggins@redhat.com>
> To: tag@netfoo.org, "General discussion list for the Fedora Directory
server
> project." <fedora-directory-users@redhat.com>
> Sent: Tue, 02 Oct 2007 17:04:33 -0600
> Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not 
> readable?
> 
> > Travis wrote:
> > > I agree with Graham''s original idea - its almost as if
the server is not
> > > looking in the proper location for the database.  Does anyone
know where
> > > this is set?
> > >   
> > It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also 
> > grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
> 
> !DSPAM:10001,47039db155899083919185!
>

Richard - It has been months since I did this, and I don''t remember
each
detail of the installation.  I did not use the default server user ID; I 
changed it when given the opportunity during installation.  Maybe this caused 
a permissions problem?   -Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins@redhat.com>
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users@redhat.com>
Sent: Wed, 03 Oct 2007 08:02:15 -0600
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not 
readable?
> Glenn wrote:
> > Travis - I had this problem with new installations and clean re-
> > installations.  The installation of Fedora Directory did not create
the
> > certificate database.  I solved it by creating the appropriately-named
> > certificate database in the correct location using certutil.   -Glenn.
> >   
> Is there any sort of pattern to when it does or does not create the 
> key/cert databases?  When the server starts up, it is supposed to 
> create them if they are not there.  This means that /opt/fedora-
> ds/alias must be writable by the server user id (default nobody).
>