Travis
2007-Oct-02 21:11 UTC
[Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Hi,

We're preparing to upgrade from the initial DS release to 1.0.4-1 on our RHEL4 servers. In testing, we've hit a brick wall while trying to set up SSL. We can install the server just fine, but when clicking on "Manage Certificates" in the console we get the following:

could not open file slapd-$hostname-cert8.db

We get the same type of error when trying to manage the admin server certs.

This is a completely fresh install, and we've double checked file ownership, so permissions are not an issue. After working on this for a while, I tried installing the FC6 rpm on my FC6 desktop with the same settings and JVM, which worked just fine...so it's something specific about the RHEL4 version or its dependencies.

I found one other post about this kind of issue (from Nov 2006 by Graham Leggett), but I never saw a solution. I have even tried initializing the DBs by hand with certutil, but this does not appear to make a difference.

Any advice?

Thanks,

Travis
Rob Crittenden
2007-Oct-02 21:30 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Permissions perhaps?

rob
Travis
2007-Oct-02 22:25 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Hi,

No, as noted it is a completely new install, and I've already double checked permissions.

Regardless - I've also tried chowning the entire tree to ldap (yes, this is the user privs are being dropped to), as well as setting a+rw on the entire /opt/fedora-ds tree.

Thanks,

Travis
Travis
2007-Oct-02 22:49 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
I agree with Graham's original idea - it's almost as if the server is not looking in the proper location for the database. Does anyone know where this is set?

Thanks,

Travis
Richard Hesse
2007-Oct-02 23:02 UTC
RE: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
> could not open file slapd-$hostname-cert8.db

Does $hostname match the slapd instance name? For example, is the path to your slapd directory /opt/fedora-ds/slapd-$hostname? Or is it slapd-$somethingelse?

-richard
Richard Megginson
2007-Oct-02 23:04 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Travis wrote:
> I agree with Graham's original idea - it's almost as if the server is not
> looking in the proper location for the database. Does anyone know where
> this is set?

It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also
grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif
Travis
2007-Oct-03 13:23 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Thanks Richard and Richard -

Tried to post last night but my home mail server is blocked as a spammer for some reason (a bad spammer *is* on my subnet somewhere...)

I had a long think about what was different between the working installs and non-working installs and realized the one that wasn't working had a "." in the name due to our naming convention. I tried substituting a "-" for the "." and it worked like a charm. :-)

Thanks for the help folks. I'll file a bug report - the installer should at least prevent you from using periods in instance names.

Travis
Glenn
2007-Oct-03 13:48 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Travis - I had this problem with new installations and clean re-installations. The installation of Fedora Directory did not create the certificate database. I solved it by creating the appropriately-named certificate database in the correct location using certutil. -Glenn.
Richard Megginson
2007-Oct-03 14:02 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Glenn wrote:
> Travis - I had this problem with new installations and clean
> re-installations. The installation of Fedora Directory did not create the
> certificate database. I solved it by creating the appropriately-named
> certificate database in the correct location using certutil. -Glenn.

Is there any sort of pattern to when it does or does not create the key/cert databases? When the server starts up, it is supposed to create them if they are not there. This means that /opt/fedora-ds/alias must be writable by the server user id (default nobody). When you uninstall the server, it does not remove the key and cert databases, because this could be potentially devastating if you had not backed them up first.
Travis
2007-Oct-03 14:20 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Hi Glenn,

That was not the problem - the DB was there after install (though not the admin server DB), it just couldn't parse the "." in the instance name.

Travis
Glenn
2007-Oct-04 14:25 UTC
Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Richard - It has been months since I did this, and I don't remember each detail of the installation. I did not use the default server user ID; I changed it when given the opportunity during installation. Maybe this caused a permissions problem? -Glenn.
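Added example, not part of any message in this thread: a shell pre-flight check that gathers the points raised above (the alias/slapd-instancename-cert8.db path, the period in the instance name, the writable alias directory) and also flags databases left world-writable after "a+rw on the whole tree" troubleshooting. The function name check_instance, the script name in the usage comment and the key3.db file name for the key database are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the NSS databases
# of one Fedora DS instance. Run it as the server user so -r/-w are meaningful.
# Assumed: key3.db as the key database file name; exit status 0 = all checks pass.

check_instance() {
    root=$1        # server root, /opt/fedora-ds in the thread
    instance=$2    # instance name without the "slapd-" prefix
    alias_dir="$root/alias"
    status=0

    # Root cause found in the thread: a "." in the instance name.
    case $instance in
        *.*) echo "FAIL: instance name '$instance' contains a period"
             status=1 ;;
    esac

    # The instance directory must match the name used in the database path.
    if [ ! -d "$root/slapd-$instance" ]; then
        echo "FAIL: missing instance directory $root/slapd-$instance"
        status=1
    fi

    # The server creates missing databases at startup, which only works
    # if alias/ is writable by the user the server runs as.
    if [ ! -w "$alias_dir" ]; then
        echo "FAIL: $alias_dir is not writable by $(id -un)"
        status=1
    fi

    for suffix in cert8.db key3.db; do
        db="$alias_dir/slapd-$instance-$suffix"
        if [ ! -f "$db" ]; then
            echo "FAIL: $db does not exist"
            status=1
        elif [ ! -r "$db" ]; then
            echo "FAIL: $db is not readable by $(id -un)"
            status=1
        elif [ -n "$(find "$db" -prune -perm -002)" ]; then
            # Typical leftover of chmod -R a+rw used while troubleshooting.
            echo "FAIL: $db is world-writable"
            status=1
        fi
    done

    if [ "$status" -eq 0 ]; then
        echo "OK: slapd-$instance databases look sane"
    fi
    return "$status"
}

# Usage: sh check.sh /opt/fedora-ds instancename
if [ $# -eq 2 ]; then
    check_instance "$1" "$2"
fi
```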