#287 dirsrv-admin with existing (remote) configuration server using SSL fails to start
Closed: wontfix None Opened 12 years ago by brett.

389-ds installation when setting the Configuration Server to a remote host over SSL seems to go fine until it tries to start dirsrv-admin.

...
Configuration directory server URL [ldap://<local FQDN>:389/o=NetscapeRoot]: ldaps://<Config Server FQDN>:636/o=NetscapeRoot
...
CA certificate filename: /etc/openldap/cacerts/<base64 cert file>
...

output: Server failed to start !!! Please check errors log for problems
output:                                                    [FAILED]

/var/log/dirsrv/admin-serv/error:

[Wed Feb 08 13:35:26 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Feb 08 13:35:32 2012] [crit] sslinit: NSS is required to use LDAPS, but security initialization failed [-12285:Unable to find the certificate or key necessary for authentication.].  Cannot start server

The server has, however, successfully registered itself with the remote Configuration Directory Server
(it shows up in the server group in 389-Console, and Directory Server is available).

SELinux Status:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive

389 RPMs installed:

389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-1.1.14-2.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-admin-1.1.25-1.el6.x86_64
389-dsgw-1.1.7-2.el6.x86_64

Certificate stored during the installation procedure:

[root@<host> admin-serv]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,

Which leads me to believe that it should be able to at least find the certificate...
I also checked file/directory ownership and permissions which match those on the working ‘master’ server.

389-Users mailing list thread http://lists.fedoraproject.org/pipermail/389-users/2012-February/014063.html
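The ticket's certutil listing shows a single entry whose trust flags are "CT,,". In certutil's trust-flag notation, a "u" in a column means the database also holds the private key for that entry, which is what distinguishes a cert that can be presented for authentication from a CA cert that is only trusted. The following script, added here as an illustration and not part of the ticket or of the 389-admin code, parses certutil -L style output and reports which nicknames carry a private key. The sample listing and the "server-cert" nickname are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `certutil -d <dir> -L` output (not taken from the ticket).
# The "server-cert" entry with "u,u,u" is hypothetical: it stands for a cert
# whose private key is present in the NSS database.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
server-cert                                                  u,u,u
'

# user_certs LISTING
# Prints the nicknames whose SSL trust column contains "u", i.e. entries for
# which the database holds a private key. Header and blank lines are skipped;
# the nickname is everything before the trailing trust-flag field.
user_certs() {
  printf '%s\n' "$1" | awk '
    /^Certificate Nickname/ || /^[[:space:]]*SSL,S\/MIME/ || /^[[:space:]]*$/ { next }
    {
      flags = $NF
      nick = substr($0, 1, length($0) - length(flags))
      sub(/[[:space:]]+$/, "", nick)
      split(flags, f, ",")
      if (f[1] ~ /u/) print nick
    }'
}

# count_user_certs LISTING
# Number of entries with a private key; 0 means the database only holds
# trusted certs (such as a CA cert) and nothing it could authenticate with.
count_user_certs() {
  user_certs "$1" | wc -l | tr -d ' '
}

# Usage against a live database, e.g. from /etc/dirsrv/admin-serv:
#   count_user_certs "$(certutil -d . -L)"
user_certs "$SAMPLE_LISTING"
```

Run the function on the real listing with `user_certs "$(certutil -d . -L)"` from the admin-serv directory; an empty result means every entry in the database is trust-only.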



Not sure how to reproduce this. I'll note that a couple of NSS problems related to NSS, openldap, and admin server have been fixed in the latest version RHEL 6.4.z. Please try upgrading to the latest RHEL 6.4.z packages.

Since there's no response for more than 10 months, we are closing this ticket for now.

Please reopen the ticket if the issue is still observed on the supported versions.

Metadata Update from @nhosoi:
- Issue assigned to rmeggins
- Issue set to the milestone: 389-admin,console 1.1.36

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/287

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
