389-ds-base and 389-admin are using the old format of cert db. NSS recommends to switch to the sql format having the shared DB feature.
git patch file (master) 0001-Ticket-48760-NSS-switching-to-the-sql-db.patch
git patch file (master) -- CI test 0002-Ticket-48760-CI-test-test-cases-for-47536-and-48760.patch
We'll need to update documentation too: I believe that there are environment variables and commandline options that need to change with this.
i.e.
{{{
export NSS_DEFAULT_DB_TYPE=sql
certutil -L -d /tmp/nss
}}}
vs
{{{
certutil -L -d sql:/tmp/nss
}}}
Replying to [comment:2 firstyear]:
> We'll need to update documentation too: I believe that there are environment variables and commandline options that need to change with this. [...]

Yes, that's right. Thanks for pointing it out, William.
Metadata Update from @firstyear:
- Issue assigned to nhosoi
- Issue set to the milestone: 1.3.6 backlog
Metadata Update from @mreynolds:
- Custom field component reset (from Security - SSL)
- Issue close_status updated to: None
- Issue set to the milestone: 1.3.7 backlog (was: 1.3.6 backlog)
In Fedora 27 NSS is switching over to SQL, so this needs to get into 1.3.7.
Metadata Update from @mreynolds:
- Issue set to the milestone: 1.3.7.0 (was: 1.3.7 backlog)
@mreynolds I have been running this for a while in test envs, and this made it work for me https://pagure.io/389-ds-base/issue/49041
It looks like @nhosoi patch has been lost to the sands of pagure though :(
It's not lost. If you delete 'files/' from the url, it opens: https://pagure.io/389-ds-base/issue/raw/27db7f791946ab3c099b02d54afc6626111d248b96655d2e3585bf13eb8506a5-0001-Ticket-48760-NSS-switching-to-the-sql-db.patch
I filed a ticket with fedora-infra to fix these links: https://pagure.io/fedora-infrastructure/issue/6091 I'm not sure if a new release was deployed, but it looks like we still have this issue.
Okay. Thanks for finding that @vashirov . If @nhosoi doesn't mind, I'll tweak this patch and get it into a committable state.
Metadata Update from @firstyear:
- Issue assigned to firstyear (was: nhosoi)
The second part to this would be enabling SQL by default, I assume for 1.4.x. We also need to turn on nss extract pem by default too ....
Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1485370
For 1.3.7 we need to handle SQL && non-SQL db's.
It looks like this already works.
{{{
{root@ldapkdc 14:47} /opt/dirsrv/etc/dirsrv/slapd-localhost I0> ls -al
total 296
drwxr-xr-x. 3 dirsrv dirsrv   212 Sep  5 14:47 .
drwxr-xr-x. 6 root   root      82 Sep  5 14:13 ..
-rw-------. 1 dirsrv dirsrv 28672 Sep  5 14:46 cert9.db
-rw-r--r--. 1 dirsrv dirsrv  1676 Sep  5 11:08 certmap.conf
-rw-------. 1 dirsrv dirsrv 66195 Sep  5 14:47 dse.ldif
-rw-------. 1 dirsrv dirsrv 65505 Sep  5 14:47 dse.ldif.bak
-rw-------. 1 dirsrv dirsrv 69284 Sep  5 14:47 dse.ldif.startOK
-rw-------. 1 dirsrv dirsrv 36864 Sep  5 14:46 key4.db
-rw-r--r--. 1 dirsrv root      90 Sep  5 11:11 pin.txt
-rw-------. 1 dirsrv dirsrv   567 Sep  5 14:47 pkcs11.txt
-rw-r--r--. 1 dirsrv root      64 Sep  5 11:11 pwdfile.txt
drwxr-xr-x. 2 dirsrv dirsrv    25 Sep  5 14:47 schema
-rw-r--r--. 1 dirsrv dirsrv 15142 Sep  5 11:08 slapd-collations.conf
}}}

{{{
dsctl localhost start
NOTICE: Starting instance with ASAN options
This is probably not what you want. Please contact support.
ASAN options will be copied from your environment
[05/Sep/2017:14:47:40.697868851 +1000] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[05/Sep/2017:14:47:40.716368597 +1000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[05/Sep/2017:14:47:40.734611441 +1000] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.748797439 +1000] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.761643240 +1000] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[05/Sep/2017:14:47:40.774092434 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.792556312 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.811485627 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.827630120 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.840205173 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:40.852789796 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.868609337 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.887122450 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:40.905222368 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:40.917509977 +1000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:40.929811940 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:40.944601068 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[05/Sep/2017:14:47:40.962488384 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.980224641 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:40.994482510 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.007129897 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:41.019209383 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:41.037344150 +1000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.055768062 +1000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[05/Sep/2017:14:47:41.072560272 +1000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[05/Sep/2017:14:47:41.084650838 +1000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.097369749 +1000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[05/Sep/2017:14:47:41.113579621 +1000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[05/Sep/2017:14:47:41.144161953 +1000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
}}}

{{{
{root@ldapkdc 14:47} /opt/dirsrv/etc/dirsrv/slapd-localhost I0> openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
-----BEGIN CERTIFICATE-----
MIICpTCCAY2gAwIBAgIFAKsNPSYwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAxMJ
bG9jYWxob3N0MB4XDTE3MDkwNTA0NDYzNFoXDTE3MTIwNTA0NDYzNFowFDESMBAG
A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
vAzmRJpNiv3VcNRcH7p94fniQhdFlPORxCLVA0eBx6DWE/oMycP9+EX5vZEHFo8X
Y86zEVhQPdcYIiHEkyQNt2wxhVuN40xi866nnmTPCoSDaoW6FQ+JFsqtH+GfkyVS
LqxWwMTbv4QsuKbF8NWnuB4UqRKx/aIxbdpvqgrsL4fbykTNWoiJNo8oxk7xUbUZ
FqfZU7XEVKl1JQ0IA2nJHxc0YAFr7LVV1iiFd/4TFci6Xf37XsfiM2J81mZRp4n8
HTTHY/D58Mqvra83MvSMnfFx/dP3Z64vwZdWWv0uf1iHV9rd+mYpGYhJpkdO0jxa
O7DFghrMFk0cpLPmdVZH3QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCMpQG4D6PG
ChzfpqEuwu8YCtJhLHcye41bir9QJTIH+U/osGV99aQSsYpr0nKXo76A7SOx0x8D
e3YlXq4ByBkOJztNtvGnvqkDZH/iYzrh8QBH89YLLQL8RIqrxxAqEtyCeLUnfNfH
9hH2U95VErwlZDI1771skvgGKlhVeMIzI/ft8/3dI0su5MfW1VSWhMkFHhoPaJoz
HoPx33wD0QuXlCcFHH2lcZIIMailWDxcYWawMSX1QckNSKXkZnqrFqI7XnpGmea/
6g+9ij0TwkgSNiBUJM7PwmEwoGAtnxCP7B2ayggaX77xhUTy/9ryOAaeS9QffNFt
AjKbjp/wtwQP
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:0x04+0x08:0x05+0x08:0x06+0x08:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1180 bytes and written 359 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6C5E558205C623A9E874401100779944524DB02FCFB3C1AF7DB5691555CF520E
    Session-ID-ctx:
    Master-Key: C57C617966C9F320173B76EDD4C4105A80EAB0797D5C5931A955F32D9A239015B34A651F31C86776DC4BACD680296486
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504586883
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
^C
}}}

{{{
{root@ldapkdc 14:48} /opt/dirsrv/etc/dirsrv/slapd-localhost I0> certutil -L -d . -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 00:ab:0d:3d:26
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=localhost"
        Validity:
            Not Before: Tue Sep 05 04:46:34 2017
            Not After : Tue Dec 05 04:46:34 2017
        Subject: "CN=localhost"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    bc:0c:e6:44:9a:4d:8a:fd:d5:70:d4:5c:1f:ba:7d:e1:
                    f9:e2:42:17:45:94:f3:91:c4:22:d5:03:47:81:c7:a0:
                    d6:13:fa:0c:c9:c3:fd:f8:45:f9:bd:91:07:16:8f:17:
                    63:ce:b3:11:58:50:3d:d7:18:22:21:c4:93:24:0d:b7:
                    6c:31:85:5b:8d:e3:4c:62:f3:ae:a7:9e:64:cf:0a:84:
                    83:6a:85:ba:15:0f:89:16:ca:ad:1f:e1:9f:93:25:52:
                    2e:ac:56:c0:c4:db:bf:84:2c:b8:a6:c5:f0:d5:a7:b8:
                    1e:14:a9:12:b1:fd:a2:31:6d:da:6f:aa:0a:ec:2f:87:
                    db:ca:44:cd:5a:88:89:36:8f:28:c6:4e:f1:51:b5:19:
                    16:a7:d9:53:b5:c4:54:a9:75:25:0d:08:03:69:c9:1f:
                    17:34:60:01:6b:ec:b5:55:d6:28:85:77:fe:13:15:c8:
                    ba:5d:fd:fb:5e:c7:e2:33:62:7c:d6:66:51:a7:89:fc:
                    1d:34:c7:63:f0:f9:f0:ca:af:ad:af:37:32:f4:8c:9d:
                    f1:71:fd:d3:f7:67:ae:2f:c1:97:56:5a:fd:2e:7f:58:
                    87:57:da:dd:fa:66:29:19:88:49:a6:47:4e:d2:3c:5a:
                    3b:b0:c5:82:1a:cc:16:4d:1c:a4:b3:e6:75:56:47:dd
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        8c:a5:01:b8:0f:a3:c6:0a:1c:df:a6:a1:2e:c2:ef:18:
        0a:d2:61:2c:77:32:7b:8d:5b:8a:bf:50:25:32:07:f9:
        4f:e8:b0:65:7d:f5:a4:12:b1:8a:6b:d2:72:97:a3:be:
        80:ed:23:b1:d3:1f:03:7b:76:25:5e:ae:01:c8:19:0e:
        27:3b:4d:b6:f1:a7:be:a9:03:64:7f:e2:63:3a:e1:f1:
        00:47:f3:d6:0b:2d:02:fc:44:8a:ab:c7:10:2a:12:dc:
        82:78:b5:27:7c:d7:c7:f6:11:f6:53:de:55:12:bc:25:
        64:32:35:ef:bd:6c:92:f8:06:2a:58:55:78:c2:33:23:
        f7:ed:f3:fd:dd:23:4b:2e:e4:c7:d6:d5:54:96:84:c9:
        05:1e:1a:0f:68:9a:33:1e:83:f1:df:7c:03:d1:0b:97:
        94:27:05:1c:7d:a5:71:92:08:31:a8:a5:58:3c:5c:61:
        66:b0:31:25:f5:41:c9:0d:48:a5:e4:66:7a:ab:16:a2:
        3b:5e:7a:46:99:e6:bf:ea:0f:bd:8a:3d:13:c2:48:12:
        36:20:54:24:ce:cf:c2:61:30:a0:60:2d:9f:10:8f:ec:
        1d:9a:ca:08:1a:5f:be:f1:85:44:f2:ff:da:f2:38:06:
        9e:4b:d4:1f:7c:d1:6d:02:32:9b:8e:9f:f0:b7:04:0f
    Fingerprint (SHA-256):
        88:CC:46:2A:31:2E:1C:CB:E4:55:A2:3E:CC:63:01:6F:EE:8B:70:85:9E:53:92:12:77:0F:8B:81:31:34:4A:79
    Fingerprint (SHA1):
        BA:22:8D:57:79:01:1B:D5:68:31:27:51:A6:83:9B:6C:29:C1:9D:41
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
        Email Flags:
            User
        Object Signing Flags:
            User
}}}
Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
So when NSS makes sql the default, everything will "just work" from our side :)
BTW, looks like sql as the default was deferred to F28: https://meetbot.fedoraproject.org/fedora-meeting/2017-08-11/fesco.2017-08-11-16.01.log.html But it's good that we have it working already :)
From rcrit:
"You might want to consider allowing a prefix in the NSS db path to avoid requiring an environment variable but otherwise that's great news!"
Noriko's original patch also mentions this:
{{{
This patch tries these 2 cases.
1) #define ENABLE_SQL_PREFIX 1
   This enables generating "sql:/path/to/certdir".
2) /* #define ENABLE_SQL_PREFIX 1 */
   This depends upon the NSS_DEFAULT_DB_TYPE="sql" and use the ordinary
   path to access the cert db.
}}}
I don't think this should be closed out yet.
Metadata Update from @mreynolds:
- Issue status updated to: Open (was: Closed)
That's to override the "current" default scheme.
If NSS swaps the scheme to SQL by default, then everything should "just work" as I understand it. That's why I was happy to close this ....
It would be good to test with a build of NSS that uses SQL by default then to validate the assertion?
I just don't want any surprises when the switch finally happens. As long as DS can handle both DB and SQL seamlessly then I'm happy.
Apparently, there is a case where this does not work :) I will investigate. See https://bugzilla.redhat.com/show_bug.cgi?id=1485370
It could be nss version related as I always tested on fedora, never EL. I suspect in the case we don't have key3.db, we need to check key4.db and then prefix sql: to the url.
However, I would have expected NSS lib to do this. Investigation needed.
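The two ways of addressing the database that the thread contrasts (exporting NSS_DEFAULT_DB_TYPE=sql versus passing a `sql:` prefix to `certutil -d`) and the format detection suggested just above (look for key4.db when key3.db is absent, then prefix `sql:`) can be checked from the shell without relying on the environment variable. The script below is an added example written for this page; it is not from the ticket's patch or from 389-ds-base. It assumes, as the `ls` output in the thread and the NSS documentation show, that an sql-format directory holds cert9.db and key4.db and a legacy dbm-format directory holds cert8.db and key3.db, and that certutil accepts both the `sql:` and `dbm:` prefixes. The function names (`nss_db_spec`, `nss_list_certs`) and the constructed directories in `demo` are the example's own.

```shell
#!/bin/sh
# Added example, not 389-ds-base code: derive the database spec to pass to
# "certutil -d" from the files present in a certificate directory, so the
# caller never depends on NSS_DEFAULT_DB_TYPE being set in the environment.
#
# Assumption (matches the ls output in the thread): sql format = cert9.db +
# key4.db; legacy dbm format = cert8.db + key3.db.

# Print "sql:<dir>" or "dbm:<dir>" for a certdb directory. Return 1 when the
# directory holds neither set of files, or both (ambiguous: refuse to guess).
nss_db_spec() {
    dir=$1
    have_sql=0
    have_dbm=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && have_sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && have_dbm=1
    if [ "$have_sql" -eq 1 ] && [ "$have_dbm" -eq 0 ]; then
        printf 'sql:%s\n' "$dir"
    elif [ "$have_dbm" -eq 1 ] && [ "$have_sql" -eq 0 ]; then
        printf 'dbm:%s\n' "$dir"
    else
        printf 'error: %s holds no single NSS db format (sql=%s dbm=%s)\n' \
            "$dir" "$have_sql" "$have_dbm" >&2
        return 1
    fi
}

# List the certificates in a directory with the right prefix. Requires
# certutil; nss_db_spec above does not.
nss_list_certs() {
    spec=$(nss_db_spec "$1") || return 1
    certutil -L -d "$spec"
}

# Demo on constructed directories (empty files stand in for real databases).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sqlcert" "$tmp/dbmcert" "$tmp/empty" "$tmp/both"
    touch "$tmp/sqlcert/cert9.db" "$tmp/sqlcert/key4.db"
    touch "$tmp/dbmcert/cert8.db" "$tmp/dbmcert/key3.db"
    touch "$tmp/both/cert9.db" "$tmp/both/key4.db" \
          "$tmp/both/cert8.db" "$tmp/both/key3.db"
    nss_db_spec "$tmp/sqlcert"                         # sql:<tmp>/sqlcert
    nss_db_spec "$tmp/dbmcert"                         # dbm:<tmp>/dbmcert
    nss_db_spec "$tmp/empty" || echo "empty dir rejected, as intended"
    nss_db_spec "$tmp/both"  || echo "mixed dir rejected, as intended"
    rm -rf "$tmp"
}

demo
```

Refusing to pick a format when both file sets are present is deliberate: a directory that carries cert8.db/key3.db beside cert9.db/key4.db is the state an interrupted or partial migration leaves behind, and silently choosing one side would be exactly the kind of surprise the thread is trying to avoid.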
This is working, closing ticket
Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1820
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)