| Summary: | Proper logging if the SSL enabling failed due to incorrect trust flags | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Geetika Kapoor <gkapoor> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | nkinder, rmeggins |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-28 14:41:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

While setting up DS with TLS, trust flags need to be set as mentioned below:

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA certificate                                               CTu,u,u
    server-cert                                                  u,u,u
    Server-Cert                                                  u,u,u

If the trust is not set up properly, we get the below-mentioned exception in the directory server logs:

<trust>
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA certificate                                               CT,,
    server-cert                                                  ,,
    Server-Cert                                                  ,,
</trust>

[23/Nov/2016:22:10:36.913504612 +051800] slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)[23/Nov/2016:22:10:36.921381616 +051800] ERROR: SSL Initialization Failed. Disabling SSL.

This error is very generic and never tells the reason behind the failure.

Version-Release number of selected component (if applicable):
1.3.5.10-11.el7

How reproducible:

Steps to Reproduce:
1. Set up trust flags as mentioned below.

<trust>
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CA certificate                                               CT,,
    server-cert                                                  ,,
    Server-Cert                                                  ,,
</trust>

Actual results:
Failure reason doesn't show the actual reason of failure.

[23/Nov/2016:22:11:31.901119336 +051800] slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)[23/Nov/2016:22:11:31.913004139 +051800] ERROR: SSL Initialization Failed. Disabling SSL.

Expected results:
Error logs could probably show some logging using which we can figure out the correct reason for failure.

Additional info:

Complete logs:

[23/Nov/2016:22:10:36.933811005 +051800] 389-Directory/1.3.5.10 B2016.257.1817 starting up
[23/Nov/2016:22:10:37.149617318 +051800] slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Nov/2016:22:11:31.840633119 +051800] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[23/Nov/2016:22:11:31.901119336 +051800] slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)[23/Nov/2016:22:11:31.913004139 +051800] ERROR: SSL Initialization Failed. Disabling SSL.
[23/Nov/2016:22:11:31.925522389 +051800] 389-Directory/1.3.5.10 B2016.257.1817 starting up
[23/Nov/2016:22:11:31.964573849 +051800] Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[23/Nov/2016:22:11:32.269108722 +051800] slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Nov/2016:22:18:24.268267756 +051800] slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0
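
Since the server log only reports error -8192, a pre-start check can name the certificates at fault. The following is an added example, not code from this report or from 389-ds-base: it parses a `certutil -L` style listing and reports each nickname whose SSL trust flags fall short of the working values listed in the description. The function names and the embedded listing are constructed for illustration.

```python
import re

# Trust attributes the report lists as the working setup.
EXPECTED = {
    "CA certificate": "CTu,u,u",
    "server-cert": "u,u,u",
    "Server-Cert": "u,u,u",
}

# Constructed sample: the failing listing from the report, laid out like `certutil -L` output.
FAILING_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
server-cert                                                  ,,
Server-Cert                                                  ,,
"""

# A trust column holds three comma-separated flag groups; any group may be empty.
ROW = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Return {nickname: trust_attributes}; header lines do not match ROW."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs

def trust_problems(listing, expected=EXPECTED):
    """Return one message per nickname whose SSL flag group lacks an expected flag."""
    certs = parse_listing(listing)
    problems = []
    for nick, want in expected.items():
        if nick not in certs:
            problems.append(f"{nick}: not found in certificate database")
            continue
        # Assumption: only the first (SSL) group matters for the TLS listener.
        have_ssl, want_ssl = certs[nick].split(",")[0], want.split(",")[0]
        missing = "".join(f for f in want_ssl if f not in have_ssl)
        if missing:
            problems.append(
                f"{nick}: SSL trust '{have_ssl}' is missing {missing} (expected {want})")
    return problems
```

On a live system the listing text would come from running `certutil -L` against the instance's NSS database directory.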