Created attachment 1312637
Error message from Manage Certificates

Description of problem:
When "Use SSL in Console" is enabled for Directory Server, clicking on Tasks->Manage Certificates shows

Could not open file (null). File does not exist or filename is invalid. A filename that exists in the server security directory must be specified. Absolute or relative paths should not be specified.

Version-Release number of selected component (if applicable):
389-ds-base-libs-1.3.6.6-2.fc26.x86_64
389-ds-console-1.2.16-2.fc26.noarch
389-ds-1.2.2-9.fc26.noarch
389-admin-console-1.1.12-2.fc26.noarch
389-dsgw-1.1.11-11.fc26.x86_64
389-admin-1.1.46-1.fc26.1.x86_64
389-admin-console-doc-1.1.12-2.fc26.noarch
389-adminutil-1.1.23-2.fc26.x86_64
389-console-1.1.18-2.fc26.noarch
389-ds-base-1.3.6.6-2.fc26.x86_64
389-ds-console-doc-1.2.16-2.fc26.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a single Directory Server with setup-ds-admin.pl. No replication, only one user DIT
2. "Enable SSL for this Server" on Directory Server. Confirm that ldaps works. Confirm that Task->Manage Certificates works
3. Check "Use SSL in Console"
4. Try Tasks -> Manage Certificates. Fails with "An error has occurred"

Actual results:
Error dialog box

Expected results:
Manage Certificates dialog box

Additional info:
There are no error logs related to the file access
Created attachment 1312758
Failed when clicking Manage Certificates 389-console log

Created attachment 1312761
Use SSL in Console off, can Manage Certificates
The POSTS (Use SSL in Console on/off) are identical:

sie=slapd-example&formop=TOKEN_INFO

With Use SSL in Console checked: the reply

Content-type: text/html
NMC_Status: 1
NMC_ErrType:
NMC_ErrInfo: An error has occured.
NMC_ErrDetail: Could not open file (null). File does not exist or filename is invalid. A filename that exists in the server security directory must be specified. Absolute or relative paths should not be specified.

With SSL in Console unchecked: the reply

<TOKENINFO>
<NSS Generic Crypto Services>
<MODULE>NSS Internal PKCS #11 Module</MODULE>
<INTERNAL>TRUE</INTERNAL>
<HARDWARE>FALSE</HARDWARE>
<READONLY>TRUE</READONLY>
<NEED_LOGIN>FALSE</NEED_LOGIN>
<FRIENDLY>TRUE</FRIENDLY>
<NEED_USER_INIT>TRUE</NEED_USER_INIT>
</NSS Generic Crypto Services>
<internal (software)>
<MODULE>NSS Internal PKCS #11 Module</MODULE>
<INTERNAL>TRUE</INTERNAL>
<HARDWARE>FALSE</HARDWARE>
<READONLY>FALSE</READONLY>
<NEED_LOGIN>TRUE</NEED_LOGIN>
<FRIENDLY>TRUE</FRIENDLY>
<NEED_USER_INIT>FALSE</NEED_USER_INIT>
</internal (software)>
</TOKENINFO>
Content-type: text/html
NMC_Status: 0
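An added example, not part of the original report and not the 389 project's own code: a small Python parser for the two TOKEN_INFO replies quoted in the comment above, useful when comparing captured replies during triage. It assumes one field per line (the page shows the replies flattened); the sample replies are constructed and abbreviated from the quoted ones, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated samples modelled on the two replies quoted above.
# Assumption: each header or element sits on its own line.
FAILED = """Content-type: text/html
NMC_Status: 1
NMC_ErrType:
NMC_ErrInfo: An error has occured.
NMC_ErrDetail: Could not open file (null). File does not exist or filename is invalid.
"""

OK = """<TOKENINFO>
<internal (software)>
<MODULE>NSS Internal PKCS #11 Module</MODULE>
<READONLY>FALSE</READONLY>
<NEED_LOGIN>TRUE</NEED_LOGIN>
</internal (software)>
</TOKENINFO>
Content-type: text/html
NMC_Status: 0
"""

# [ \t]* rather than \s* so an empty value (NMC_ErrType:) does not swallow
# the newline and the next header.
NMC_FIELD = re.compile(r"^(NMC_\w+):[ \t]*(.*)$", re.M)
# Token names contain spaces and parentheses, so the body is not well-formed
# XML; pair open/close tags by back-reference instead of using an XML parser.
TOKEN = re.compile(r"^<([^/<>][^<>]*)>\n(.*?)^</\1>$", re.M | re.S)
ATTR = re.compile(r"^<(\w+)>(.*)</\1>$", re.M)

def parse_reply(text):
    """Return (status, nmc_fields, tokens); status is -1 if NMC_Status is absent."""
    fields = dict(NMC_FIELD.findall(text))
    status = int(fields.get("NMC_Status", -1))
    tokens = {}
    inner = re.search(r"<TOKENINFO>\n(.*)</TOKENINFO>", text, re.S)
    if inner:
        for name, body in TOKEN.findall(inner.group(1)):
            tokens[name] = dict(ATTR.findall(body))
    return status, fields, tokens

def null_filename(fields):
    """True when the error detail shows an unset filename rendered as (null)."""
    return "(null)" in fields.get("NMC_ErrDetail", "")
```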
Hi,
could you please provide the version of nss?

# rpm -qa | egrep '^nss'

And file permissions for your nss db files:

# ls -laZ /etc/dirsrv/slapd-instance/

Thanks!
Additional info: Both of the following commands are working:

sudo -u dirsrv LDAPTLS_CACERTDIR=/etc/dirsrv/admin-serv ldapsearch -x -b dc=example,dc=com -H ldaps:///
sudo -u dirsrv LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-example ldapsearch -x -b dc=example,dc=com -H ldaps:///

I am able to switch admin-serv to using TLS; after which "Manage Certificates" button still works.

Requested info:

[root@ldap dirsrv]# rpm -qa | egrep ^nss
nss-3.31.0-1.1.fc26.x86_64
nss-util-3.31.0-1.0.fc26.x86_64
nss-sysinit-3.31.0-1.1.fc26.x86_64
nss-pem-1.0.3-3.fc26.x86_64
nss-softokn-freebl-3.31.0-1.0.fc26.x86_64
nss-softokn-3.31.0-1.0.fc26.x86_64
nss-tools-3.31.0-1.1.fc26.x86_64

[root@ldap dirsrv]# ls -l admin-serv/ slapd-example/
admin-serv/:
total 156
-rw-------. 1 dirsrv root 492 Aug 14 14:23 adm.conf
-rw-------. 1 dirsrv root 40 Aug 14 14:23 admpw
-rw-r--r--. 1 root root 3936 Feb 10 2017 admserv.conf
drwxr-xr-x. 2 root root 4096 Aug 14 14:23 bakup
-rw-------. 1 dirsrv root 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root 4531 Aug 14 14:49 console.conf
-rw-r--r--. 1 root root 26748 Feb 10 2017 httpd.conf
-rw-------. 1 dirsrv root 16384 Aug 14 15:51 key3.db
-rw-------. 1 dirsrv root 8956 Aug 14 15:47 local.conf
-rw-r--r--. 1 root root 4505 Feb 10 2017 nss.conf
-r--------. 1 dirsrv root 20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root 16384 Aug 14 14:23 secmod.db

slapd-example/:
total 392
-rw-rw----. 1 dirsrv dirsrv 65536 Aug 14 15:51 cert8.db
-r--r-----. 1 dirsrv dirsrv 1676 Aug 14 14:22 certmap.conf
-rw-------. 1 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif
-rw-------. 2 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv 82606 Aug 14 15:50 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 34975 Aug 14 14:22 dse_original.ldif
-rw-rw----. 1 dirsrv dirsrv 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root 37 Aug 14 14:37 pin.txt
drwxrwx---. 2 dirsrv dirsrv 4096 Aug 14 15:50 schema
-rw-rw----. 1 dirsrv dirsrv 16384 Aug 14 15:50 secmod.db
-r--r-----. 1 dirsrv dirsrv 15142 Aug 14 14:22 slapd-collations.conf
Forgot about -Z

[root@ldap dirsrv]# ls -laZ admin-serv/ slapd-example/
admin-serv/:
total 164
drwx------. 3 dirsrv root system_u:object_r:dirsrvadmin_config_t:s0 4096 Aug 14 14:49 .
drwxrwxr-x. 7 root dirsrv system_u:object_r:dirsrv_config_t:s0 4096 Aug 14 14:22 ..
-rw-------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 492 Aug 14 14:23 adm.conf
-rw-------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 40 Aug 14 14:23 admpw
-rw-r--r--. 1 root root system_u:object_r:dirsrvadmin_config_t:s0 3936 Feb 10 2017 admserv.conf
drwxr-xr-x. 2 root root unconfined_u:object_r:dirsrvadmin_config_t:s0 4096 Aug 14 14:23 bakup
-rw-------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 65536 Aug 14 15:51 cert8.db
-rw-------. 1 dirsrv root system_u:object_r:dirsrvadmin_config_t:s0 4531 Aug 14 14:49 console.conf
-rw-r--r--. 1 root root system_u:object_r:dirsrvadmin_config_t:s0 26748 Feb 10 2017 httpd.conf
-rw-------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 15:51 key3.db
-rw-------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 8956 Aug 14 15:47 local.conf
-rw-r--r--. 1 root root system_u:object_r:dirsrvadmin_config_t:s0 4505 Feb 10 2017 nss.conf
-r--------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 20 Aug 14 14:34 pin.txt
-rw-------. 1 dirsrv root unconfined_u:object_r:dirsrvadmin_config_t:s0 16384 Aug 14 14:23 secmod.db

slapd-example/:
total 400
drwxrwx---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Aug 14 15:50 .
drwxrwxr-x. 7 root dirsrv system_u:object_r:dirsrv_config_t:s0 4096 Aug 14 14:22 ..
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 65536 Aug 14 15:51 cert8.db
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1676 Aug 14 14:22 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 82606 Aug 14 15:50 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 82606 Aug 14 15:50 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 82606 Aug 14 15:50 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 34975 Aug 14 14:22 dse_original.ldif
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:51 key3.db
-r--------. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 37 Aug 14 14:37 pin.txt
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Aug 14 15:50 schema
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 16384 Aug 14 15:50 secmod.db
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Aug 14 14:22 slapd-collations.conf
[root@ldap dirsrv]# audit2allow -al

#============= dirsrvadmin_script_t ==============
allow dirsrvadmin_script_t sssd_public_t:file { getattr open read };
allow dirsrvadmin_script_t sssd_t:unix_stream_socket connectto;
allow dirsrvadmin_script_t sssd_var_lib_t:dir search;
allow dirsrvadmin_script_t sssd_var_lib_t:sock_file write;
allow dirsrvadmin_script_t systemd_unit_file_t:service { start status stop };

I have temporarily set SELinux to Permissive. Forgive us our trespasses...
Also DS Console Configuration -> Encryption shows the same (null) error box, but when you dismiss the dialog it goes to the Encryption tab.

With Manage Certificates: when you dismiss the dialog box, the same dialog box appears again. Dismissing a 2nd time returns to the main DS Console screen.
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.