215220 – Manage SSL fails: Could not open file slapd-<servername>-cert8.db

Bug 215220 - Manage SSL fails: Could not open file slapd-<servername>-cert8.db

Summary: Manage SSL fails: Could not open file slapd-<servername>-cert8.db

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	389
Classification:	Retired
Component:	Security - SSL
Sub Component:
Version:	1.0.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Rich Megginson
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-11-12 15:45 UTC by Graham Leggett
Modified:	2015-01-04 23:21 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-10-05 14:57:49 UTC
Embargoed:

Attachments	(Terms of Use)

Description Graham Leggett 2006-11-12 15:45:48 UTC

If an attempt is made to create a certificate database called:

slapd-<servername>-cert8.db
slapd-<servername>-key3.db

inside the /opt/fedora-ds/alias directory owned by the ldap user (server
configured to run as user ldap:ldap), and from the admin console you click on
"manage certificates" for the directory server, you get the message "Could not
open file slapd-<servername>-cert8.db".

No explanation is given as to why this database could not be opened (file does
not exist, insufficient permissions, database corrupt, etc).

The path is not included in the error message, and so there is no way to confirm
whether the database inside /opt/fedora-ds/alias is the right database, or
whether the database should exist elsewhere.

As a result, it is currently not possible to enabled SSL on FDS v1.0.4.

Comment 1 Rich Megginson 2006-11-14 21:53:27 UTC

I just tried to reproduce this with a clean FDS 1.0.4 install on a RHEL4 system.
 I ran setup, then started the console, opened the directory server console,
clicked on Manage Certificates.  I got the dialog asking me for the new ssl pin
for the new key/cert db.  I entered the pin, and it gave me the Manage
Certificates dialog.  I could even browse the list of CA certs.
The alias directory contains the slapd-localhost-cert8.db and
slapd-localhost-key3.db files with the correct ownership and permissions.

So at this point, I think we need some more information, because we are missing
something here.

> As a result, it is currently not possible to enabled SSL on FDS v1.0.4.

You can also use the command line tools:
http://directory.fedora.redhat.com/wiki/Howto:SSL

Comment 2 Graham Leggett 2006-11-14 23:04:07 UTC

Sorry, I wasn't specific enough. The certificate database was created externally
using certutil and pk12util, the certificate database was already present when
"manage certificates" was clicked the first time.

If the database already exists, the directory server refuses to open this
database. No specific reasons are given for this in the error message.

Comment 3 Rich Megginson 2006-11-14 23:47:06 UTC

If you created the files externally, did you make sure the files were owned by
ldap:ldap, were writable e.g. mode 0600, and the alias directory was also owned
and writable by ldap:ldap?

Comment 4 Rich Megginson 2007-10-05 14:57:49 UTC

The key/cert db layout is much improved in Fedora DS 1.1

Note You need to log in before you can comment on or make changes to this bug.