Description of problem:
I was upgrading from 8.0 to 8.1 on a RO replica before upgrading the master. Communication is via ldaps. setup-ds-admin.pl asks for the path to the CA cert. When given the path, it complains that the cert is already in the database. Of course it is, as we have been using it all along. It does not proceed. I had to delete the CA cert from the database in order to successfully run setup-ds-admin.pl

Version-Release number of selected component (if applicable):
8.1

How reproducible:
Every time

Steps to Reproduce:
1. Upgrade RO replica which uses configuration from another server via ldaps using an existing CA cert
2. Run setup-ds-admin.pl -u
3. When prompted, enter the path to the CA cert file.

Actual results:
[root@ldap02 slapd-ldap02]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your servers
that the console and admin server uses. You will need your configuration
directory server admin ID and password to continue.

Continue? [yes]:

==============================================================================
Please specify the information about your configuration directory server. The
following information is required:
- host (fully qualified), port (non-secure or secure), suffix, protocol (ldap
or ldaps) - this information should be provided in the form of an LDAP url e.g.
for non-secure ldap://host.example.com:389/o=NetscapeRoot or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and security
has not yet been configured - the file must be in PEM/ASCII format - specify the
absolute path and filename

Configuration directory server URL [ldaps://ldap01.mycompany.com:636/o=NetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [mycompany.com]:
CA certificate filename: /etc/dirsrv/admin-serv/SSICA.pem
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.

Expected results:
Reuse of the existing CA cert

Additional info:
Reviewed by: nkinder (Thanks!)
Fix Description: If the config directory LDAP url begins with ldaps, set the certdb to the existing cert directory. NOTE that this assumes you have a valid CA cert in your cert db already, and does not allow you to change it during setup.
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no

To ssh://git.fedorahosted.org/git/389/admin.git
   d6afe98..830ad0a  master -> master
commit 830ad0a6dc8f9fe286b1f8a4778ce6f71b0faa9d
Author: Rich Megginson <rmeggins>
Date:   Mon Sep 21 15:09:54 2009 -0600

    Running setup-ds-admin.pl -u on replica with ldaps chokes on CA cert
I am facing the same issue:

If you do not yet have a configuration directory server, enter 'No' to be
prompted to set up one.

Do you want to register this software with an existing configuration
directory server? [yes]: yes

==============================================================================
Please specify the information about your configuration directory server. The
following information is required:
- host (fully qualified), port (non-secure or secure), suffix, protocol (ldap
or ldaps) - this information should be provided in the form of an LDAP url e.g.
for non-secure ldap://host.example.com:389/o=NetscapeRoot or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and security
has not yet been configured - the file must be in PEM/ASCII format - specify the
absolute path and filename

Configuration directory server URL [ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot]: ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [pnq.redhat.com]:
CA certificate filename: /etc/dirsrv/slapd-rheltest/adminserv.p12
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.
Configuration directory server URL [ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot]:

My certdb is set:

[root@rheltest ~]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Admin-Cert                                                   u,u,u
CA certificate                                               CTu,u,u

Please guide here.
/etc/dirsrv/slapd-rheltest/adminserv.p12 is not a CA certificate file name. The CA certificate filename is usually cacert.asc or something like that.
Still getting the same error :(

[root@rheltest slapd-rheltest]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your servers
that the console and admin server uses. You will need your configuration
directory server admin ID and password to continue.

Continue? [yes]: yes

==============================================================================
Please specify the information about your configuration directory server. The
following information is required:
- host (fully qualified), port (non-secure or secure), suffix, protocol (ldap
or ldaps) - this information should be provided in the form of an LDAP url e.g.
for non-secure ldap://host.example.com:389/o=NetscapeRoot or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and security
has not yet been configured - the file must be in PEM/ASCII format - specify the
absolute path and filename

Configuration directory server URL [ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot]: ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [pnq.redhat.com]:
CA certificate filename: /etc/dirsrv/slapd-rheltest/cacert.asc
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate. Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.
Configuration directory server URL [ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot]:
So the original Config DS Ldap URL is ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot and during setup you are attempting to change it to ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot ? That is not supported. You should have already set up the config DS to use LDAPS. (It uses the ldapurl setting from /etc/dirsrv/admin-serv/adm.conf). Then, when you run setup, it should prompt you with ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot instead of ldap://rheltest.pnq.redhat.com:389, and it will _not_ prompt you to enter the CA certificate.
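The two conditions described in this thread (the fix reuses the existing certdb only when the configured ldapurl already starts with ldaps, and that assumes a trusted CA certificate is already in the admin-serv certdb) can be checked before running setup-ds-admin.pl -u. The following preflight script is an added example and is not part of the 389 admin code; it assumes adm.conf uses "key: value" lines with a key named ldapurl, and it works on constructed sample text standing in for /etc/dirsrv/admin-serv/adm.conf and for the output of certutil -L so it runs offline. On a real host, replace the samples with the file contents and the certutil output for the admin-serv certdb.

```shell
#!/bin/sh
# Preflight for setup-ds-admin.pl -u on an ldaps-registered instance.
# Decides whether setup will reuse the existing CA cert ("reuse"), prompt
# for a CA cert file because the config DS URL is plain ldap ("prompt"),
# or hit the unsupported case of ldaps with no trusted CA in the certdb
# ("missing"). Samples below are constructed for this example.

# Constructed stand-in for /etc/dirsrv/admin-serv/adm.conf
# (assumed "key: value" format).
ADM_CONF_SAMPLE='AdminDomain: example.com
ldapurl: ldaps://ldap01.example.com:636/o=NetscapeRoot
SecurityOn: on'

# Constructed stand-in for `certutil -L -d /etc/dirsrv/admin-serv` output.
CERTUTIL_SAMPLE='
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
Admin-Cert                                      u,u,u
CA certificate                                  CTu,u,u'

# config_ldapurl TEXT: print the first ldapurl value found in adm.conf text.
config_ldapurl() {
    printf '%s\n' "$1" | sed -n 's/^ldapurl:[[:space:]]*//p' | head -n 1
}

# url_is_ldaps URL: succeed only when the scheme is ldaps.
url_is_ldaps() {
    case "$1" in
        ldaps://*|LDAPS://*) return 0 ;;
        *) return 1 ;;
    esac
}

# certdb_has_trusted_ca TEXT: succeed when a certutil listing contains an
# entry whose SSL trust flags (first comma-separated field of the last
# column) carry both C (trusted CA for servers) and T (trusted CA for clients).
certdb_has_trusted_ca() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /,/ {
            split($NF, t, ",")
            if (t[1] ~ /C/ && t[1] ~ /T/) { found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# ca_cert_action ADM_CONF_TEXT CERTUTIL_TEXT: print reuse | prompt | missing.
ca_cert_action() {
    url=$(config_ldapurl "$1")
    if url_is_ldaps "$url"; then
        if certdb_has_trusted_ca "$2"; then
            echo reuse
        else
            echo missing
        fi
    else
        echo prompt
    fi
}

# Stand-alone run against the constructed samples.
echo "config DS URL: $(config_ldapurl "$ADM_CONF_SAMPLE")"
echo "setup-ds-admin.pl -u will: $(ca_cert_action "$ADM_CONF_SAMPLE" "$CERTUTIL_SAMPLE")"
```

A "missing" result means the registration URL is already ldaps but the admin-serv certdb has no entry trusted as a CA, which is exactly the state the fix does not handle; import the CA into the certdb (certutil is what the setup error message itself points to) before running the update. A "prompt" result reproduces the situation in this thread: the instance is registered over plain ldap, so changing the URL to ldaps during setup is not supported and the config DS must be switched to LDAPS first.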
hmmm, okie.. Got it right. VERIFIED.