Bug 501846 - Running setup-ds-admin.pl -u on replica with ldaps chokes on CA cert
Summary: Running setup-ds-admin.pl -u on replica with ldaps chokes on CA cert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Install/Uninstall
Version: 1.3.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 434915 389_1.2.3
Reported: 2009-05-21 01:53 UTC by jsullivan
Modified: 2015-12-07 17:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:14:33 UTC
Embargoed:



Description jsullivan 2009-05-21 01:53:06 UTC
Description of problem:
I was upgrading from 8.0 to 8.1 on a RO replica before upgrading the master.  Communication is via ldaps.  setup-ds-admin.pl asks for the path to the CA cert.  When given the path, it complains that the cert is already in the database.  Of course it is, as we have been using it all along.  It does not proceed.  I had to delete the CA cert from the database in order to successfully run setup-ds-admin.pl.

Version-Release number of selected component (if applicable):
8.1

How reproducible:
Every time

Steps to Reproduce:
1. Upgrade RO replica which uses configuration from another server via ldaps using an existing CA cert
2. Run setup-ds-admin.pl -u
3. When prompted, enter the path to the CA cert file.

Actual results:
[root@ldap02 slapd-ldap02]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your
servers that the console and admin server uses.  You will need your
configuration directory server admin ID and password to continue.

Continue? [yes]:

==============================================================================
Please specify the information about your configuration directory
server.  The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
  protocol (ldap or ldaps) - this information should be provided in the
  form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
  or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
  security has not yet been configured - the file must be in PEM/ASCII
  format - specify the absolute path and filename

Configuration directory server URL [ldaps://ldap01.mycompany.com:636/o=NetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [mycompany.com]:
CA certificate filename: /etc/dirsrv/admin-serv/SSICA.pem
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate.  Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.



Expected results:
Reuse of the existing CA cert

Additional info:

Comment 1 Rich Megginson 2009-09-21 21:12:52 UTC
Reviewed by: nkinder (Thanks!)
Fix Description: If the config directory LDAP url begins with ldaps, set the certdb to the existing cert directory.  NOTE that this assumes you have a valid CA cert in your cert db already, and does not allow you to change it during setup.
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no

To ssh://git.fedorahosted.org/git/389/admin.git
   d6afe98..830ad0a  master -> master

commit 830ad0a6dc8f9fe286b1f8a4778ce6f71b0faa9d
Author: Rich Megginson <rmeggins>
Date:   Mon Sep 21 15:09:54 2009 -0600

    Running setup-ds-admin.pl -u on replica with ldaps chokes on CA cert

Comment 2 Amita Sharma 2011-05-25 08:21:32 UTC
I am facing the same issue :

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [yes]: yes

==============================================================================
Please specify the information about your configuration directory
server.  The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
  protocol (ldap or ldaps) - this information should be provided in the
  form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
  or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
  security has not yet been configured - the file must be in PEM/ASCII
  format - specify the absolute path and filename

Configuration directory server URL [ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot]: ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]: 
Configuration directory server admin password: 
Configuration directory server admin domain [pnq.redhat.com]:          
CA certificate filename: /etc/dirsrv/slapd-rheltest/adminserv.p12
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate.  Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.

Configuration directory server URL [ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot]: 

My certdb is set :
[root@rheltest ~]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Admin-Cert                                                   u,u,u
CA certificate                                               CTu,u,u

Please guide here.

Comment 3 Rich Megginson 2011-05-26 13:29:03 UTC
/etc/dirsrv/slapd-rheltest/adminserv.p12 is not a CA certificate file name.  The CA certificate filename is usually cacert.asc or something like that.

Comment 4 Amita Sharma 2011-05-27 10:48:15 UTC
Still getting the same error :( 

[root@rheltest slapd-rheltest]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your
servers that the console and admin server uses.  You will need your
configuration directory server admin ID and password to continue.

Continue? [yes]: yes

==============================================================================
Please specify the information about your configuration directory
server.  The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
  protocol (ldap or ldaps) - this information should be provided in the
  form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
  or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
  security has not yet been configured - the file must be in PEM/ASCII
  format - specify the absolute path and filename

Configuration directory server URL [ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot]: ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot
Configuration directory server admin ID [uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]: 
Configuration directory server admin password: 
Configuration directory server admin domain [pnq.redhat.com]: 
CA certificate filename: /etc/dirsrv/slapd-rheltest/cacert.asc
The certificate database in '/etc/dirsrv/admin-serv' already contains a CA certificate.  Please remove it first, or use the certutil program to add the CA certificate with a different name.
Please try again, in case you mis-typed something.

Configuration directory server URL [ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot]:

Comment 5 Rich Megginson 2011-05-27 15:15:22 UTC
So the original Config DS Ldap URL is ldap://rheltest.pnq.redhat.com:389/o=NetscapeRoot and during setup you are attempting to change it to ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot ?  That is not supported.  You should have already set up the config DS to use LDAPS.  (It uses the ldapurl setting from /etc/dirsrv/admin-serv/adm.conf).  Then, when you run setup, it should prompt you with ldaps://rheltest.pnq.redhat.com:636/o=NetscapeRoot instead of ldap://rheltest.pnq.redhat.com:389, and it will _not_ prompt you to enter the CA certificate.
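The decision described in comment 1 (an ldaps config DS URL means the existing cert database is reused and no CA certificate is imported) and in comment 5 (the URL comes from the ldapurl setting in adm.conf, and switching ldap to ldaps during setup -u is not supported) can be modelled in a few lines. The following is an added example written for this page in Python, not the project's Perl code: it assumes adm.conf is "key: value" text, uses constructed samples of adm.conf and of the certutil -L listing from comment 2, and the `fixed` switch and the `ADMIN_SERV_DIR` constant are hypothetical names chosen here to show the pre-fix and post-fix behaviour side by side.

```python
"""Model of the CA-certificate decision in setup-ds-admin.pl -u (added example,
not the project's own code)."""
import re
from urllib.parse import urlsplit

# Constructed sample of /etc/dirsrv/admin-serv/adm.conf ("key: value" lines, assumed format).
ADM_CONF_LDAPS = """\
AdminDomain: mycompany.com
ldapurl: ldaps://ldap01.mycompany.com:636/o=NetscapeRoot
"""
# Same server before it was set up for LDAPS (constructed).
ADM_CONF_LDAP = ADM_CONF_LDAPS.replace("ldaps://ldap01.mycompany.com:636",
                                       "ldap://ldap01.mycompany.com:389")

# Constructed certutil -L listings in the layout shown in comment 2.
CERTDB_WITH_CA = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Admin-Cert                                                   u,u,u
CA certificate                                               CTu,u,u
"""
CERTDB_WITHOUT_CA = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
"""

ADMIN_SERV_DIR = "/etc/dirsrv/admin-serv"  # cert db named in the error message
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")


def read_adm_conf(text):
    """Parse 'key: value' lines into a dict; only the first ':' splits, so URLs survive."""
    conf = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} trust flags from 'certutil -L' output."""
    certs = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0]] = tuple(TRUST_RE.match(parts[1]).groups())
    return certs


def has_trusted_ca(certs):
    """A CA entry carries C (trusted CA) or T (trusted CA for client auth) in its SSL flags."""
    return any("C" in ssl or "T" in ssl for ssl, _, _ in certs.values())


def plan_update(adm_conf_text, certutil_text, requested_url=None, fixed=True):
    """Decide what setup -u does about the CA cert.

    Returns {"prompt_ca_cert": bool, "certdb": path or None, "error": str or None}.
    """
    current_url = read_adm_conf(adm_conf_text)["ldapurl"]
    scheme = urlsplit(current_url).scheme
    certs = parse_certutil_listing(certutil_text)

    # Comment 5: the protocol cannot be changed during -u; set the config DS up
    # for LDAPS first so adm.conf already carries an ldaps URL.
    if requested_url and urlsplit(requested_url).scheme != scheme:
        return {"prompt_ca_cert": False, "certdb": None,
                "error": "changing the config DS protocol during setup -u is not supported"}

    if scheme != "ldaps":  # plain ldap: no certificate handling at all
        return {"prompt_ca_cert": False, "certdb": None, "error": None}

    if not fixed:
        # Pre-fix behaviour from the report: prompt for a CA file, then refuse
        # to import it into a cert db that already holds a CA.
        if has_trusted_ca(certs):
            return {"prompt_ca_cert": True, "certdb": None,
                    "error": "The certificate database in '%s' already contains a CA certificate."
                             % ADMIN_SERV_DIR}
        return {"prompt_ca_cert": True, "certdb": ADMIN_SERV_DIR, "error": None}

    # Fixed behaviour (comment 1): reuse the existing cert db and never prompt.
    # The fix assumes a valid CA cert is already there, so report it if it is not.
    if not has_trusted_ca(certs):
        return {"prompt_ca_cert": False, "certdb": ADMIN_SERV_DIR,
                "error": "no trusted CA certificate in '%s'; add one with certutil first"
                         % ADMIN_SERV_DIR}
    return {"prompt_ca_cert": False, "certdb": ADMIN_SERV_DIR, "error": None}


if __name__ == "__main__":
    print("before fix:", plan_update(ADM_CONF_LDAPS, CERTDB_WITH_CA, fixed=False))
    print("after fix: ", plan_update(ADM_CONF_LDAPS, CERTDB_WITH_CA))
    print("ldap->ldaps:", plan_update(ADM_CONF_LDAP, CERTDB_WITH_CA,
                                      requested_url="ldaps://ldap01.mycompany.com:636/o=NetscapeRoot"))
```

The check in `has_trusted_ca` is the one a practitioner would run by hand before the upgrade: `certutil -L -d /etc/dirsrv/admin-serv` should show the CA nickname with `C` or `T` in the SSL column, as in comment 2; a listing with only `u,u,u` entries means the fixed script will reuse a cert db that cannot verify the config DS certificate.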

Comment 6 Amita Sharma 2011-05-30 06:56:15 UTC
hmmm, okie.. Got it right. VERIFIED.

