Reinhard Nappert wrote:
> No, this is fine.
>
> Before I restart the server certutil is fine, afterwards, it is not ......
Are both dirsrv and certutil using the same NSS library?

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Tuesday, September 28, 2010 3:13 PM
> To: General discussion list for the 389 Directory server project.
> Cc: Reinhard Nappert
> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>
> Reinhard Nappert wrote:
>> I have the same permissions.
>>
>> CTu,u,u works with my previous servers. Since I did a certutil -L -d ....
>> before the restart, I know that the database was fine before I restarted the
>> server.
>>
>
> Could this be pin related? Do you have a different password set on the
> database than the 389-ds instance is expecting?
>
> rob
>
>> -Reinhard
>>
>> -----Original Message-----
>> From: 389-users-boun...@lists.fedoraproject.org
>> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of
>> Gerrard Geldenhuis
>> Sent: Tuesday, September 28, 2010 2:47 PM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Hi
>>
>> I have seen similar problems... in my case the database became corrupt if I
>> changed it while dirsrv was running.
>>
>> Also check permissions:
>>
>> -rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
>> -rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
>> -rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db
>>
>> and my CA only has CT,,
>>
>> Not sure that would make a difference but worth checking.
>>
>> Regards
>>
>> ________________________________________
>> From: 389-users-boun...@lists.fedoraproject.org
>> [389-users-boun...@lists.fedoraproject.org] on behalf of Reinhard
>> Nappert [rnapp...@juniper.net]
>> Sent: 28 September 2010 16:24
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Yes, I built it myself on 4.4.
>>
>> No, it does not make a difference when I change the files to read
>> only, before I restart the server
>>
>> -----Original Message-----
>> From: 389-users-boun...@lists.fedoraproject.org
>> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich
>> Megginson
>> Sent: Tuesday, September 28, 2010 11:05 AM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] 389 DS 1.2.6. and certificates
>>
>> Reinhard Nappert wrote:
>>> Hi,
>>> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.
>> Do you mean 5.5? Or did you build it yourself?
>>> The server works fine.
>>> Then, I generated the certs (using certutil) and imported them in the
>>> cert-store. The certs are basically generated by the
>>> setupssl2.sh script. When I list the certs afterwards, everything
>>> looks fine:
>>>
>>> certutil -L -d /etc/dirsrv/<dir-instance>
>>> CA certificate CTu,u,u
>>> <hostname> u,u,u
>>> However, when I restart the server, I get the following error and the
>>> server does not come up anymore:
>>> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization:
>>> NSS initialization failed (Netscape Portable Runtime error -8174 -
>>> security library: bad database.): certdir: /etc/dirsrv/<dir-instance>
>>>
>>> Not surprisingly, the certutil -L -d .... comes up with the same error:
>>> certutil: function failed: security library: bad database.
>>>
>>> Any idea, what goes wrong there?
>> Not sure. After running the script to generate the certs, can you change
>> the cert8.db, key3.db, and secmod.db files to be read only (mode 0400),
>> before starting the directory server? Does that help?
>>>
>>> Thanks,
>>> -Reinhard
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users