[Pkg-fedora-ds-maintainers] Bug#841477: 389-ds-base: 389 directory server fails to start TLS/SSL
Michal Kaspar
michal at kaspar.in
Thu Oct 20 23:57:43 UTC 2016
Package: 389-ds-base
Version: 1.3.5.13-1
Severity: important
Dear Maintainer,
After recent updates, the 389 directory server fails to start SSL on port
636. The rest of the server starts fine, but in the logs there is an error
message:
SSL alert: Security Initialization: Unable to create PinObj (Netscape Portable Runtime error -5977 - Failure to load dynamic library.)
ERROR: SSL Initialization Failed. Disabling SSL.
When I ran strace on ns-slapd, I noticed it's missing the file
/etc/dirsrv/slapd-suffix/libnssckbi.so. After linking
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so from package libnss3, the
error message changed to:
SSL alert: Security Initialization: Unable to create PinObj (Netscape Portable Runtime error -8015 - The certificate/key database is in an old, unsupported format or failed to open.)
I've checked the cert db with certutil -L -d /etc/dirsrv/slapd-suffix
and it seems OK. The certificate is valid until the start of
November, so I have no idea now where the problem might be. Is it some
library incompatibility, or are there some other steps I can do to
debug the issue?
I'm running 389 server as a part of a freeipa installation, so I'm now not
able to issue a different certificate to test, because the CA can't start
without the LDAP server running.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (650, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages 389-ds-base depends on:
ii 389-ds-base-libs 1.3.5.13-1
ii acl 2.2.52-3
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.59
ii init-system-helpers 1.45
ii ldap-utils 2.4.42+dfsg-2+b3
ii libc6 2.24-5
ii libdb5.3 5.3.28-12
ii libgcc1 1:6.2.0-7
ii libicu57 57.1-4
ii libldap-2.4-2 2.4.42+dfsg-2+b3
ii libmozilla-ldap-perl 1.5.3-2+b3
ii libnetaddr-ip-perl 4.079+dfsg-1+b1
ii libnspr4 2:4.12-6
ii libnss3 2:3.26-2
ii libpam0g 1.1.8-3.3
ii libpci3 1:3.3.1-1.1
ii libperl4-corelibs-perl 0.003-2
ii libsasl2-2 2.1.26.dfsg1-15
ii libsasl2-modules-gssapi-mit 2.1.26.dfsg1-15
ii libsensors4 1:3.4.0-3
ii libsnmp30 5.7.3+dfsg-1.5+b1
ii libsocket-getaddrinfo-perl 0.22-3
ii libssl1.0.2 1.0.2j-1
ii libstdc++6 6.2.0-7
ii libsvrcore0 1:4.1.2+dfsg1-2
ii libsystemd0 231-9
ii libwrap0 7.6.q-25
ii perl 5.24.1~rc3-3
ii python 2.7.11-2
ii systemd 231-9
389-ds-base recommends no packages.
389-ds-base suggests no packages.
-- Configuration Files:
/etc/default/dirsrv changed:
KRB5_KTNAME=/etc/dirsrv/ds.keytab
KRB5CCNAME=/tmp/krb5cc_114
/etc/default/dirsrv.systemd changed:
[Service]
TimeoutStartSec=10m
NotifyAccess=all
LimitNOFILE=8192
-- no debconf information