[Pkg-fedora-ds-maintainers] Bug#841477: 389-ds-base: 389 directory server fails to start TLS/SSL

Michal Kaspar michal at kaspar.in
Thu Oct 20 23:57:43 UTC 2016 

Package: 389-ds-base
Version: 1.3.5.13-1
Severity: important

Dear Maintainer,
After recent updates the 389 directory server fails to start SSL on port
636. The rest of server starts fine but in the logs, there is an error
message:
SSL alert: Security Initialization: Unable to create PinObj (Netscape Portable Runtime error -5977 - Failure to load dynamic library.)
ERROR: SSL Initialization Failed.  Disabling SSL.
When I ran strace on ns-slapd, I've noticed it's missing file
/etc/dirsrv/slapd-suffix/libnssckbi.so. After linking
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so from package libnss3 the
error message changed to:
SSL alert: Security Initialization: Unable to create PinObj (Netscape Portable Runtime error -8015 - The certificate/key database is in an old, unsupported format or failed to open.)
I've checked the cert db with certutil -L -d /etc/dirsrv/slapd-suffix
and it seems OK. The certificate is valid until the start of the
november so I have no idea now, where the problem might be. Is it some
libraries incompatibility or are there some other steps I can do to
debug the issue.
I'm running 389 server as a part of freeipa installation, so I'm now not
able to issue different certificate to test, becouse the CA can't start
without LDAP server running.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (650, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages 389-ds-base depends on:
ii  389-ds-base-libs             1.3.5.13-1
ii  acl                          2.2.52-3
ii  adduser                      3.115
ii  debconf [debconf-2.0]        1.5.59
ii  init-system-helpers          1.45
ii  ldap-utils                   2.4.42+dfsg-2+b3
ii  libc6                        2.24-5
ii  libdb5.3                     5.3.28-12
ii  libgcc1                      1:6.2.0-7
ii  libicu57                     57.1-4
ii  libldap-2.4-2                2.4.42+dfsg-2+b3
ii  libmozilla-ldap-perl         1.5.3-2+b3
ii  libnetaddr-ip-perl           4.079+dfsg-1+b1
ii  libnspr4                     2:4.12-6
ii  libnss3                      2:3.26-2
ii  libpam0g                     1.1.8-3.3
ii  libpci3                      1:3.3.1-1.1
ii  libperl4-corelibs-perl       0.003-2
ii  libsasl2-2                   2.1.26.dfsg1-15
ii  libsasl2-modules-gssapi-mit  2.1.26.dfsg1-15
ii  libsensors4                  1:3.4.0-3
ii  libsnmp30                    5.7.3+dfsg-1.5+b1
ii  libsocket-getaddrinfo-perl   0.22-3
ii  libssl1.0.2                  1.0.2j-1
ii  libstdc++6                   6.2.0-7
ii  libsvrcore0                  1:4.1.2+dfsg1-2
ii  libsystemd0                  231-9
ii  libwrap0                     7.6.q-25
ii  perl                         5.24.1~rc3-3
ii  python                       2.7.11-2
ii  systemd                      231-9

389-ds-base recommends no packages.

389-ds-base suggests no packages.

-- Configuration Files:
/etc/default/dirsrv changed:
KRB5_KTNAME=/etc/dirsrv/ds.keytab
KRB5CCNAME=/tmp/krb5cc_114

/etc/default/dirsrv.systemd changed:
[Service]
TimeoutStartSec=10m
NotifyAccess=all
LimitNOFILE=8192


-- no debconf information

More information about the Pkg-fedora-ds-maintainers mailing list