
'Add trust for server cert' cannot find cert with $ssl['cert_name'] #23

Open
davidc0le opened this issue Nov 18, 2018 · 1 comment

If an instance is set up with SSL, using pre-existing files, there is a mismatch between the certificate name used to export the bundle into the pkcs12 file and the name used later to identify that cert during the 'Add trust for server cert' step. The first step uses the server name and the second uses $ssl['cert_name'].

Two excerpts from the debug run of the puppet agent:

Info: Concat[prod_cert_bundle]: Scheduling refresh of Exec[Create pkcs12 cert: prod]
Debug: Exec[Create pkcs12 cert: prod]: Executing 'openssl pkcs12 -export -password pass:supersecret -name VW-ESXVM-S-3-LAP08-US.example.com -in /etc/ssl/prod-bundle.pem -out /etc/ssl/prod.p12'
Debug: Executing: 'openssl pkcs12 -export -password pass:supersecret -name VW-ESXVM-S-3-LAP08-US.example.com -in /etc/ssl/prod-bundle.pem -out /etc/ssl/prod.p12'

Debug: Exec[Add trust for server cert: prod]: Executing check 'certutil -L -d /etc/dirsrv/slapd-prod | grep "identcert" | grep "u,u,u"'
Debug: Executing: 'certutil -L -d /etc/dirsrv/slapd-prod | grep "identcert" | grep "u,u,u"'
Debug: Exec[Add trust for server cert: prod]: Executing 'certutil -M -n "identcert" -t u,u,u -d /etc/dirsrv/slapd-prod'
Debug: Executing: 'certutil -M -n "identcert" -t u,u,u -d /etc/dirsrv/slapd-prod'
Notice: /Stage[main]/Profiles::Ldap_server/Ds_389::Instance[VW-ESXVM-S-3-LAP08-US]/Exec[Add trust for server cert: prod]/returns: certutil: could not find certificate named "identcert": SEC_ERROR_BAD_DATABASE: security library: bad database.
Error: 'certutil -M -n "identcert" -t u,u,u -d /etc/dirsrv/slapd-prod' returned 255 instead of one of [0]
Error: /Stage[main]/Profiles::Ldap_server/Ds_389::Instance[VW-ESXVM-S-3-LAP08-US]/Exec[Add trust for server cert: prod]/returns: change from 'notrun' to ['0'] failed: 'certutil -M -n "identcert" -t u,u,u -d /etc/dirsrv/slapd-prod' returned 255 instead of one of [0]
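The mechanism behind the report, as an added example that is not code from the ds_389 module or from the issue author: the `-name` passed to `openssl pkcs12 -export` is stored as the PKCS#12 friendlyName, pk12util turns that friendlyName into the NSS nickname on import, and `certutil -M -n` only finds the certificate under that exact nickname. The script exports one bundle under the hostname and one under the cert_name value, reads the friendlyName back out of each, and, when the NSS tools are installed, shows the `certutil -M` call failing against the first and succeeding against the second. The hostname `server.example.test`, the cert_name value `identcert`, the passphrase and the throwaway self-signed certificate are all constructed for the example; only `openssl` is required.

```shell
#!/bin/sh
# Added example; not code from the ds_389 Puppet module or from the issue.
# Demonstrates why the nickname given to `certutil -M -n` must equal the
# `-name` used when the PKCS#12 file was exported.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

HOST=server.example.test   # constructed: what the export step used as -name
CERT_NAME=identcert        # constructed: the value of $ssl['cert_name']
PASS=supersecret           # constructed: export/import passphrase

# Throwaway key + self-signed cert, concatenated like the module's *-bundle.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
cat "$WORK/key.pem" "$WORK/cert.pem" > "$WORK/bundle.pem"

# export_p12 NAME OUTFILE : same shape as the module's 'Create pkcs12 cert' Exec.
export_p12() {
  openssl pkcs12 -export -password "pass:$PASS" -name "$1" \
    -in "$WORK/bundle.pem" -out "$2"
}

# p12_friendly_name FILE : the friendlyName stored in the certificate bag.
# This string is what pk12util uses as the NSS nickname on import.
p12_friendly_name() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$PASS" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# nickname_matches FILE EXPECTED : succeeds only if the PKCS#12 was exported
# under EXPECTED, i.e. a later `certutil -M -n EXPECTED` can find the cert.
nickname_matches() {
  [ "$(p12_friendly_name "$1")" = "$2" ]
}

# Reproduce the issue: exported under the hostname, looked up under cert_name.
export_p12 "$HOST" "$WORK/mismatch.p12"
# The consistent variant: export under the nickname the trust step looks for.
export_p12 "$CERT_NAME" "$WORK/fixed.p12"

echo "mismatch.p12 friendlyName: $(p12_friendly_name "$WORK/mismatch.p12")"
echo "fixed.p12 friendlyName:    $(p12_friendly_name "$WORK/fixed.p12")"

# With the NSS tools present, show the concrete certutil behaviour.
if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
  DB="$WORK/nssdb"
  mkdir "$DB"
  certutil -N -d "$DB" --empty-password
  pk12util -i "$WORK/mismatch.p12" -d "$DB" -W "$PASS" >/dev/null
  certutil -L -d "$DB"
  if certutil -M -n "$CERT_NAME" -t u,u,u -d "$DB" 2>/dev/null; then
    echo "unexpected: found $CERT_NAME"
  else
    echo "certutil -M -n $CERT_NAME fails: the db nickname is $HOST"
  fi
  certutil -M -n "$HOST" -t u,u,u -d "$DB" && echo "certutil -M -n $HOST succeeds"
fi
```

Run it as-is; the friendlyName check alone reproduces the mismatch, and the NSS section only runs where `certutil` and `pk12util` are on the PATH. The practical check for a deployment like the one reported is therefore `openssl pkcs12 -in prod.p12 -info -nokeys` against the configured cert_name before the trust step is ever attempted.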


davidc0le commented Nov 18, 2018

The output of certutil -L to confirm that identcert is missing:

certutil -L -d /etc/dirsrv/slapd-prod

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VW-ESXVM-S-3-LAP08-US.example.com                            u,u,u
...
