Hello all, solved this:
[root@host html]# cd /etc/openldap/cacerts/
[root@host cacerts]# certutil -A -n "<insert cert nick here>" -t PC -i /etc/openldap/cacerts/<certname>.pem -d .
[root@host cacerts]# chmod +r *.db
[root@host cacerts]# ls -la
total 108
drwxr-xr-x. 2 root root 4096 Sep 2 15:08 .
drwxr-xr-x. 5 root root 4096 Sep 2 14:00 ..
lrwxrwxrwx 1 root root 10 Sep 1 16:20 <certhash>.0 -> <certname>.pem
-rw-r--r-- 1 root root 65536 Sep 2 15:08 cert8.db
-rw-r--r-- 1 root root 16384 Sep 2 15:08 key3.db
-rw-r--r-- 1 root root 16384 Sep 2 15:08 secmod.db
-rw-r--r-- 1 root root 1155 Sep 1 11:34 <certname>.pem
[root@host cacerts]# /etc/init.d/httpd restart
This will add the missing dbs and should work.
This was also on a SL6.1 server.
Christopher Tooley
[log in to unmask]
Systems, HEP/Astronomy UVic
On 2011-09-02, at 2:18 PM, Christopher Tooley wrote:
> Hello all again,
>
> So, looking through the source of the openldap TLS stuff, I've found where the message is happening:
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_m.c;h=c85d322014fa838341f3fefdea9a5f693fadc079;hb=f7a0fc9f8b7fa9cfecd6a075b2867abd149dd0de#l1669
>
> according to a comment a couple of lines up:
> "/* no moznss db found, or not using moznss db */"
>
> I have also done an strace on apache, here are the (I think) most relevant parts:
> --------------------------------------------------------------------------------
> stat("/etc/openldap/cacerts/secmod.db", 0x7fffe681c1c0) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat("/etc/openldap/cacerts/cert8.db", 0x7fffe681c580) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat("/etc/openldap/cacerts/cert7.db", 0x7fffe681c5b0) = -1 ENOENT (No such file or directory)
> open("/etc/openldap/cacerts/cert7.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> open("/pkcs11.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
> access("/secmod.db", F_OK) = -1 ENOENT (No such file or directory)
> stat("/key3.db", 0x7fffe681c590) = -1 ENOENT (No such file or directory)
> open("/key3.db", O_RDONLY) = -1 ENOENT (No such file or directory)
> write(2, "TLS: could not initialize moznss"..., 68) = 68
> write(2, "TLS: could perform TLS system in"..., 46) = 46
> write(2, "TLS: error: could not initialize"..., 91) = 91
> write(2, "TLS: can't create ssl handle.\n", 30) = 30
> write(2, "ldap_err2string\n", 16) = 16
> write(2, "[Fri Sep 02 13:57:00 2011] [erro"..., 175) = 175
> write(2, "ldap_err2string\n", 16) = 16
> -----------------------------------------------------------------------------------
>
> So, it's looking for certs but I don't have those installed - nor do I think I should, as I think moznss is *supposed* to be a drop in replacement for openssl afaik. How do I get apache/php to act like a proper ldap query agent and just use the .pem file located in /etc/openldap/cacerts/?
>
> I have a .pem file located in /etc/openldap/cacerts/<certname>.pem that seems to work fine with like every other LDAPS query I do...?? :\
>
> Thanks for any help!
>
> -Chris
|