I apologize for this probably dumb question, but I'm confused.
Running the role with dirsrv_selfsigned_cert: true, I hit the following issue:
```
TASK [389ds-server : Check that tls_key[_file] is defined] *******************************************************************
fatal: [proxy]: FAILED! => {
    "assertion": "(dirsrv_tls_key is defined) != (dirsrv_tls_key_file is defined)",
    "changed": false,
    "evaluated_to": false
}

MSG:

only one of dirsrv_tls_key or dirsrv_tls_key_file must be defined
```
I had not set either dirsrv_tls_key or dirsrv_tls_key_file (and I had no idea what to set it to).
I worked around it by setting dirsrv_tls_enabled: false, but I'm unsure if this is correct, because I do want to use TLS (just with the self-signed cert for the time being). Can you confirm?
Hi @mwilck, for some reason GitHub decided not to notify me at all about your issue, sorry...
dirsrv_tls_key_file is the path to the .key file containing the private key, dirsrv_tls_key is the private key itself if you want to supply it without an intermediate file - the key is added to the NSS database inside 389DS, so if you supply a file the role will read the key and add it to the database anyway, 389DS doesn't read the file.
I don't know if 389DS can generate a certificate on its own, but I don't think it will work with this role. If you want to use a self-signed certificate, you have to create it manually and supply it to the role. Here's an old example that I used to generate certificates for testing: https://github.com/lvps/389ds-examples/blob/master/ca/cert.sh
It should work but I don't recommend using it in production, as I'm not sure if it's really secure.
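The manual step described in the reply above, as an added example that is not part of the thread, the role, or the linked cert.sh: it creates a short-lived self-signed pair with `openssl` and checks that the key and certificate belong together before the key path is given to the role as `dirsrv_tls_key_file`. The function names, host name, directory and lifetime are assumptions made for the example, and `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: throwaway self-signed key/cert for a TEST 389DS host.
# Host name, output directory and lifetime are constructed values.

# make_selfsigned HOST OUTDIR [DAYS] -> writes OUTDIR/HOST.key and OUTDIR/HOST.crt
make_selfsigned() {
    host="$1"; outdir="$2"; days="${3:-30}"
    mkdir -p "$outdir" || return 1
    # umask 077 in a subshell: the key is never created group/world readable.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$outdir/$host.key"
}

# key_matches_cert KEY CERT -> 0 only if the cert's public key belongs to KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed CERT -> 0 if issuer and subject are the same name,
# i.e. clients will only accept it if they are told to trust it explicitly.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$s" = "$i" ]
}

# Stand-alone use: sh script.sh HOST OUTDIR [DAYS]
if [ "$#" -ge 2 ]; then
    make_selfsigned "$@" && key_matches_cert "$2/$1.key" "$2/$1.crt" &&
        echo "key for dirsrv_tls_key_file: $2/$1.key"
fi
```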