Bug 1005410

Summary: cert db is broken after installation
Product: [Fedora] Fedora
Component: libreswan
Version: rawhide
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Fabian Deutsch <fabian.deutsch>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: pwouters
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-01-18 01:42:41 UTC

Description Fabian Deutsch 2013-09-06 20:24:07 UTC
Description of problem:
After installing libreswan, the certdb has to be recreated manually; otherwise creating keys fails.

Version-Release number of selected component (if applicable):
fedora 19

How reproducible:
always

Steps to Reproduce:
1. ipsec rsasigkey --verbose 4096 --configdir /etc/ipsec.d/ --random /dev/urandom

Actual results:
getting 60 random bytes from /dev/urandom...
ipsec rsasigkey: key pair generation failed: "-8037"

Expected results:
getting 60 random bytes from /dev/urandom...
Generated RSA key pair using the NSS database
output...


Additional info:
Recreating the certdb solves this issue
# rm -f /etc/ipsec.d/*.db; certutil -N -d /etc/ipsec.d

Comment 1 Paul Wouters 2013-09-06 22:26:54 UTC
It seems that when the pluto NSS is not initialised (which we cannot automate due to certutil -N -d /etc/ipsec.d not accepting a blank password or a password file) and pluto starts, it creates some kind of *db files which are not usable. Later running rsasigkey to add a key to the database then fails, and these *db files have to be deleted.

I will talk to the nss people and see if they have a solution that might work.

Comment 2 Paul Wouters 2014-01-18 01:42:41 UTC
This was fixed in 3.7.
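
The workaround in the description deletes every `*.db` file in the NSS directory, which also removes any keys and certificates already stored there. The following is an added example, not part of the original report or of libreswan, that moves the files aside before recreating the database; the function names and the `CERTUTIL` override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): keep a copy of the NSS database
# files before recreating the database, instead of deleting them outright.
# CERTUTIL is a hypothetical override so the functions can be exercised on
# a machine without the NSS tools installed.

# Move every *.db file in DIR into a new, uniquely named subdirectory that
# only its owner can read. Prints the backup directory, or nothing when
# there were no *.db files to move.
backup_nss_db() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    backup=
    for f in "$dir"/*.db; do
        [ -e "$f" ] || continue      # the glob matched nothing
        if [ -z "$backup" ]; then
            # mktemp -d creates the directory with mode 0700
            backup=$(mktemp -d "$dir/nssdb-backup.XXXXXX") || return 1
        fi
        mv -- "$f" "$backup"/ || return 1
    done
    [ -n "$backup" ] && printf '%s\n' "$backup"
    return 0
}

# Back up the old files, then create a fresh database with the same
# certutil invocation the report uses.
recreate_nss_db() {
    dir=$1
    backup_nss_db "$dir" || return 1
    "${CERTUTIL:-certutil}" -N -d "$dir"
}
```

Calling `recreate_nss_db /etc/ipsec.d` as root replaces the `rm -f ...; certutil -N ...` pair; the old files stay under `nssdb-backup.*` until they are confirmed to hold nothing of value.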