Bug 519065

Summary: Fails to start if attrcrypt can't unwrap keys
Product: [Retired] 389
Reporter: Rob Crittenden <rcritten>
Component: Database - General
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: high
Version: 1.2.1
CC: jgalipea, nhosoi, rmeggins
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:33:13 UTC
Bug Blocks: 434914, 518519
Attachments: patch (Flags: none)

Description Rob Crittenden 2009-08-24 19:35:38 UTC
Description of problem:

I'm replacing the whole NSS certificate DB and afterward the server fails to start.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Stop DS
2. Remove old NSS DB
3. Generate new one, using same nickname(s)
4. Restart server

Actual results:

Error logs contain:

[24/Aug/2009:15:26:42 -0400] - 389-Directory/1.2.1 B2009.224.1956 starting up
[24/Aug/2009:15:26:43 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[24/Aug/2009:15:26:43 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[24/Aug/2009:15:26:43 -0400] - Failed to initialize cipher AES in attrcrypt_init
[24/Aug/2009:15:26:43 -0400] - Error: unable to initialize attrcrypt system for userRoot
[24/Aug/2009:15:26:43 -0400] - start: Failed to start databases, err=-1 Unknown error: -1
[24/Aug/2009:15:26:43 -0400] - Failed to allocate 10000000 byte dbcache.  Please reduce nsslapd-cache-autosize and Restart the server.
[24/Aug/2009:15:26:43 -0400] - Failed to start database plugin ldbm database

Removing the attrcrypt entries in dse.ldif will let the server start again. It automatically regenerates those keys.

Comment 1 Noriko Hosoi 2009-08-24 19:59:31 UTC
Hi Rob,

I'd like to reproduce the problem...  Could you please give me some more details on the step 2. "Remove old NSS DB"?  Like the command lines you ran?


Comment 2 Rob Crittenden 2009-08-24 21:13:58 UTC
I'm literally removing the databases, rm -f *.db

I'm working on an IPA tool to generate a new CA and issue SSL server certs from it. Basically I'm doing:

# rm -f /etc/dirsrv/slapd-INSTANCE/*.db
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -S -n cacert -s "cn=IPA Test Certificate Authority" -x -t "CT,,C" -2 -m 8 -v 60

(I answer y, <enter>, y to the CA constraint question)

Then I issue a server cert:

# /usr/bin/certutil -R -s "cn=ipa.example.com" -o /tmp/certreq
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -C -c cacert -i /tmp/certreq -o /tmp/cert.crt -m 9 -1 -5

Then I import the new cert into my db:

# /usr/bin/certutil -A -n Server-Cert -t u,u,u -i /tmp/cert.crt

So I'm completely wiping out the old cert db and starting from scratch, using the same cert nicknames so I don't have to change the DS configuration.

Comment 3 Rich Megginson 2009-08-25 17:44:38 UTC
Created attachment 358610

Comment 4 Rich Megginson 2009-08-25 19:05:43 UTC
commit 1a4437b32afd9f9c089cb35943a0e3eaea129e2d
Author: Rich Megginson <rmeggins>
Date:   Tue Aug 25 11:44:58 2009 -0600

    Fails to start if attrcrypt can't unwrap keys
    Resolves: 519065
    Bug Description: Fails to start if attrcrypt can't unwrap keys
    Reviewed by: nhosoi (Thanks!)
    Fix Description: If not using the attrcrypt feature, just return success
    if the keys could not be unwrapped.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
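
The decision described in the fix above, modelled as an added Python illustration (not 389 Directory Server code; every structure and function name here is hypothetical). The attribute-encryption keys are stored wrapped with the server's own key, so a rebuilt NSS database with a new key pair under the old nickname makes unwrapping fail; the fixed init treats that as fatal only when the backend actually has attributes configured for encryption.

```python
# Hypothetical model of attrcrypt_init before and after the fix in comment 4.
# Not 389-ds code: the structures, the "unwrap" stand-in and the key ids are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class WrappedKey:
    cipher: str          # e.g. "AES", as in the page's error log
    wrapped_with: str    # constructed id of the server key that wrapped it
    material: bytes


@dataclass
class Backend:
    name: str                        # e.g. "userRoot"
    wrapped_keys: list
    encrypted_attrs: list = field(default_factory=list)  # attrs using attrcrypt


def attrcrypt_unwrap_key(wk, server_key_id, log):
    """Stand-in for unwrapping: only the key pair that wrapped it can unwrap."""
    if wk.wrapped_with != server_key_id:
        log.append(f"attrcrypt_unwrap_key: failed to unwrap key for cipher {wk.cipher}")
        return None
    return wk.material


def attrcrypt_init(be, server_key_id, log, fixed=True):
    """Return 0 on success, -1 on failure (the err=-1 seen in the page's log)."""
    for wk in be.wrapped_keys:
        if attrcrypt_unwrap_key(wk, server_key_id, log) is None:
            log.append(f"Failed to retrieve key for cipher {wk.cipher} in attrcrypt_cipher_init")
            if not fixed or be.encrypted_attrs:
                # Data encrypted under this key would be unreadable: refuse to start.
                log.append(f"Error: unable to initialize attrcrypt system for {be.name}")
                return -1
            # Fixed behaviour: nothing is encrypted with this key, so start anyway.
            continue
    return 0
```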

Comment 5 Rich Megginson 2009-08-25 19:23:39 UTC
1.2 branch commit
commit 66aa2197b7de316f540fe924ea3435c9275a82d7
Author: Rich Megginson <rmeggins>
Date:   Tue Aug 25 11:44:58 2009 -0600

Comment 6 Jenny Severance 2010-05-05 20:58:21 UTC
If I am using the attrcrypt feature - I should see this failure and if I am not - the server should start correctly - right?

Comment 7 Rich Megginson 2010-05-05 21:19:46 UTC
If you are using the attrcrypt feature, and you change the server's cert/key, you will see the failures, and the server should not start.

Comment 8 Jenny Severance 2010-05-06 15:06:40 UTC
fix verified - redhat-ds-base-8.2.0-2010050604.el5dsrv - RHEL 5.5 32 bit

1. ssl secure directory server.

2. stop directory server.

3. delete certificate dbs.

4. repeat 1 with same cert nicknames

5. start directory server

server starts successfully - errors are still logged to the errors log.

If you use attrcrypt feature and do the same procedure, this results in a failure to start with same errors.