Bug 519065
| Field | Value |
|---|---|
| Summary | Fails to start if attrcrypt can't unwrap keys |
| Product | [Retired] 389 |
| Component | Database - General |
| Version | 1.2.1 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | high |
| Reporter | Rob Crittenden <rcritten> |
| Assignee | Rich Megginson <rmeggins> |
| QA Contact | Viktor Ashirov <vashirov> |
| CC | jgalipea, nhosoi, rmeggins |
| Doc Type | Bug Fix |
| Bug Blocks | 434914, 518519 |
| Attachments | 358610 (patch) |
| Last Closed | 2015-12-07 16:33:13 UTC |
Description
Rob Crittenden
2009-08-24 19:35:38 UTC
Hi Rob, I'd like to reproduce the problem... Could you please give me some more details on the step 2. "Remove old NSS DB"? Like the command lines you ran? Thanks!

--noriko

---

I'm literally removing the databases, `rm -f *.db`

I'm working on an IPA tool to generate a new CA and issue SSL server certs from it. Basically I'm doing:

```
# rm -f /etc/dirsrv/slapd-INSTANCE/*.db
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -S -n cacert -s "cn=IPA Test Certificate Authority" -x -t "CT,,C" -2 -m 8 -v 60
```

(I answer y, `<enter>`, y to the CA constraint question)

Then I issue a server cert:

```
# /usr/bin/certutil -R -s "cn=ipa.example.com" -o /tmp/certreq
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -C -c cacert -i /tmp/certreq -o /tmp/cert.crt -m 9 -1 -5
```

Then I import the new cert into my db:

```
# /usr/bin/certutil -A -n Server-Cert -t u,u,u -i /tmp/cert.crt
```

So I'm completely wiping out the old cert db and starting from scratch, using the same cert nicknames so I don't have to change the DS configuration.

---

Created attachment 358610 [details]
patch

```
commit 1a4437b32afd9f9c089cb35943a0e3eaea129e2d
Author: Rich Megginson <rmeggins>
Date:   Tue Aug 25 11:44:58 2009 -0600

    Fails to start if attrcrypt can't unwrap keys
    https://bugzilla.redhat.com/show_bug.cgi?id=519065
    Resolves: 519065
    Bug Description: Fails to start if attrcrypt can't unwrap keys
    Reviewed by: nhosoi (Thanks!)
    Fix Description: If not using the attrcrypt feature, just return success
    if the keys could not be unwrapped.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
```

1.2 branch commit

```
commit 66aa2197b7de316f540fe924ea3435c9275a82d7
Author: Rich Megginson <rmeggins>
Date:   Tue Aug 25 11:44:58 2009 -0600
```

---

If I am using the attrcrypt feature - I should see this failure and if I am not - the server should start correctly - right?

---

If you are using the attrcrypt feature, and you change the server's cert/key, you will see the failures, and the server should not start.

---

fix verified - redhat-ds-base-8.2.0-2010050604.el5dsrv - RHEL 5.5 32 bit

1. ssl secure directory server.
2. stop directory server.
3. delete certificate dbs.
4. repeat 1 with same cert nicknames
5. start directory server

Result: server starts successfully - errors are still logged to the errors log. If you use attrcrypt feature and do the same procedure, this results in a failure to start with same errors.
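The startup behaviour described in the fix and confirmed in the verification above (unwrap failures stay logged, but only abort startup when attribute encryption is actually configured), as an added illustrative model. This is not the 389 source; the key/state structs, the fingerprint comparison standing in for the real public-key unwrap, and the scenario names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: each cipher's symmetric key is stored wrapped with the
 * server cert's public key. If the NSS DB is recreated with new key material
 * under the same nicknames, the stored keys can no longer be unwrapped. */
typedef struct {
    const char *cipher;
    const char *wrapped_with_cert_fp; /* fingerprint of the cert that wrapped it */
} wrapped_key_t;

typedef struct {
    const char *server_cert_fp;  /* fingerprint of the cert now in the NSS DB */
    const wrapped_key_t *keys;
    size_t nkeys;
    bool attrcrypt_in_use;       /* any attribute configured for encryption */
} attrcrypt_state_t;

/* Simulated unwrap: succeeds only if the key was wrapped with the current cert. */
static bool unwrap_key(const attrcrypt_state_t *st, const wrapped_key_t *k) {
    return strcmp(st->server_cert_fp, k->wrapped_with_cert_fp) == 0;
}

/* Returns 0 if the server may start, -1 if startup must be aborted.
 * with_fix=false models the old behaviour (any failure is fatal);
 * with_fix=true models the fix (fatal only when attrcrypt is in use). */
int attrcrypt_startup_check(const attrcrypt_state_t *st, bool with_fix) {
    int failures = 0;
    for (size_t i = 0; i < st->nkeys; i++) {
        if (!unwrap_key(st, &st->keys[i])) {
            fprintf(stderr, "attrcrypt: could not unwrap %s key\n", st->keys[i].cipher);
            failures++;
        }
    }
    if (failures == 0) return 0;
    if (!with_fix) return -1;
    /* Encrypted attribute values would be unreadable: refuse to start. */
    return st->attrcrypt_in_use ? -1 : 0;
}

/* Constructed scenario: two keys wrapped with the original cert ("old-cert"). */
int attrcrypt_scenario(const char *current_cert_fp, bool in_use, bool with_fix) {
    static const wrapped_key_t keys[] = { {"AES", "old-cert"}, {"3DES", "old-cert"} };
    attrcrypt_state_t st = { current_cert_fp, keys, 2, in_use };
    return attrcrypt_startup_check(&st, with_fix);
}
```

Recreating the cert DB ("new-cert") without attribute encryption starts only with the fix; with attribute encryption in use it still refuses to start, matching the verification result.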