From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc3 Firefox/1.0.6

Description of problem:
I'm running Fedora Core 3 inside a Xen virtual machine. After working fine for at least 2 months, openssl is failing to sign certificates. Openssl appears to be unable to read the private key of the certification authority.

Version-Release number of selected component (if applicable):
openssl-0.9.7a-42.1

How reproducible:
Always

Steps to Reproduce:
At this point I don't know the source of the problem or how to reproduce it; openssl simply became unable to read the private key of the certification authority.

Actual Results:
#> openssl rsa -in /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem -text -noout
Enter pass phrase for /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem:
unable to load Private Key
4821:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
4821:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:

Expected Results:
A new certificate.

Additional info:
The system is in a Xen virtual machine.
Sorry, this doesn't belong to OpenSSL; I'm reassigning it to Xen. However, it could most probably be a hardware problem or an admin error.
Uhm... I tried reading the private key on other boxes with the same result, and searching on Google, other people have reported the error with no references to Xen.
If the bug also happens without Xen, it is probably an openssl issue. If the bug does not happen with Xen on another computer, it could be a memory corruption issue. If the bug only happens under Xen, regardless of hardware, it's probably a Xen bug. Jorge, could you please try running the same openssl command on another computer, and/or without Xen, to try reproducing the problem?
The openssl command was executed on two other boxes without Xen and I receive the same error:
# openssl rsa -in cakey.pem -out keyout.pem
Enter pass phrase for cakey.pem:
unable to load Private Key
6755:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
6755:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
The error is critical for me because there are several boxes that use certificates emitted by the Certification Authority, and I'm unable to do my work because of this error.
The problem is that the private key most probably got corrupted somehow. Do you have a backup? You should. Xen could be the culprit if you used the key only from the Xen virtual machine when it got corrupted, but it's now very hard to say what corrupted the key. Does the cakey.pem file look normal? And are you sure you didn't just forget the passphrase?
I have a backup. Doing a diff of the file in the backup against the file in the Xen virtual machine I obtain:
# diff cakey.pem backup_cakey.pem -s
Files cakey.pem and backup_cakey.pem are identical
The passphrase is ok. I'm pretty sure that I didn't lose the passphrase ..
Could you try to downgrade openssl to the version from vanilla (not updated) FC-3, openssl-0.9.7a-40? Of course this could be the culprit only if it stopped working right after the upgrade from updates. If the downgrade doesn't help, I think the problem is surely with the passphrase.
The downgrade does not work ... but the problem is not the passphrase. Well, I can sign the request but I can generate a new certificate.
Sorry .. I can NOT generate a new cert, but I CAN generate the certificate request.
By "The downgrade does not work" you mean that you downgraded OpenSSL and it didn't help? If so, then it is certainly a problem with the passphrase, or both your cakey.pem and the backup are corrupted. There is simply no other possibility. Certificate request generation works because it doesn't use the CA private key.
I don't have any reason to bring myself into a bad situation.
I'm sorry, but there is simply no way it could be OpenSSL's fault if:
1. The downgrade didn't help.
2. The backup is from the time when it worked fine and is identical to the current key.
3. The key doesn't work on other machines.
The only non sci-fi reasons remaining are:
1. bad passphrase because you forgot it
2. bad passphrase because some evil attacker replaced both your key and your backup with a different key
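The triage in this thread (compare the key with its backup, then see whether the key decrypts with the passphrase) can be rehearsed on a throw-away key. The script below is an added example and is not part of the bug report or of OpenSSL; it assumes only that the `openssl` CLI is on PATH, and every passphrase and file name in it is constructed.

```shell
#!/bin/sh
# Added example, not taken from the bug report: reproduce the triage the
# thread arrives at on a throw-away key. Assumes the openssl CLI is on PATH;
# every passphrase and file name here is constructed for the demonstration.
set -e
WORK=$(mktemp -d)
GOOD_PASS='constructed-correct-passphrase'
BAD_PASS='constructed-wrong-passphrase'
# Generate a passphrase-protected CA key and a byte-identical "backup".
make_key() {
  openssl genrsa -aes256 -passout "pass:$GOOD_PASS" \
    -out "$WORK/cakey.pem" 2048 2>/dev/null
  cp "$WORK/cakey.pem" "$WORK/backup_cakey.pem"
}

# The thread's point 2: is the key on disk identical to the backup?
backup_matches() {
  cmp -s "$WORK/cakey.pem" "$WORK/backup_cakey.pem"
}

# Try to decrypt key file $1 with passphrase $2. Exit status 0 means the key
# loaded; stderr is kept in last_error.txt so the message can be shown.
key_loads_with() {
  openssl rsa -in "$1" -passin "pass:$2" -noout 2>"$WORK/last_error.txt"
}

# Simulate on-disk damage: drop one line of the base64 body into a new file.
corrupt_copy() {
  sed '5d' "$WORK/cakey.pem" > "$1"
}
main() {
  make_key
  backup_matches && echo "key and backup are identical, as in the report"
  key_loads_with "$WORK/cakey.pem" "$GOOD_PASS" && echo "correct passphrase: key loads"
  if key_loads_with "$WORK/cakey.pem" "$BAD_PASS"; then
    echo "unexpected: wrong passphrase loaded the key"
  else
    echo "wrong passphrase: $(tail -n 1 "$WORK/last_error.txt")"
  fi
  corrupt_copy "$WORK/corrupt_cakey.pem"
  if key_loads_with "$WORK/corrupt_cakey.pem" "$GOOD_PASS"; then
    echo "unexpected: corrupted key loaded"
  else
    # Same exit status as a wrong passphrase: a failed load alone cannot tell
    # the two apart, which is why comparing against the backup comes first.
    echo "corrupted copy, correct passphrase: $(tail -n 1 "$WORK/last_error.txt")"
  fi
}
main
```

Only when the file matches a known-good backup and still fails to load does the wrong-passphrase explanation remain, which is exactly the conclusion reached above.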
This post in another place hits the same point: http://openvpn.net/archive/openvpn-users/2005-07/msg00149.html
That is an absolutely unrelated problem with an openssl misconfiguration, sorry.
It was a forgotten password. I'm very embarrassed. Thanks for your help.