Red Hat Bugzilla – Bug 167197
private key certificate
Last modified: 2007-11-30 17:11:12 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc3 Firefox/1.0.6
Description of problem:
I'm running Fedora Core 3 inside a Xen virtual machine. After working fine for at least 2 months, openssl is failing to sign certificates. Openssl appears to be unable to read the private key of the certification authority.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
At this point I don't know the source of the problem or how to reproduce it; openssl simply became unable to read the private key of the certification authority.
Actual Results:
#> openssl rsa -in /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem -text -noout
Enter pass phrase for /usr/local/OpenCA/NiagaraCA/var/crypto/keys/cakey.pem:
unable to load Private Key
4821:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
4821:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
Expected Results: A new certificate.
The system is in a Xen virtual machine.
Sorry, this doesn't belong to OpenSSL; I'm reassigning it to Xen, however it
could most probably be a hardware problem or admin error.
uhm... I tried to read the private key on other boxes with the same result, and
searching in Google, other people have reported the error with no reference to Xen.
If the bug also happens without Xen, it is probably an openssl issue.
If the bug does not happen with Xen on another computer, it could be a memory
If the bug only happens under Xen, regardless of hardware, it's probably a Xen bug.
Jorge, could you please try running the same openssl command on another
computer, and/or without Xen, to try reproducing the problem?
The openssl command was executed on two other boxes without Xen and I receive
the same error:
# openssl rsa -in cakey.pem -out keyout.pem
Enter pass phrase for cakey.pem:
unable to load Private Key
6755:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
6755:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
The error is critical for me because there are several boxes that use
certificates emitted by the Certification Authority and I'm unable to do my work
because of this error.
The problem is that the private key most probably got corrupted somehow. Do you
have a backup? You should.
Xen could be the culprit if you used the key only from the Xen virtual
machine when it got corrupted.
But it's now very hard to say what corrupted the key.
Does the cakey.pem file look normal?
And are you sure you just didn't forget the passphrase?
I have a backup. Doing a diff of the file in the backup against the file in the
Xen virtual machine I obtain:
# diff cakey.pem backup_cakey.pem -s
Files cakey.pem and backup_cakey.pem are identical
The passphrase is ok. I'm pretty sure that I didn't lose the passphrase ..
Could you try downgrading openssl to the version from the FC-3 vanilla (not
updated) - openssl-0.9.7a-40? Of course this could be the culprit only if it
stopped working just after the upgrade from updates.
If the downgrade doesn't help I think that the problem is surely with the
The downgrade does not work ... but the problem is not the passphrase. Well, I
can sign the request but I can generate a new certificate.
sorry .. I can NOT generate a new cert but I CAN generate the certificate request.
By "The downgrade does not work" you mean that you downgraded OpenSSL and it
didn't help? If so then it is certainly a problem with the passphrase, or both your
cakey.pem and backup are corrupted. There is simply no other possibility.
Certificate request generation works because it doesn't use the CA private key.
I don't have any reason to bring myself into a bad situation.
I'm sorry but there is simply no way it could be OpenSSL's fault if:
1. Downgrade didn't help.
2. Backup is from the time when it worked fine and is identical to the current key.
3. The key doesn't work on other machines.
The only non-sci-fi reasons remaining are:
1. bad passphrase because you forgot it
2. bad passphrase because some evil attacker replaced both your key and your
backup with a different key
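The two questions this thread turns on are "does cakey.pem look normal?" and "wrong passphrase or corrupted key?". The following Python script is an added example (not from the bug report or from OpenSSL): it checks the envelope of a legacy OpenSSL encrypted PEM key (the Proc-Type / DEK-Info header format openssl 0.9.7 wrote), and it reproduces the passphrase-to-key derivation that PEM_do_header uses, to show why any other passphrase ends in EVP_DecryptFinal's "bad decrypt". The sample key text is constructed and is not a real key.

```python
import base64
import hashlib
import re

CIPHERS = {"DES-EDE3-CBC": 8, "DES-CBC": 8, "AES-128-CBC": 16, "AES-256-CBC": 16}  # block size in bytes (= IV length)

def inspect_encrypted_pem(text):
    """Return the structural problems found in an encrypted PEM key ([] = looks normal).
    Only the envelope is checked: a wrong passphrase leaves the file itself intact."""
    m = re.search(r"-----BEGIN (RSA |)PRIVATE KEY-----\n(.*?)-----END \1PRIVATE KEY-----", text, re.S)
    if not m:
        return ["missing or mismatched PEM BEGIN/END lines"]
    lines, hdrs, problems = m.group(2).splitlines(), {}, []
    while lines and ":" in lines[0]:              # "Name: value" headers precede the body
        k, v = lines.pop(0).split(":", 1)
        hdrs[k.strip()] = v.strip()
    if lines and lines[0] == "":
        lines.pop(0)                              # a blank line terminates the headers
    elif hdrs:
        problems.append("no blank line between headers and base64 body")
    if hdrs.get("Proc-Type") != "4,ENCRYPTED":
        problems.append("Proc-Type: 4,ENCRYPTED header missing (key not encrypted?)")
    cipher, _, iv_hex = hdrs.get("DEK-Info", "").partition(",")
    block = CIPHERS.get(cipher)
    if block is None:
        problems.append("unknown or missing cipher in DEK-Info: %r" % cipher)
    elif not re.fullmatch("[0-9A-Fa-f]{%d}" % (2 * block), iv_hex):
        problems.append("DEK-Info IV is not %d hex digits" % (2 * block))
    try:
        body = base64.b64decode("".join(lines), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return problems + ["body is not valid base64 (truncated or edited?)"]
    if block and len(body) % block:
        problems.append("ciphertext length %d is not a block multiple" % len(body))
    return problems

def legacy_pem_key(passphrase, iv_hex, key_len):
    """EVP_BytesToKey (MD5, one round) as PEM_do_header applies it: salt = first 8 bytes of the
    IV, MD5 output chained to key_len. A different passphrase gives a different key, so the
    decrypted last block has invalid padding and EVP_DecryptFinal reports 'bad decrypt'."""
    salt, out, prev = bytes.fromhex(iv_hex)[:8], b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase.encode() + salt).digest()
        out += prev
    return out[:key_len]

# Constructed sample, not a real key: 24 zero bytes of "ciphertext" under DES-EDE3-CBC.
SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
          + base64.b64encode(b"\0" * 24).decode() + "\n-----END RSA PRIVATE KEY-----\n")
```

An empty problem list together with "bad decrypt" on every machine is exactly the situation in this bug: the file is fine and the passphrase is not.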
This post in another place hits the same point:
This is an absolutely unrelated problem with openssl misconfiguration, sorry.
It was a forgotten password. I'm very embarrassed. Thanks for your help.