Description of problem: I'm replacing the whole NSS certificate DB and afterward the server fails to start.

Version-Release number of selected component (if applicable): 389-ds-base-1.2.1-1.fc11.i586

How reproducible:

Steps to Reproduce:
1. Stop DS
2. Remove old NSS DB
3. Generate new one, using same nickname(s)
4. Restart server

Actual results:
Error logs contain:

[24/Aug/2009:15:26:42 -0400] - 389-Directory/1.2.1 B2009.224.1956 starting up
[24/Aug/2009:15:26:43 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[24/Aug/2009:15:26:43 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[24/Aug/2009:15:26:43 -0400] - Failed to initialize cipher AES in attrcrypt_init
[24/Aug/2009:15:26:43 -0400] - Error: unable to initialize attrcrypt system for userRoot
[24/Aug/2009:15:26:43 -0400] - start: Failed to start databases, err=-1 Unknown error: -1
[24/Aug/2009:15:26:43 -0400] - Failed to allocate 10000000 byte dbcache. Please reduce nsslapd-cache-autosize and Restart the server.
[24/Aug/2009:15:26:43 -0400] - Failed to start database plugin ldbm database

Removing the attrcrypt entries in dse.ldif will let the server start again. It automatically regenerates those keys.
Hi Rob, I'd like to reproduce the problem... Could you please give me some more details on the step 2. "Remove old NSS DB"? Like the command lines you ran? Thanks! --noriko
I'm literally removing the databases, rm -f *.db

I'm working on an IPA tool to generate a new CA and issue SSL server certs from it. Basically I'm doing:

# rm -f /etc/dirsrv/slapd-INSTANCE/*.db
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -S -n cacert -s "cn=IPA Test Certificate Authority" -x -t "CT,,C" -2 -m 8 -v 60

(I answer y, <enter>, y to the CA constraint question)

Then I issue a server cert:

# /usr/bin/certutil -R -s "cn=ipa.example.com" -o /tmp/certreq
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -C -c cacert -i /tmp/certreq -o /tmp/cert.crt -m 9 -1 -5

Then I import the new cert into my db:

# /usr/bin/certutil -A -n Server-Cert -t u,u,u -i /tmp/cert.crt

So I'm completely wiping out the old cert db and starting from scratch, using the same cert nicknames so I don't have to change the DS configuration.
Created attachment 358610: patch
commit 1a4437b32afd9f9c089cb35943a0e3eaea129e2d
Author: Rich Megginson <rmeggins>
Date: Tue Aug 25 11:44:58 2009 -0600

Fails to start if attrcrypt can't unwrap keys
https://bugzilla.redhat.com/show_bug.cgi?id=519065
Resolves: 519065
Bug Description: Fails to start if attrcrypt can't unwrap keys
Reviewed by: nhosoi (Thanks!)
Fix Description: If not using the attrcrypt feature, just return success if the keys could not be unwrapped.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
1.2 branch commit

commit 66aa2197b7de316f540fe924ea3435c9275a82d7
Author: Rich Megginson <rmeggins>
Date: Tue Aug 25 11:44:58 2009 -0600
If I am using the attrcrypt feature - I should see this failure and if I am not - the server should start correctly - right?
If you are using the attrcrypt feature, and you change the server's cert/key, you will see the failures, and the server should not start.
fix verified - redhat-ds-base-8.2.0-2010050604.el5dsrv - RHEL 5.5 32 bit

1. ssl secure directory server.
2. stop directory server.
3. delete certificate dbs.
4. repeat 1 with same cert nicknames
5. start directory server

Result: server starts successfully - errors are still logged to the errors log.

If you use attrcrypt feature and do the same procedure, this results in a failure to start with same errors.
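The thread establishes two cases: with attribute encryption configured, replacing the NSS cert/key DB leaves the stored attrcrypt keys unwrappable and the server (correctly) refuses to start; without it, only the auto-generated key entries are present and they can be dropped from dse.ldif and regenerated. The script below is an added pre-flight check, not part of the bug report, the patch or 389-ds itself: it scans a dse.ldif for both kinds of entry so an administrator can tell which case they are in before wiping the DB. The DN layout it looks for (cn=encrypted attributes and cn=encrypted attribute keys under each backend, the key held in nsSymmetricKey) is assumed from the 389-ds configuration schema rather than taken from this page, and the sample dse.ldif fragments it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight check before replacing a 389-ds instance's NSS DB.
# The attrcrypt keys in dse.ldif are wrapped with the server's SSL key, so if
# any attribute is configured for encryption, a new cert/key makes those keys
# unrecoverable and startup fails (the behaviour this bug thread describes).
# The DN layout and attribute names below are assumptions about the 389-ds
# config schema, not taken from the bug report.

# Print one line per relevant entry: "ATTR <backend> <attribute>" for each
# configured encrypted attribute, "KEY <backend> <cipher>" for each stored key.
attrcrypt_scan() {
    # Join LDIF continuation lines (leading space), then walk entry by entry.
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' "$1" | awk '
    function backend(d,   a, n, i) {
        # The backend name is the RDN right after "cn=encrypted attribute...".
        n = split(d, a, ",")
        for (i = 1; i < n; i++)
            if (tolower(a[i]) ~ /^cn=encrypted attribute/) return substr(a[i + 1], 4)
        return "?"
    }
    function flush(   d) {
        if (dn != "") {
            d = tolower(dn)
            if (index(d, "cn=encrypted attributes,") && oc ~ /nsattributeencryption/)
                print "ATTR " backend(dn) " " cn
            else if (index(d, "cn=encrypted attribute keys,") && haskey)
                print "KEY " backend(dn) " " cn
        }
        dn = ""; oc = ""; cn = ""; haskey = 0
    }
    /^$/                                { flush(); next }
    /^dn: /                             { dn = substr($0, 5); next }
    tolower($0) ~ /^objectclass: /      { oc = oc " " tolower(substr($0, 14)); next }
    tolower($0) ~ /^cn: /               { if (cn == "") cn = substr($0, 5); next }
    tolower($0) ~ /^nssymmetrickey::? / { haskey = 1; next }
    END { flush() }'
}

# Count scan lines of one kind (ATTR or KEY) in the given dse.ldif.
attrcrypt_count() {
    attrcrypt_scan "$1" | awk -v kind="$2" '$1 == kind { n++ } END { print n + 0 }'
}

# Return 0 when the NSS DB can be replaced without breaking startup,
# 1 when encrypted attributes are configured (the failing case in the thread).
attrcrypt_precheck() {
    dse=$1
    attrs=$(attrcrypt_count "$dse" ATTR)
    keys=$(attrcrypt_count "$dse" KEY)
    if [ "$attrs" -gt 0 ]; then
        echo "UNSAFE: $attrs encrypted attribute(s) configured in $dse:"
        attrcrypt_scan "$dse" | awk '$1 == "ATTR" { print "  backend " $2 ": " $3 }'
        echo "Replacing the NSS DB leaves their keys unwrappable; the server will not start."
        return 1
    fi
    if [ "$keys" -gt 0 ]; then
        echo "OK: attrcrypt not in use, but $keys auto-generated key entry(ies) present in $dse."
        echo "Servers without the fix need them removed from dse.ldif; they are regenerated on start."
    else
        echo "OK: no attrcrypt configuration in $dse."
    fi
    return 0
}

# Constructed sample dse.ldif fragments (not real instance data). MODE "keysonly"
# mirrors the reporter's situation; "inuse" adds configured encrypted attributes.
write_sample_dse() {
    cat >"$1" <<'EOF'
dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: Q29uc3RydWN0ZWQtc2FtcGxlLXdyYXBwZWQta2V5LW5vdC1hLXJlYWwt
 a2V5LWNvbnRpbnVhdGlvbi1saW5l

EOF
    if [ "$2" = "inuse" ]; then
        cat >>"$1" <<'EOF'
dn: cn=userPassword,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: userPassword
nsEncryptionAlgorithm: AES

dn: cn=employeeNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: employeeNumber
nsEncryptionAlgorithm: AES
EOF
    fi
}

# Usage: sh attrcrypt_precheck.sh /etc/dirsrv/slapd-INSTANCE/dse.ldif
if [ -n "${1:-}" ]; then attrcrypt_precheck "$1"; fi
```

Run it against the instance's dse.ldif while the server is stopped, before step 2 of the reporter's procedure; a non-zero exit means the nickname-preserving DB rebuild will still end in the attrcrypt_unwrap_key failures shown in the report, because the keys, not the nicknames, are what the new SSL key cannot unwrap.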