Bug 519065 - Fails to start if attrcrypt can't unwrap keys
Alias: None
Product: 389
Classification: Retired
Component: Database - General
Version: 1.2.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
Depends On:
Blocks: 434914 389_1.2.2
Reported: 2009-08-24 19:35 UTC by Rob Crittenden
Modified: 2015-12-07 16:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-12-07 16:33:13 UTC

Attachments
patch (1.39 KB, patch)
2009-08-25 17:44 UTC, Rich Megginson

Description Rob Crittenden 2009-08-24 19:35:38 UTC
Description of problem:

I'm replacing the whole NSS certificate DB and afterward the server fails to start.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Stop DS
2. Remove old NSS DB
3. Generate new one, using same nickname(s)
4. Restart server

Actual results:

Error logs contain:

[24/Aug/2009:15:26:42 -0400] - 389-Directory/1.2.1 B2009.224.1956 starting up
[24/Aug/2009:15:26:43 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[24/Aug/2009:15:26:43 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[24/Aug/2009:15:26:43 -0400] - Failed to initialize cipher AES in attrcrypt_init
[24/Aug/2009:15:26:43 -0400] - Error: unable to initialize attrcrypt system for userRoot
[24/Aug/2009:15:26:43 -0400] - start: Failed to start databases, err=-1 Unknown error: -1
[24/Aug/2009:15:26:43 -0400] - Failed to allocate 10000000 byte dbcache.  Please reduce nsslapd-cache-autosize and Restart the server.
[24/Aug/2009:15:26:43 -0400] - Failed to start database plugin ldbm database

Removing the attrcrypt entries in dse.ldif will let the server start again. It automatically regenerates those keys.

Comment 1 Noriko Hosoi 2009-08-24 19:59:31 UTC
Hi Rob,

I'd like to reproduce the problem...  Could you please give me some more details on the step 2. "Remove old NSS DB"?  Like the command lines you ran?


Comment 2 Rob Crittenden 2009-08-24 21:13:58 UTC
I'm literally removing the databases, rm -f *.db

I'm working on an IPA tool to generate a new CA and issue SSL server certs from it. Basically I'm doing:

# rm -f /etc/dirsrv/slapd-INSTANCE/*.db
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -S -n cacert -s "cn=IPA Test Certificate Authority" -x -t "CT,,C" -2 -m 8 -v 60

(I answer y, <enter>, y to the CA constraint question)

Then I issue a server cert:

# /usr/bin/certutil -R -s "cn=ipa.example.com" -o /tmp/certreq
# /usr/bin/certutil -d /etc/dirsrv/slapd-INSTANCE -C -c cacert -i /tmp/certreq -o /tmp/cert.crt -m 9 -1 -5

Then I import the new cert into my db:

# /usr/bin/certutil -A -n Server-Cert -t u,u,u -i /tmp/cert.crt

So I'm completely wiping out the old cert db and starting from scratch, using the same cert nicknames so I don't have to change the DS configuration.

Comment 3 Rich Megginson 2009-08-25 17:44:38 UTC
Created attachment 358610

Comment 4 Rich Megginson 2009-08-25 19:05:43 UTC
commit 1a4437b32afd9f9c089cb35943a0e3eaea129e2d
Author: Rich Megginson <rmeggins>
Date:   Tue Aug 25 11:44:58 2009 -0600

    Fails to start if attrcrypt can't unwrap keys
    Resolves: 519065
    Bug Description: Fails to start if attrcrypt can't unwrap keys
    Reviewed by: nhosoi (Thanks!)
    Fix Description: If not using the attrcrypt feature, just return success
    if the keys could not be unwrapped.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

Comment 5 Rich Megginson 2009-08-25 19:23:39 UTC
1.2 branch commit
commit 66aa2197b7de316f540fe924ea3435c9275a82d7
Author: Rich Megginson <rmeggins>
Date:   Tue Aug 25 11:44:58 2009 -0600

Comment 6 Jenny Severance 2010-05-05 20:58:21 UTC
If I am using the attrcrypt feature - I should see this failure and if I am not - the server should start correctly - right?

Comment 7 Rich Megginson 2010-05-05 21:19:46 UTC
If you are using the attrcrypt feature, and you change the server's cert/key, you will see the failures, and the server should not start.

Comment 8 Jenny Severance 2010-05-06 15:06:40 UTC
fix verified - redhat-ds-base-8.2.0-2010050604.el5dsrv - RHEL 5.5 32 bit

1. ssl secure directory server.

2. stop directory server.

3. delete certificate dbs.

4. repeat 1 with same cert nicknames

5. start directory server

server starts successfully - errors are still logged to the errors log.

If you use attrcrypt feature and do the same procedure, this results in a failure to start with same errors.
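
A pre-flight check for the situation this bug describes, as an added example that is not part of the original report or the 389 project's code: it reads a dse.ldif and reports whether wrapped attrcrypt keys exist and whether any attribute is actually configured for encryption, which decides what happens after the NSS DB is replaced. The names `cn=encrypted attribute keys`, `nsSymmetricKey` and `cn=encrypted attributes` are 389 DS configuration names that do not appear on this page; the sample LDIF, its placeholder key and the verdict labels are constructed.

```python
import re

# Constructed sample dse.ldif fragment (not from the bug report); the key is a placeholder.
SAMPLE_DSE = """\
dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugi
 ns,cn=config
cn: AES
nsSymmetricKey:: UExBQ0VIT0xERVI=

dn: cn=telephoneNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,
 cn=plugins,cn=config
objectClass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
"""

def parse_entries(ldif_text):
    """Unfold LDIF continuation lines; return [(dn, {attr_lower: [values]})]."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.lstrip(": "))
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def attrcrypt_state(ldif_text):
    """Return ({backend: [ciphers with a wrapped key]}, {backend: [encrypted attrs]})."""
    wrapped, encrypted = {}, {}
    for dn, attrs in parse_entries(ldif_text):
        # Config DNs contain no escaped commas; pad so short DNs simply never match.
        rdns = [r.strip() for r in dn.split(",")] + ["", ""]
        parent, backend = rdns[1].lower(), rdns[2].partition("=")[2]
        if parent == "cn=encrypted attribute keys" and "nssymmetrickey" in attrs:
            wrapped.setdefault(backend, []).append(attrs["cn"][0])
        elif parent == "cn=encrypted attributes":
            encrypted.setdefault(backend, []).append(attrs["cn"][0])
    return wrapped, encrypted

def cert_replacement_verdict(ldif_text):
    """'blocked': attrcrypt in use, no start after a cert/key change (comment 7);
    'stale-keys': wrapped keys only (fatal on 1.2.1, logged after the fix); else 'clean'."""
    wrapped, encrypted = attrcrypt_state(ldif_text)
    return "blocked" if encrypted else "stale-keys" if wrapped else "clean"
```

Run it against a copy of the instance's dse.ldif before step 2 of the reproduction; a `blocked` verdict corresponds to the case in comments 7 and 8 where the server does not start once the cert/key has been replaced.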
