[Freeipa-users] anonymous bind + ipa-install-client failure
Rob Crittenden
rcritten at redhat.com
Wed Jan 4 18:30:43 UTC 2012
Benjamin Reed wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/23/11 12:02 PM, Simo Sorce wrote:
>> One thing you can test is if the ca.crt exposed via http is the same
>> that is stored on the server in /etc/ipa/ca.crt
>
> they are identical, I did find that the errors file is complaining about
> this:
>
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.
These are not related. IIRC 389-ds generates symmetric keys
automatically when it is first started and if you've replaced your NSS
cert db in the meantime those keys are not available. This would only be
a problem if you decided to use per-attribute encryption at some future
point.
You might want to try pulling the CA out of the DS instance and
comparing that to what is being served up by the HTTP server.

To get the list of certs:

certutil -L -d /etc/dirsrv/slapd-INSTANCE

This to get a specific cert:

certutil -L -n 'some nickname' -d /etc/dirsrv/slapd-INSTANCE -a > /tmp/dsca.crt
The error here is that the client doesn't trust the certificate that
389-ds is using.
rob
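The comparison Rob describes (CA cert exported from the 389-ds NSS database versus the copy the HTTP server publishes and /etc/ipa/ca.crt) can be done by fingerprint rather than by eye. The following is an added example, not code from the FreeIPA project or from anyone in this thread. It assumes each source has already been exported to PEM text, for instance with the certutil command above for the DS instance, and handles two caveats a practitioner hits in practice: a ca.crt file may contain a whole chain, and text fetched over HTTP may arrive with CRLF line endings. The PEM bodies embedded below are constructed placeholders, not real certificates.

```python
"""Compare the CA certificate(s) found in several sources by fingerprint.

Added example; not FreeIPA project code.  Each source is expected as PEM
text, e.g. the output of
    certutil -L -n 'some nickname' -d /etc/dirsrv/slapd-INSTANCE -a
for the 389-ds NSS database, the contents of /etc/ipa/ca.crt, and the
ca.crt fetched from the web server.  Sample inputs are constructed.
"""
import base64
import hashlib
import re
from typing import Dict, List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM text.

    A ca.crt may carry a full chain, and an HTTP copy may use CRLF line
    endings, so every certificate block is extracted and whitespace inside
    the armor is ignored before decoding.
    """
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = re.sub(r"\s+", "", body)
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprints(pem_text: str) -> List[str]:
    """SHA-256 fingerprint (hex) of each certificate, in file order."""
    return [hashlib.sha256(der).hexdigest()
            for der in pem_to_der_list(pem_text)]


def compare_sources(sources: Dict[str, str]) -> Dict[str, object]:
    """Compare the certificate sets of several named PEM sources.

    Returns {'consistent': bool, 'missing': {...}, 'fingerprints': {...}}.
    'missing' maps each source name to the fingerprints that appear in at
    least one other source but not in that one, which tells you which copy
    is stale after a CA renewal.
    """
    fps = {name: set(fingerprints(pem)) for name, pem in sources.items()}
    union = set().union(*fps.values()) if fps else set()
    missing = {name: sorted(union - s) for name, s in fps.items()}
    consistent = bool(union) and all(not m for m in missing.values())
    return {"consistent": consistent, "missing": missing,
            "fingerprints": {n: sorted(s) for n, s in fps.items()}}


def constructed_pem(payload: bytes, crlf: bool = False) -> str:
    """Wrap constructed bytes in PEM armor (placeholder, not a real cert)."""
    nl = "\r\n" if crlf else "\n"
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return nl.join(["-----BEGIN CERTIFICATE-----", *lines,
                    "-----END CERTIFICATE-----"]) + nl


# Constructed sample: the DS instance and /etc/ipa/ca.crt agree, while the
# copy served over HTTP is a different (older) certificate with CRLF endings.
SAMPLE_SOURCES = {
    "dirsrv": constructed_pem(b"constructed-ca-cert-v2"),
    "/etc/ipa/ca.crt": constructed_pem(b"constructed-ca-cert-v2"),
    "http ca.crt": constructed_pem(b"constructed-ca-cert-v1", crlf=True),
}

if __name__ == "__main__":
    result = compare_sources(SAMPLE_SOURCES)
    print("consistent:", result["consistent"])
    for name, gone in result["missing"].items():
        if gone:
            print(f"{name} lacks: {', '.join(gone)}")
```

Run it against real exports by replacing the SAMPLE_SOURCES values with the PEM text read from each location; a source listed under "missing" is the one whose copy differs, and if the HTTP copy is the odd one out, that is the file the client is trusting while 389-ds presents a different CA.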