[Freeipa-users] anonymous bind + ipa-install-client failure

Benjamin Reed ranger at opennms.org
Sat Jan 7 18:52:36 UTC 2012


On 12/23/11 4:38 PM, Benjamin Reed wrote:
>
> On 12/23/11 12:02 PM, Simo Sorce wrote:
> > One thing you can test is if the ca.crt exposed via http is the same
> > that is stored on the server in /etc/ipa/ca.crt
>
> they are identical, I did find that the errors file is complaining about
> this:
>
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.
>
>

So the ultimate problem is that the LDAP and HTTP certs got replaced
with a geotrust public cert, and the configuration client didn't like that.

Now, I have a new problem.  I didn't think anything had changed, but the
server had a reboot and now I get this on startup, and the directory
server is just plain dead:

[root at connect slapd-OPENNMS-COM]# /etc/init.d/dirsrv start
Starting dirsrv:
    OPENNMS-COM...[07/Jan/2012:12:35:34 -0600] - SSL alert: Security
Initialization: Can't find certificate (connect.opennms.com) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization:
Unable to retrieve private key for cert connect.opennms.com of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL failure: None of the cipher are valid
[07/Jan/2012:12:35:34 -0600] - ERROR: SSL Initialization phase 2 Failed.
                                                           [FAILED]

At this point, I will do whatever is the fastest way to get things back
online. I do want to keep my user schema if possible, even if I have to
make them reset their passwords. Is it possible to recover that if I
just blow my config away and start fresh?


-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
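The two log excerpts in this message (the attrcrypt unwrap failures after the certificate swap, and the NSS "bad database" errors when dirsrv starts) are worth recognising automatically before a reboot turns them into an outage. What follows is an added example, not code from this thread, from FreeIPA or from 389-ds: a small Python triage script that classifies 389-ds errors-log lines into those failure signatures and, separately, compares two PEM copies of ca.crt by DER fingerprint (the check Simo suggested for the HTTP-served copy versus /etc/ipa/ca.crt). The sample log lines are constructed from the ones quoted above, one entry per line; the signature names, the hint text and the `/etc/dirsrv/slapd-<INSTANCE>` path mentioned in a hint are my assumptions, and `fake_pem` builds placeholder blocks that are not real certificates.

```python
"""Triage helper for 389-ds / FreeIPA TLS start-up failures (added example)."""
import base64
import hashlib
import re

# 389-ds errors log: "[ts] subsystem - message" or "[ts] - message".
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<sub>\w+)\s+)?-\s+(?P<msg>.*)$")

# (signature name, message pattern, defender's hint). Names/hints are assumptions.
SIGNATURES = [
    ("attrcrypt-unwrap",
     re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (?P<cipher>\S+)"),
     "attribute-encryption key was wrapped with a cert that may since have been "
     "replaced; per the server's own message keep the wrapped key value to recover "
     "encrypted contents, or disable attribute encryption"),
    ("attrcrypt-unavailable",
     re.compile(r"All prepared ciphers are not available"),
     "no attribute-encryption cipher could be initialised; follows from attrcrypt-unwrap"),
    ("nss-cert-missing",
     re.compile(r"Can't find certificate \((?P<nick>[^)]+)\) for family (?P<family>\S+)"),
     "cert nickname is not in the instance NSS database (NSS -8174, bad database); "
     "compare nsSSLPersonalitySSL under the family entry with "
     "`certutil -L -d /etc/dirsrv/slapd-<INSTANCE>` (path assumed)"),
    ("nss-key-missing",
     re.compile(r"Unable to retrieve private key for cert (?P<nick>\S+) of family (?P<family>\S+)"),
     "private key for the configured nickname is absent from the NSS database; "
     "usually the same root cause as nss-cert-missing"),
    ("ssl-init-failed",
     re.compile(r"SSL Initialization phase 2 Failed"),
     "dirsrv will not come up until the NSS/attrcrypt errors above are fixed"),
]


def triage(log_text):
    """Return one finding per log line that matches a known signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, pat, hint in SIGNATURES:
            s = pat.search(m.group("msg"))
            if s:
                findings.append({"ts": m.group("ts"), "sub": m.group("sub"),
                                 "sig": name, "fields": s.groupdict(), "hint": hint})
                break
    return findings


def root_cause(findings):
    """Pick the most fundamental signature present (NSS DB problems first)."""
    sigs = {f["sig"] for f in findings}
    if {"nss-cert-missing", "nss-key-missing"} & sigs:
        return "nss-db-cert-mismatch"
    if "attrcrypt-unwrap" in sigs:
        return "attrcrypt-key-wrapped-with-old-cert"
    if "ssl-init-failed" in sigs:
        return "ssl-init-failed-unknown"
    return None


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first CERTIFICATE block, so that line
    wrapping or CRLF differences between an HTTP copy and an on-disk copy do
    not produce a false mismatch."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def same_ca(pem_a, pem_b):
    return pem_fingerprint(pem_a) == pem_fingerprint(pem_b)


def fake_pem(payload, width=64):
    """Constructed PEM-shaped block for testing; payload is NOT a real cert."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed from the lines quoted in the thread, unwrapped to one entry per line.
SAMPLE_LOG = """\
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization: Can't find certificate (connect.opennms.com) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization: Unable to retrieve private key for cert connect.opennms.com of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL failure: None of the cipher are valid
[07/Jan/2012:12:35:34 -0600] - ERROR: SSL Initialization phase 2 Failed.
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['sig']:22} {f['fields']}\n    hint: {f['hint']}")
    print("root cause:", root_cause(found))
```

Run it against a real `/var/log/dirsrv/slapd-<INSTANCE>/errors` by reading the file into `triage()`; for the ca.crt comparison, feed `same_ca()` the text of `/etc/ipa/ca.crt` and the body fetched from the server's HTTP endpoint. The fingerprint is taken over decoded DER rather than the PEM text precisely so that a re-wrapped or CRLF-converted copy is not reported as a mismatch.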

