[Freeipa-users] anonymous bind + ipa-install-client failure
Benjamin Reed
ranger at opennms.org
Sat Jan 7 18:52:36 UTC 2012
On 12/23/11 4:38 PM, Benjamin Reed wrote:
>
> On 12/23/11 12:02 PM, Simo Sorce wrote:
> > One thing you can test is if the ca.crt exposed via http is the same
> > that is stored on the server in /etc/ipa/ca.crt
>
> They are identical. I did find that the errors file is complaining about
> this:
>
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.
>
>
So the ultimate problem is that the LDAP and HTTP certs got replaced
with a GeoTrust public cert, and the configuration client didn't like that.
Now, I have a new problem. I didn't think anything had changed, but the
server had a reboot and now I get this on startup, and the directory
server is just plain dead:
[root at connect slapd-OPENNMS-COM]# /etc/init.d/dirsrv start
Starting dirsrv:
OPENNMS-COM...[07/Jan/2012:12:35:34 -0600] - SSL alert: Security
Initialization: Can't find certificate (connect.opennms.com) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization:
Unable to retrieve private key for cert connect.opennms.com of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL failure: None of the cipher are valid
[07/Jan/2012:12:35:34 -0600] - ERROR: SSL Initialization phase 2 Failed.
[FAILED]
At this point, I will do whatever is the fastest way to get things back
online. I do want to keep my user schema if possible, even if I have to
make them reset their passwords. Is it possible to recover that if I
just blow my config away and start fresh?
--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
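A way to triage the two failures shown in this thread straight from the 389-ds errors log, as an added example that is not part of the original post and not FreeIPA or 389-ds code: the parser below re-joins log entries that were wrapped across lines (as they are in the mail), pulls out the attrcrypt unwrap failures and their "cert might have been renewed" hint, the certificate and private-key nicknames and NSS error codes from the SSL alerts, and turns them into plain-language advisories. The sample log is constructed from the lines quoted in the thread; the `certutil -L` / `certutil -K` commands named in the advisories are the standard NSS tools for listing certificates and keys, and `<instance dir>` is a placeholder for the instance's certificate database directory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the 389-ds errors-log lines quoted in the thread,
# kept with the wrapping the mail client applied (continuation lines do not
# begin with a '[timestamp]').
SAMPLE_ERRORS_LOG = """\
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
symmetric key failed to unwrap with the private key; Cert might have
been renewed since the key is wrapped. To recover the encrypted
contents, keep the wrapped symmetric key value.
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security
Initialization: Can't find certificate (connect.opennms.com) for family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization:
Unable to retrieve private key for cert connect.opennms.com of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL failure: None of the cipher are valid
[07/Jan/2012:12:35:34 -0600] - ERROR: SSL Initialization phase 2 Failed.
"""

# One entry: "[timestamp] <component> - <message>"; the component
# (e.g. "attrcrypt") is absent on the SSL alert lines.
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<component>\S+)\s+)?-\s+(?P<msg>.*)$")
QUOTE_PREFIX_RE = re.compile(r"^(?:>\s?)+")   # strip mail quoting if present

UNWRAP_RE = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (\w+)")
RENEWED_RE = re.compile(r"Cert might have been renewed since the key is wrapped")
NO_CIPHERS_RE = re.compile(r"All prepared ciphers are not available")
MISSING_CERT_RE = re.compile(r"Can't find certificate \(([^)]+)\) for family (\S+)")
MISSING_KEY_RE = re.compile(r"Unable to retrieve private key for cert (\S+) of family (\S+)")
NSS_ERR_RE = re.compile(r"Netscape Portable Runtime error (-?\d+)")
SSL_INIT_FAIL_RE = re.compile(r"SSL Initialization phase \d+ Failed")


@dataclass
class Findings:
    unwrap_failed_ciphers: list = field(default_factory=list)
    cert_renewed_hint: bool = False
    attrcrypt_unavailable: bool = False
    missing_certs: list = field(default_factory=list)   # (nickname, family DN)
    missing_keys: list = field(default_factory=list)    # (nickname, family DN)
    nss_error_codes: set = field(default_factory=set)
    ssl_init_failed: bool = False


def parse_entries(text):
    """Return (timestamp, component, message) tuples, re-joining entries
    that were wrapped across several lines (mail, pasted console)."""
    entries = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX_RE.sub("", raw).rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m["ts"], m["component"] or "", m["msg"]])
        elif entries:
            entries[-1][2] += " " + line.strip()   # continuation of previous entry
    return [tuple(e) for e in entries]


def analyze(text):
    """Classify every entry against the failure signatures seen in the thread."""
    f = Findings()
    for _ts, _component, msg in parse_entries(text):
        if (m := UNWRAP_RE.search(msg)):
            f.unwrap_failed_ciphers.append(m.group(1))
        if RENEWED_RE.search(msg):
            f.cert_renewed_hint = True
        if NO_CIPHERS_RE.search(msg):
            f.attrcrypt_unavailable = True
        if (m := MISSING_CERT_RE.search(msg)):
            f.missing_certs.append((m.group(1), m.group(2)))
        if (m := MISSING_KEY_RE.search(msg)):
            f.missing_keys.append((m.group(1), m.group(2)))
        if (m := NSS_ERR_RE.search(msg)):
            f.nss_error_codes.add(int(m.group(1)))
        if SSL_INIT_FAIL_RE.search(msg):
            f.ssl_init_failed = True
    return f


def diagnose(f):
    """Turn findings into plain-language advisories for the operator."""
    notes = []
    if f.unwrap_failed_ciphers:
        note = "attrcrypt could not unwrap its symmetric key for cipher(s) " + ", ".join(f.unwrap_failed_ciphers)
        if f.cert_renewed_hint:
            note += ("; the server cert/private key was replaced after the key was wrapped, so "
                     "attribute values encrypted under it cannot be recovered without the original "
                     "wrapped symmetric key (as the log itself advises)")
        notes.append(note)
    if f.attrcrypt_unavailable:
        notes.append("no attrcrypt cipher is usable; encrypted attributes cannot be served")
    for nick, family in f.missing_certs:
        notes.append(f"NSS cannot find certificate '{nick}' for {family} (NSS error "
                     f"{sorted(f.nss_error_codes)}); list the cert database with 'certutil -L -d <instance dir>'")
    for nick, family in f.missing_keys:
        notes.append(f"no private key for '{nick}' ({family}); check 'certutil -K -d <instance dir>'")
    if f.ssl_init_failed:
        notes.append("SSL initialization failed, so dirsrv will not start with security enabled")
    return notes


if __name__ == "__main__":
    for line in diagnose(analyze(SAMPLE_ERRORS_LOG)):
        print("-", line)
```

Run it against the real errors log (`python3 triage.py < /var/log/dirsrv/slapd-INSTANCE/errors`, after swapping the sample for `sys.stdin.read()`) and it gives one advisory per distinct failure rather than a wall of repeated alerts; the continuation-line joining matters because the "Cert might have been renewed" hint and the NSS error code are on the second and third lines of their entries.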