Hi,

On Fri, Jun 01 2018 at 12:06:50 +0200, Jan Kowalsky <jankow@xxxxxxxxxxxxxxxxxx> wrote:
> Hi all,
>
> we have the following situation: A 389ds with tls/ssl configured with
> a certificate from letsencrypt.
>
> Since letsencrypt is short-dated we have an automated update routine for
> regenerating the cert8.db.
>
> Now we have this sort of errors in changelog.
>
> [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.
>
> I never used attribute encryption and we don't need it at the moment.
> But as far as I understand, it's based on the server private key. This
> is the one we change every 60 days.
>
> The best idea seems to be to disable attribute encryption (which doesn't make
> much sense if the private key isn't password protected anyway).
>
> Or is there any other way to deal with key changes?
It's possible to regenerate encryption keys from the new certificate:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/updating_the_tls_certificates_used_for_attribute_encryption

HTH

>
> Thanks and regards
> Jan
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/VAMLVAQBXLGZFKJF7HS4QV7TSEKQ6TR3/
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/NX7FRP36ZZNWC5GDZPSMLW6OTLRWZUZO/
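The failure mode in this thread is easy to miss until something that depends on attribute encryption breaks, because the only evidence is a burst of `attrcrypt` lines in the 389ds errors log at startup. The script below is an added example, not code from the thread or from the 389ds project: it parses the errors-log line format shown above, collects which ciphers failed to unwrap, notes whether the server gave up on all prepared ciphers, and turns that into a status a monitoring job can act on. The sample log is constructed from the lines Jan quoted (re-joined to one event per line, plus one unrelated startup line); the function names and the `ok` / `degraded` / `encryption-unusable` states are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: the events quoted in the thread, one per line as
# slapd writes them, plus an unrelated line to show it is ignored.
SAMPLE_ERRORS_LOG = """\
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[01/Jun/2018:11:46:41 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
"""

# "[timestamp] subsystem - message"; the subsystem part is optional because
# some lines (e.g. "slapd started") carry only "- message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<subsystem>\S+) - )?(?P<msg>.*)$")
UNWRAP_RE = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (?P<cipher>\S+)")
ALL_UNAVAILABLE = "All prepared ciphers are not available"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # matches 01/Jun/2018:11:46:40 +0200


def parse_line(line):
    """Split one errors-log line into (timestamp, subsystem, message); None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("subsystem"), m.group("msg")


def scan_attrcrypt(log_text):
    """Summarise attrcrypt key-unwrap failures found in the log text."""
    report = {
        "event_count": 0,          # number of attrcrypt lines seen
        "failed_ciphers": [],      # ciphers whose wrapped key could not be unwrapped, in log order
        "ciphers_unavailable": False,  # server declared every prepared cipher unusable
        "first_seen": None,
        "last_seen": None,
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, subsystem, msg = parsed
        if subsystem != "attrcrypt":
            continue
        report["event_count"] += 1
        report["first_seen"] = report["first_seen"] or ts.isoformat()
        report["last_seen"] = ts.isoformat()
        um = UNWRAP_RE.search(msg)
        if um and um.group("cipher") not in report["failed_ciphers"]:
            report["failed_ciphers"].append(um.group("cipher"))
        if ALL_UNAVAILABLE in msg:
            report["ciphers_unavailable"] = True
    return report


def assess(report):
    """Map a scan report to a status: ok, degraded (some ciphers), encryption-unusable (all)."""
    if report["ciphers_unavailable"]:
        return "encryption-unusable"
    if report["failed_ciphers"]:
        return "degraded"
    return "ok"


def recommendation(report):
    """Plain-text next step, following the two options discussed in the thread."""
    status = assess(report)
    if status == "ok":
        return "no attrcrypt unwrap failures found"
    return (
        f"{status}: wrapped symmetric key(s) for {', '.join(report['failed_ciphers'])} "
        "no longer unwrap with the server private key (likely renewed). Keep the wrapped key "
        "values, then either regenerate the attribute-encryption keys for the new certificate "
        "(see the Red Hat DS admin guide section linked in the reply) or, if attribute "
        "encryption is not in use, disable it."
    )


if __name__ == "__main__":
    r = scan_attrcrypt(SAMPLE_ERRORS_LOG)
    print(r)
    print(recommendation(r))
```

Run it against `/var/log/dirsrv/slapd-<instance>/errors` after each certificate rotation (or from the cron job that rebuilds cert8.db) and alert on anything other than `ok`; a `degraded` result means only some of the prepared ciphers failed, which still indicates the wrapped keys were issued under a previous certificate.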