Re: Encryption works, but odd entries in the error log on startup.

Ryan Braun [ADS] wrote:
I had set up encryption on one of my test fds servers (1.1.2), generated a CAcert and a Server-Cert and turned on encryption. It all worked fine. I shut down fds, removed the Server-Cert and created a new Server-Cert with a few Subject Alt Name entries. I didn't import a p12 cert, I just used certutil to create a new cert in the database.

I restarted the server and tested with ldapsearch -ZZ and it all still worked.

When I had a look in the log recently, I noticed these entries every time I restart the service.

[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests

Looking back to when I first turned on encryption, I see

[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests

So I'm wondering if I need to somehow reinit some of the encryption keys? Or maybe I missed a step for replacing a Server-Cert? But from the docs it looks like a straightforward turn off fds, remove old cert, create/import new cert (with same name), restart fds.
Unfortunately, those keys were encrypted with the old key/cert. But as long as you don't want to use reversible attribute encryption, you can ignore those messages.
Ryan

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

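An added log check, not part of this thread and not code from the Fedora Directory Server project: the reply above says the attribute-encryption keys stored in each backend were wrapped with the old server certificate's key, so after a certificate swap the server logs an unwrap failure on every startup. The script below groups errors-log lines by "starting up" entry and reports, per startup, which ciphers had their key freshly generated and which failed to unwrap, so an administrator can confirm after a cert rotation whether the stored attribute-encryption keys are still recoverable before relying on reversible attribute encryption. The line format and message texts are taken from the log excerpts quoted in the thread; the embedded sample is those same lines, and the function and variable names are my own.

```python
import re
from typing import Dict, List, Set

# Errors-log line format as seen in the thread: "[DD/Mon/YYYY:HH:MM:SS +ZZZZ] - message"
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+-\s+(?P<msg>.*)$")
# Markers for the three events this check cares about (texts copied from the quoted log).
STARTUP = re.compile(r"starting up$")
UNWRAP_FAIL = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (?P<cipher>\S+)")
KEY_CREATED = re.compile(r"Key for cipher (?P<cipher>\S+) successfully generated and stored")

# Sample input: the two log excerpts quoted in the thread (first startup after enabling
# encryption, then the first startup after the Server-Cert was replaced).
SAMPLE_LOG = """\
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
"""


def parse_startups(lines: List[str]) -> List[Dict]:
    """Group log lines into startup sessions; record key creation and unwrap failures per session."""
    sessions: List[Dict] = []
    current = None
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # not a recognisable errors-log line
        ts, msg = m.group("ts"), m.group("msg")
        if STARTUP.search(msg):
            current = {"started": ts, "unwrap_failed": [], "keys_created": []}
            sessions.append(current)
            continue
        if current is None:
            continue  # lines before the first startup marker are ignored
        fail = UNWRAP_FAIL.search(msg)
        if fail:
            current["unwrap_failed"].append(fail.group("cipher"))
            continue
        created = KEY_CREATED.search(msg)
        if created:
            current["keys_created"].append(created.group("cipher"))
    return sessions


def unrecoverable_ciphers(sessions: List[Dict]) -> Set[str]:
    """Ciphers whose wrapped attribute-encryption key failed to unwrap at the latest startup."""
    if not sessions:
        return set()
    return set(sessions[-1]["unwrap_failed"])


def check_log_text(text: str) -> Set[str]:
    """Convenience wrapper: parse a whole errors-log text and return the affected ciphers."""
    return unrecoverable_ciphers(parse_startups(text.splitlines()))


if __name__ == "__main__":
    for s in parse_startups(SAMPLE_LOG.splitlines()):
        print(f"startup {s['started']}: created={s['keys_created']} unwrap_failed={s['unwrap_failed']}")
    bad = check_log_text(SAMPLE_LOG)
    if bad:
        print("attribute-encryption keys not recoverable for:", ", ".join(sorted(bad)))
```

Run it against the live errors log (for example `python3 check_attrcrypt.py < /path/to/errors`, adjusting the main block to read stdin) immediately after any certificate replacement; an empty result means the wrapped keys still unwrap, a non-empty one means the condition the reply describes has occurred and any attribute encryption relying on those keys would need to be re-established before the feature is used.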
