[Openswan Users] ipsec newhostkey --configdir broken ???

Greg Scott GregScott at Infrasupport.com
Wed Jan 19 15:37:22 EST 2011


I'm in a world of hurt.  I am trying to set up openswan 2.6.32 on a live system that died.  This is an install from source.  I build a new empty nss database in /etc/ipsec.d like this:
 
certutil -N -d /etc/ipsec.d
 
and then try to generate a new hostkey, like this:
 
ipsec newhostkey --configdir /etc/ipsec.d \
 --output /etc/ipsec.d/hostkey.secrets \
 --verbose \
 --hostname xxx-fw
 
This fails with:
 
/usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
 
So I do ipsec newhostkey without any --configdir parameter.  This runs to completion and generates a good hostkey.secrets file.  But I have a hunch it never populates any of the .db files in any nss database.
 
Later on when I start everything up, I see this in /var/log/secure:
 
Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to locate my private key for RSA Signatur

And I'll bet that's because it's trying to read the key from that nss database, which doesn't get populated because that --configdir parameter seems to be broken.  This worked for at least 18 months and several installations with different versions.  But now it breaks with 2.6.32.  Or what am I doing wrong?
 
thanks
 
- Greg Scott
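A way to test the hunch in the post above (that the secrets file was written but the NSS database was never populated) is to list the private keys NSS actually holds with `certutil -K -d /etc/ipsec.d` and compare that with what is in hostkey.secrets. The script below wraps that check; it is an added example, not code from the poster or from the Openswan project. It assumes the legacy NSS DBM file layout that `certutil -N` produced at the time (cert8.db, key3.db, secmod.db), that a successful `ipsec newhostkey` run leaves a `: RSA {` block carrying a `#pubkey=0s...` line in the secrets file, and that `certutil -K` prints one private key per line starting with `<`; the function and file names are the example's own.

```sh
#!/bin/sh
# Added diagnostic for the situation described in the post above; not code
# from the poster or from the Openswan project.
# Assumptions (hypothetical): legacy NSS DBM layout (cert8.db, key3.db,
# secmod.db), an Openswan-style ": RSA {" block with a "#pubkey=0s..." line
# in the secrets file, and "certutil -K" listing one key per line that
# begins with "<".

# Return 0 if DIR holds an initialised NSS database, 1 if any file is missing.
nss_db_present() {
    dir=$1
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || return 1
    done
    return 0
}

# Return 0 if FILE contains an RSA block with an embedded public key,
# which is what a completed "ipsec newhostkey" run writes.
secrets_has_rsa_block() {
    file=$1
    [ -r "$file" ] || return 1
    grep -q '^: RSA' "$file" || return 1
    grep -q '#pubkey=0s' "$file" || return 1
    return 0
}

# Print the number of private keys certutil reports in DIR. Prints 0 when
# certutil is absent, the database is unreadable, or it holds no keys.
nss_private_key_count() {
    dir=$1
    if ! command -v certutil >/dev/null 2>&1; then
        echo 0
        return 0
    fi
    certutil -K -d "$dir" 2>/dev/null | grep -c '^<' || true
}

# Combined check. A secrets file that looks complete next to an NSS
# database with no private key is the mismatch that would explain pluto's
# "unable to locate my private key" message on an NSS build.
check_hostkey() {
    dir=$1
    secrets=$2
    status=0
    if nss_db_present "$dir"; then
        echo "ok:   NSS database files present in $dir"
    else
        echo "FAIL: $dir is not an initialised NSS database (run certutil -N -d $dir)"
        status=1
    fi
    if secrets_has_rsa_block "$secrets"; then
        echo "ok:   $secrets contains an RSA block with #pubkey="
    else
        echo "FAIL: $secrets has no RSA block; rerun ipsec newhostkey"
        status=1
    fi
    n=$(nss_private_key_count "$dir")
    if [ "$n" -gt 0 ]; then
        echo "ok:   certutil -K reports $n private key(s) in $dir"
    else
        echo "FAIL: certutil -K finds no private key in $dir; an NSS build of pluto cannot sign with this secrets file"
        status=1
    fi
    return $status
}

# Usage: sh check_hostkey.sh /etc/ipsec.d /etc/ipsec.d/hostkey.secrets
if [ $# -ge 2 ]; then
    check_hostkey "$1" "$2"
fi
```

If the first two checks pass but the third fails, the key pair exists only in the text file and never reached NSS, which is what one would expect when `rsasigkey` rejected `--configdir` and `newhostkey` was rerun without it.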
 

