[Openswan Users] ipsec newhostkey --configdir broken ???
GregScott at Infrasupport.com
Wed Jan 19 17:20:13 EST 2011
I ended up working around the problem by installing a Fedora RPM. That system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora 12. So that's what I ended up with. But first, I removed 2.6.32 and installed 2.6.31 from source. ipsec newhostkey with --configdir switch did not fail with 2.6.31, but it also finished immediately and didn't generate anything. So I removed 2.6.31 and installed the Fedora RPM and all worked as expected.
This was how I built from source:
cp openswan-2.6.32.tar.gz /usr/local/src
tar zxvf openswan-2.6.32.tar.gz
make USE_LIBNSS=true programs install
I have a hunch when I built from source, I didn't get in whatever I needed for that NSS database and that was the root of my troubles.
Is there any documentation for how to use this new NSS database? I still don't know how to import and export keys to/from hostkey.secrets and this complicates firewall replacements and made my life more stressful today.
- Greg Scott
From: users-bounces at openswan.org on behalf of Greg Scott
Sent: Wed 1/19/2011 2:37 PM
To: users at openswan.org
Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
I'm in a world of hurt. I am trying to setup openswan 2.6.32 on a live system that died. This is an install from source. I build a new empty nss database in /etc/ipsec.d like this:
certutil -N -d /etc/ipsec.d
and then try to generate a new hostkey, like this:
ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/hostkey.secrets \
This fails with:
/usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
So I do ipsec newhostkey without any --configdir parameter. This runs to completion and generates a good hostkey.secrets file. But I have a hunch it never populates any of the .db files in any nss database.
Later on when I start everything up, I see this in /ver/log/secure:
Jan 19 13:37:00 localhost pluto: "colo-hqmirror" #2: unable to locate my private key for RSA Signatur
And I'll bet that's because it's trying to read the key from that nss database, which doesn't get populated because that --configdir parameter seems to be broken. This worked for at least 18 months and several installations with different versions. But now it breaks with 2.6.32. Or what am I doing wrong?
- Greg Scott
Users at openswan.org
Building and Integrating Virtual Private Networks with Openswan:
More information about the Users