[Openswan Users] ipsec newhostkey --configdir broken ???

Michael H. Warfield mhw at WittsEnd.com
Fri Jan 21 09:40:49 EST 2011


On Wed, 2011-01-19 at 16:20 -0600, Greg Scott wrote:
> I ended up working around the problem by installing a Fedora RPM. That
> system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora
> 12. So that's what I ended up with. But first, I removed 2.6.32 and
> installed 2.6.31 from source. ipsec newhostkey with --configdir switch
> did not fail with 2.6.31, but it also finished immediately and didn't
> generate anything. So I removed 2.6.31 and installed the Fedora RPM
> and all worked as expected. 

1) Fedora 12 is EOL and you should be using something more up to date.

2) You can get the 2.6.31 rpm from the F14 repos.

3) If you want to rebuild from source but want it to match the Fedora
configuration, download the source RPM and install that and then install
the newer source in the rpmbuild/SOURCES directory and update the
rpmbuild/SPECS/openswan.spec file for the new version and rebuild it
that way.  I do that routinely.  Once in a while it will get bitchy
about one patch or another but that generally just means it's a fix that
got incorporated so I just disable the patch and go again.  I don't
think I ran into that at all from 2.6.31 to 2.6.32 though.  I think that
will rebuild cleanly.

> Go figure.  

> This was how I built from source:

> cp openswan-2.6.32.tar.gz /usr/local/src
> cd /usr/local/src
> tar zxvf openswan-2.6.32.tar.gz
> cd openswan-2.6.32
> make USE_LIBNSS=true programs install
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That's probably where you are getting some mismatches between things.
Look in the source rpm spec file and how they configure and build it.
This will end up putting things in /usr/local and look for things in the
wrong directories compared to the Fedora locations. 

> I have a hunch when I built from source, I didn't get in whatever I
> needed for that NSS database and that was the root of my troubles. 

> Is there any documentation for how to use this new NSS database? I
> still don't know how to import and export keys to/from hostkey.secrets
> and this complicates firewall replacements and made my life more
> stressful today. 

Yeah, this pretty much sucks royally.  NSS is such a PITA that I
typically just rebuild the RPM and disable NSS and FIPS checking since I
need neither of them.  I understand the motivation behind Fedora and RH
moving to this (unified crypto and key management, FIPS compliance, etc,
etc, etc) but someone should have given some serious thought to smooth
migration of existing sites.  At one point (and I hope like hell it's
not still true) you could not "import" existing private keys into the
NSS database.  At least I never got it to work and there are articles
(old at this point) that claim it was broken scattered on the net.
Yeah, that move was poorly thought out.  Regenerating stacks and stacks
of certificates on dozens of machines just because I couldn't import
their existing private key was NOT AN OPTION for me.  Maybe they've fixed
that and maybe it works smoother now.  I would love to be corrected on
this, PLEASE.  I know, what I should do is go back and retest now with
the latest nss tools.  Maybe I'll do that today myself.

Have you read the document README.nss?

/usr/share/doc/openswan-doc-2.6.32/README.nss

You'll find lots of good information in there.  Certainly, from the
sounds of the section on "Migrating Certificates" it would sound like
you can simply export the key and cert to a .p12 pkcs12 file and then
import it into the database, but I wasn't able to get that to work, at
least not early on.  It may actually work now.

> thanks

> - Greg Scott

Regards,
Mike

________________________________
> 
> From: users-bounces at openswan.org on behalf of Greg Scott
> Sent: Wed 1/19/2011 2:37 PM
> To: users at openswan.org
> Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
> 
> 
> 
> I'm in a world of hurt.  I am trying to set up openswan 2.6.32 on a live system that died.  This is an install from source.  I build a new empty nss database in /etc/ipsec.d like this:
> 
> certutil -N -d /etc/ipsec.d
> 
> and then try to generate a new hostkey, like this:
> 
> ipsec newhostkey --configdir /etc/ipsec.d \
>  --output /etc/ipsec.d/hostkey.secrets \
>  --verbose \
>  --hostname xxx-fw
> 
> This fails with:
> 
> /usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
> 
> So I do ipsec newhostkey without any --configdir parameter.  This runs to completion and generates a good hostkey.secrets file.  But I have a hunch it never populates any of the .db files in any nss database.
> 
> Later on when I start everything up, I see this in /var/log/secure:
> 
> Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to locate my private key for RSA Signatur
> 
> And I'll bet that's because it's trying to read the key from that nss database, which doesn't get populated because that --configdir parameter seems to be broken.  This worked for at least 18 months and several installations with different versions.  But now it breaks with 2.6.32.  Or what am I doing wrong?
> 
> thanks
> 
> - Greg Scott

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
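
Added example for Mike's point (3) above, the "install the source RPM, drop in the newer tarball, bump the spec, disable a patch that upstream absorbed, rebuild" routine.  This is not code from the thread, from Fedora's openswan packaging or from the Openswan project; it assumes rpm and rpmbuild on PATH with ~/rpmbuild as the build tree, and the file names, version and patch number you pass in are your own.  The two spec-editing helpers are plain sed so they can be checked on a constructed spec without rpmbuild present.

```sh
#!/bin/sh
# Added example, not from the thread or from Fedora/Openswan packaging.
# Rebuilds a Fedora openswan RPM against a newer upstream tarball the way
# described in point (3): install the SRPM, copy the tarball to SOURCES,
# point openswan.spec at the new version, and comment out a patch that no
# longer applies because the fix was merged upstream.
# Assumptions: rpm/rpmbuild on PATH, ~/rpmbuild is the build tree, and the
# SRPM, tarball, version and patch number are supplied by the caller.
set -eu

# Rewrite Version: and reset Release: to 1 while keeping %{?dist}.  Edits go
# through a temp file so this works with any POSIX sed, not only GNU sed -i.
spec_set_version() {   # spec newversion
    sed -e "s/^Version:[[:space:]]*.*/Version: $2/" \
        -e "s/^Release:[[:space:]]*[0-9][0-9]*/Release: 1/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Comment out both halves of patch N: the PatchN: declaration and the
# %patchN line in %prep.  "%patchN" is matched only when followed by a
# non-digit or end of line, so disabling patch 1 does not touch %patch10.
spec_disable_patch() {   # spec N
    sed -e "s/^Patch$2:/# &/" \
        -e "s/^%patch$2$/# &/" \
        -e "s/^%patch$2\([^0-9]\)/# &/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Number of Patch lines still enabled; worth a glance before rpmbuild so a
# disabled patch is a deliberate choice rather than a surprise.
spec_enabled_patches() {   # spec
    grep -c '^Patch[0-9]*:' "$1" || true
}

# The full rebuild.  rpm -i on a src.rpm unpacks it into ~/rpmbuild/SOURCES
# and SPECS when run as an unprivileged user with the build tree set up.
rebuild_openswan() {   # srpm newtarball newversion [patch-number-to-disable]
    rpm -i "$1"
    cp "$2" "$HOME/rpmbuild/SOURCES/"
    spec=$HOME/rpmbuild/SPECS/openswan.spec
    spec_set_version "$spec" "$3"
    [ -z "${4:-}" ] || spec_disable_patch "$spec" "$4"
    echo "patches still enabled: $(spec_enabled_patches "$spec")"
    rpmbuild -ba "$spec"
}

# Usage: sh rebuild.sh rebuild SRPM TARBALL VERSION [PATCHNUM]
if [ "${1:-}" = rebuild ]; then
    [ $# -ge 4 ] || { echo "usage: $0 rebuild SRPM TARBALL VERSION [PATCHNUM]" >&2; exit 2; }
    rebuild_openswan "$2" "$3" "$4" "${5:-}"
fi
```

If rpmbuild still stops on a different patch, run spec_disable_patch again with that number and retry; the spec itself (and its make invocation, including the USE_LIBNSS setting Greg used by hand) is the thing to read if you want the rebuilt binary to look for its files where the Fedora package does.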
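
Added example for the README.nss "Migrating Certificates" route Mike summarises (export key and cert to a PKCS#12 file, import it into the NSS database), plus the check Greg was missing: confirming the private key is actually in the database before pluto complains "unable to locate my private key".  This is not code from the thread or from the Openswan project; it assumes certutil and pk12util from nss-tools and openssl on PATH, and the database directory, password file and nickname are hypothetical.  The demo generates a throwaway self-signed key and cert so it can run offline.

```sh
#!/bin/sh
# Added example, not from the thread or from the Openswan project.
# Migrate an existing PEM private key + certificate into an NSS database of
# the kind an NSS-enabled Openswan 2.6.x expects in /etc/ipsec.d, via PKCS#12,
# and verify the private key really landed there.
# Assumptions: certutil, pk12util (nss-tools) and openssl are on PATH; the
# database directory, password file and nickname below are hypothetical.
set -eu

# Create an empty NSS database with its password read from a file (certutil
# prompts interactively otherwise).  How pluto is given that password for an
# NSS build is covered in README.nss, not here.
nss_init_db() {   # dbdir pwfile
    db=$1 pwfile=$2
    mkdir -p "$db"
    certutil -N -d "$db" -f "$pwfile"
}

# Export key + cert to a throwaway PKCS#12 bundle and import it under a
# nickname.  The transport password is random and the bundle is deleted right
# after import.  PBE-SHA1-3DES is used only so the bundle is also readable by
# the older NSS of the thread's era; it never outlives this function.
nss_import_pem() {   # dbdir pwfile key.pem cert.pem nickname
    db=$1 pwfile=$2 key=$3 cert=$4 nick=$5
    p12=$(mktemp)
    p12pw=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -out "$p12" -passout "pass:$p12pw"
    pk12util -i "$p12" -d "$db" -K "$(cat "$pwfile")" -W "$p12pw"
    rm -f "$p12"
}

# Succeed only if certutil lists a private key under that nickname.  This is
# the pre-flight check for "unable to locate my private key for RSA Signature":
# a cert without its key (certutil -L shows it, certutil -K does not) fails here.
nss_has_private_key() {   # dbdir pwfile nickname
    db=$1 pwfile=$2 nick=$3
    certutil -K -d "$db" -f "$pwfile" 2>/dev/null | grep -q -- "$nick"
}

# Stand-alone demo with a constructed self-signed key/cert in a temp dir.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    printf 'db-secret\n' > "$t/pw"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=fw.example.test" -keyout "$t/key.pem" -out "$t/cert.pem"
    nss_init_db "$t/db" "$t/pw"
    nss_import_pem "$t/db" "$t/pw" "$t/key.pem" "$t/cert.pem" fwhostkey
    if nss_has_private_key "$t/db" "$t/pw" fwhostkey; then
        echo "private key fwhostkey present in $t/db"
    else
        echo "import failed: no private key fwhostkey in $t/db" >&2; exit 1
    fi
fi
```

For a real firewall replacement, point nss_import_pem at the old box's PEM key and cert with the database at /etc/ipsec.d, then run nss_has_private_key before starting pluto; if the key is absent from certutil -K output, nothing in ipsec.secrets will make RSA signing work.  Keys that only exist in the old newhostkey text format (hostkey.secrets) are not covered by this path; that is the case Mike describes as having been a dead end.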