[Openswan Users] ipsec newhostkey --configdir broken ???

Michael H. Warfield mhw at WittsEnd.com
Fri Jan 21 09:50:54 EST 2011

On Fri, 2011-01-21 at 09:40 -0500, Michael H. Warfield wrote: 
> On Wed, 2011-01-19 at 16:20 -0600, Greg Scott wrote:
> > I ended up working around the problem by installing a Fedora RPM. That
> > system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora
> > 12. So that's what I ended up with. But first, I removed 2.6.32 and
> > installed 2.6.31 from source. ipsec newhostkey with --configdir switch
> > did not fail with 2.6.31, but it also finished immediately and didn't
> > generate anything. So I removed 2.6.31 and installed the Fedora RPM
> > and all worked as expected. 
> 1) Fedora 12 is EOL and you should be using something more up to date.
> 2) You can get the 2.6.31 rpm from the F14 repos.
> 3) If you want to rebuild from source but want it to match the Fedora
> configuration, download the source RPM and install that and then install
> the newer source in the rpmbuild/SOURCES directory and update the
> rpmbuild/SPECS/openswan.spec file for the new version and rebuild it
> that way.  I do that routinely.  Once in a while it will get bitchy
> about one patch or another but that generally just means it's a fix that
> got incorporated so I just disable the patch and go again.  I don't
> think I ran into that at all from 2.6.31 to 2.6.32 though.  I think that
> will rebuild cleanly.

Sorry, I should have added that, if you want the F14 srpm and you really
don't want to upgrade to F13 or F14, I would recommend just pulling it
with yumdownloader...

yumdownloader --releasever=14 --source openswan

Then rebuild it on your system with...

"rpmbuild --rebuild openswan-2.6.31-1.fc14.src.rpm"

If you have all the other pieces you need (you should if you were able
to compile it from source before) that should succeed and you'll have
2.6.31 rpms for F12.  In that case, go ahead and install the .srpm and
then the 2.6.32 sources and rebuild as described above.  Should go

> > Go figure.  

> > This was how I built from source:
> > cp openswan-2.6.32.tar.gz /usr/local/src
> > cd /usr/local/src
> > tar zxvf openswan-2.6.32.tar.gz
> > cd openswan-2.6.32
> > make USE_LIBNSS=true programs install
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> That's probably where you are getting some mismatches between things.
> Look in the source rpm spec file and how they configure and build it.
> This will end up putting things in /usr/local and look for things in the
> wrong directories compared to the Fedora locations. 
> > I have a hunch when I built from source, I didn't get in whatever I
> > needed for that NSS database and that was the root of my troubles. 
> > Is there any documentation for how to use this new NSS database? I
> > still don't know how to import and export keys to/from hostkey.secrets
> > and this complicates firewall replacements and made my life more
> > stressful today. 
> Yeah, this pretty much sucks royally.  NSS is such a PITA that I
> typically just rebuild the RPM and disable NSS and FIPS checking since I
> need neither of them.  I understand the motivation behind Fedora and RH
> moving to this (unified crypto and key management, FIPS compliance, etc,
> etc, etc) but someone should have given some serious thought to smooth
> migration of existing sites.  At one point (and I hope like hell it's
> not still true) you could not "import" existing private keys into the
> NSS database.  At least I never got it to work and there are articles
> (old at this point) that claim it was broken scattered on the net.
> Yeah, that move was poorly thought out.  Regenerating stacks and stacks
> of certificates on dozens of machines just because I couldn't import
> their existing private key was NOT AN OPTION for me.  Maybe they've fixed
> that and maybe it works smoother now.  I would love to be corrected on
> this, PLEASE.  I know, what I should do is go back and retest now with
> the latest nss tools.  Maybe I'll do that today myself.
> Have you read the document README.nss?
> /usr/share/doc/openswan-doc-2.6.32/README.nss
> You'll find lots of good information in there.  Certainly, from the
> sounds of the section on "Migrating Certificates" it would sound like
> you can simply export the key and cert to a .p12 pkcs12 file and then
> import it into the database, but I wasn't able to get that to work, at
> least not early on.  It may actually work now.
> > thanks
> > - Greg Scott
> Regards,
> Mike
> ________________________________
> > 
> > From: users-bounces at openswan.org on behalf of Greg Scott
> > Sent: Wed 1/19/2011 2:37 PM
> > To: users at openswan.org
> > Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
> > 
> > 
> > 
> > I'm in a world of hurt.  I am trying to set up openswan 2.6.32 on a live system that died.  This is an install from source.  I build a new empty nss database in /etc/ipsec.d like this:
> > 
> > certutil -N -d /etc/ipsec.d
> > 
> > and then try to generate a new hostkey, like this:
> > 
> > ipsec newhostkey --configdir /etc/ipsec.d \
> >  --output /etc/ipsec.d/hostkey.secrets \
> >  --verbose \
> >  --hostname xxx-fw
> > 
> > This fails with:
> > 
> > /usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
> > 
> > So I do ipsec newhostkey without any --configdir parameter.  This runs to completion and generates a good hostkey.secrets file.  But I have a hunch it never populates any of the .db files in any nss database.
> > 
> > Later on when I start everything up, I see this in /var/log/secure:
> > 
> > Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to locate my private key for RSA Signatur
> > 
> > And I'll bet that's because it's trying to read the key from that nss database, which doesn't get populated because that --configdir parameter seems to be broken.  This worked for at least 18 months and several installations with different versions.  But now it breaks with 2.6.32.  Or what am I doing wrong?
> > 
> > thanks
> > 
> > - Greg Scott

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
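The PKCS#12 export/import path that the README.nss "Migrating Certificates" section describes, written out as an added example; this is not code from the thread or from Openswan itself. It assumes openssl and the nss-tools binaries (certutil, pk12util) are installed, runs entirely in a scratch directory rather than in /etc/ipsec.d, takes the nickname xxx-fw from the hostname in the original post, and generates a throwaway key and certificate on the spot as stand-ins for the existing ones a site would actually be migrating.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: walk the
# README.nss "Migrating Certificates" path end to end in a scratch
# directory, so each step can be checked before touching /etc/ipsec.d.
# Assumes openssl plus certutil and pk12util (nss-tools) are installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NICK=xxx-fw      # nickname pluto will see; hostname taken from the original post

have_nss_tools() {
    command -v openssl >/dev/null 2>&1 &&
    command -v certutil >/dev/null 2>&1 &&
    command -v pk12util >/dev/null 2>&1
}

# Stand-in for the key and certificate a site already has (constructed here;
# in real life these are the existing files you do not want to regenerate).
make_legacy_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$NICK" \
        -keyout "$WORK/hostkey.pem" -out "$WORK/hostcert.pem" 2>/dev/null
}

# Step 1: export key + cert as one PKCS#12 bundle. The friendly name becomes
# the NSS nickname. SHA1/3DES PBE is forced so older pk12util builds can read
# the bundle; current NSS also accepts the OpenSSL 3 AES default.
export_pkcs12() {
    printf 'p12-transport-pass\n' > "$WORK/p12pass"
    chmod 600 "$WORK/p12pass"
    openssl pkcs12 -export -name "$NICK" \
        -inkey "$WORK/hostkey.pem" -in "$WORK/hostcert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "file:$WORK/p12pass" -out "$WORK/$NICK.p12"
}

# Step 2: create the empty database (the certutil -N from the original post).
# A DB password is used here so the run is non-interactive; a database in
# /etc/ipsec.d normally has an empty one, otherwise pluto needs it as well.
init_nss_db() {
    mkdir -p "$WORK/ipsec.d"
    printf 'db-pass\n' > "$WORK/dbpass"
    chmod 600 "$WORK/dbpass"
    certutil -N -d "$WORK/ipsec.d" -f "$WORK/dbpass"
}

# Step 3: import the bundle. This is the step that populates the key
# database; -k is the DB password file, -w the PKCS#12 password file.
import_pkcs12() {
    pk12util -i "$WORK/$NICK.p12" -d "$WORK/ipsec.d" \
        -k "$WORK/dbpass" -w "$WORK/p12pass" >/dev/null
}

# Step 4: the check to run when pluto logs "unable to locate my private
# key": certutil -K lists private keys, so the nickname must appear here,
# not only in the certificate list from certutil -L.
verify_key_present() {
    certutil -K -d "$WORK/ipsec.d" -f "$WORK/dbpass" | grep -q "$NICK"
}

run_migration() {
    make_legacy_key_and_cert
    export_pkcs12
    init_nss_db
    import_pkcs12
    verify_key_present
}

if have_nss_tools; then
    run_migration && echo "private key for $NICK imported and visible to certutil -K"
else
    echo "openssl/certutil/pk12util not all installed; nothing executed" >&2
fi
```

Against a real /etc/ipsec.d the same two commands are the useful diagnostic: `certutil -L -d /etc/ipsec.d` shows which certificates the database holds and `certutil -K -d /etc/ipsec.d` shows which private keys; a certificate that appears in the first list but has no matching entry in the second is exactly the situation in which pluto cannot find a key to sign with.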