[Openswan Users] ipsec newhostkey --configdir broken ???

Michael H. Warfield mhw at WittsEnd.com
Sun Jan 23 14:14:56 EST 2011

On Fri, 2011-01-21 at 09:40 -0500, Michael H. Warfield wrote: 
> On Wed, 2011-01-19 at 16:20 -0600, Greg Scott wrote:
> > I ended up working around the problem by installing a Fedora RPM. That
> > system is running Fedora 12, and Red Hat has a 2.6.29-1 RPM for Fedora
> > 12. So that's what I ended up with. But first, I removed 2.6.32 and
> > installed 2.6.31 from source. ipsec newhostkey with --configdir switch
> > did not fail with 2.6.31, but it also finished immediately and didn't
> > generate anything. So I removed 2.6.31 and installed the Fedora RPM
> > and all worked as expected. 
> 1) Fedora 12 is EOL and you should be using something more up to date.
> 2) You can get the 2.6.31 rpm from the F14 repos.
> 3) If you want to rebuild from source but want it to match the Fedora
> configuration, download the source RPM and install that and then install
> the newer source in the rpmbuild/SOURCES directory and update the
> rpmbuild/SPECS/openswan.spec file for the new version and rebuild it
> that way.  I do that routinely.  Once in a while it will get bitchy
> about one patch or another but that generally just means it's a fix that
> got incorporated so I just disable the patch and go again.  I don't
> think I ran into that at all from 2.6.31 to 2.6.32 though.  I think that
> will rebuild cleanly.
> > Go figure.  
> > This was how I built from source:
> > cp openswan-2.6.32.tar.gz /usr/local/src
> > cd /usr/local/src
> > tar zxvf openswan-2.6.32.tar.gz
> > cd openswan-2.6.32
> > make USE_LIBNSS=true programs install
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> That's probably where you are getting some mismatches between things.
> Look in the source rpm spec file and how they configure and build it.
> This will end up putting things in /usr/local and look for things in the
> wrong directories compared to the Fedora locations. 
> > I have a hunch when I built from source, I didn't get in whatever I
> > needed for that NSS database and that was the root of my troubles. 
> > Is there any documentation for how to use this new NSS database? I
> > still don't know how to import and export keys to/from hostkey.secrets
> > and this complicates firewall replacements and made my life more
> > stressful today. 
> Yeah, this pretty much sucks royally.  NSS is such a PITA that I
> typically just rebuild the RPM and disable NSS and FIPS checking since I
> need neither of them.  I understand the motivation behind Fedora and RH
> moving to this (unified crypto and key management, FIPS compliance, etc,
> etc, etc) but someone should have given some serious thought to smooth
> migration of existing sites.  At one point (and I hope like hell it's
> not still true) you could not "import" existing private keys into the
> NSS database.  At least I never got it to work and there are articles
> (old at this point) that claim it was broken scattered on the net.
> Yeah, that move was poorly thought out.  Regenerating stacks and stacks
> of certificates on dozens of machines just because I couldn't import
> their existing private key was NOT AN OPTION for me.  Maybe they've fixed
> that and maybe it works smoother now.  I would love to be corrected on
> this, PLEASE.  I know, what I should do is go back and retest now with
> the latest nss tools.  Maybe I'll do that today myself.
> Have you read the document README.nss?
> /usr/share/doc/openswan-doc-2.6.32/README.nss
> You'll find lots of good information in there.  Certainly, from the
> sounds of the section on "Migrating Certificates" it would sound like
> you can simply export the key and cert to a .p12 pkcs12 file and then
> import it into the database, but I wasn't able to get that to work, at
> least not early on.  It may actually work now.

I did finally get this to work.  There is either a bug in Openswan where
it fails to read client certificates or there are some missing steps in
the README.nss file where you have to import peer certificates into the
NSS database for which you do not have the private keys.  I'll probably
be posting more on that later under its own thread and subject.  I've
now gotten it to the point where I can script the conversion from my
convention of names and files into a convention of names and files and
NSS database with nicknames where the same configs work either way.
> > thanks
> > - Greg Scott
> Regards,
> Mike
> ________________________________
> > 
> > From: users-bounces at openswan.org on behalf of Greg Scott
> > Sent: Wed 1/19/2011 2:37 PM
> > To: users at openswan.org
> > Subject: [Openswan Users] ipsec newhostkey --configdir broken ???
> > 
> > I'm in a world of hurt.  I am trying to set up openswan 2.6.32 on a live system that died.  This is an install from source.  I build a new empty nss database in /etc/ipsec.d like this:
> > 
> > certutil -N -d /etc/ipsec.d
> > 
> > and then try to generate a new hostkey, like this:
> > 
> > ipsec newhostkey --configdir /etc/ipsec.d \
> >  --output /etc/ipsec.d/hostkey.secrets \
> >  --verbose \
> >  --hostname xxx-fw
> > 
> > This fails with:
> > 
> > /usr/local/libexec/ipsec/rsasigkey: unrecognized option '--configdir'
> > 
> > So I do ipsec newhostkey without any --configdir parameter.  This runs to completion and generates a good hostkey.secrets file.  But I have a hunch it never populates any of the .db files in any nss database.
> > 
> > Later on when I start everything up, I see this in /var/log/secure:
> > 
> > Jan 19 13:37:00 localhost pluto[13939]: "colo-hqmirror" #2: unable to locate my private key for RSA Signatur
> > 
> > And I'll bet that's because it's trying to read the key from that nss database, which doesn't get populated because that --configdir parameter seems to be broken.  This worked for at least 18 months and several installations with different versions.  But now it breaks with 2.6.32.  Or what am I doing wrong?
> > 
> > thanks
> > 
> > - Greg Scott

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
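Added example, not from this thread or from the Openswan project: a few POSIX sh helpers for the NSS workflow the thread circles around (initialise the database with certutil -N as Greg did, import the host's own key and certificate from the .p12 that README.nss has you export, import peer certificates for which you hold no private key, and check whether the installed rsasigkey was built with --configdir support at all). The /etc/ipsec.d layout and the file-name-to-nickname convention are assumptions; the certutil and pk12util options are the standard NSS tool options.

```shell
#!/bin/sh
# Helpers for populating an Openswan NSS database (added example; the
# directory layout and the nickname convention are assumptions).
set -eu

# Derive the NSS nickname from a certificate or bundle file name,
# e.g. /etc/ipsec.d/certs/colo-hqmirror.pem -> colo-hqmirror
nick_from_file() {
    f=${1##*/}               # strip leading directories
    printf '%s\n' "${f%.*}"  # strip the last extension
}

# The failure in the thread ("unrecognized option '--configdir'") means
# rsasigkey was built without NSS; this returns 0 only if it knows the flag.
rsasigkey_knows_configdir() {
    command -v ipsec >/dev/null 2>&1 || return 2
    ipsec rsasigkey --help 2>&1 | grep -q -- '--configdir'
}

# Create an empty NSS database in $1 unless one is already there
# (same certutil -N step as in the original post; it prompts for a password).
nss_init_db() {
    db=$1
    [ -f "$db/cert8.db" ] || [ -f "$db/cert9.db" ] || certutil -N -d "$db"
}

# Import the host's own private key + certificate from a PKCS#12 bundle
# (the "Migrating Certificates" route README.nss describes).
nss_import_p12() {
    db=$1; p12=$2
    pk12util -i "$p12" -d "$db"
}

# Import a peer certificate we have no private key for.  It is added under
# its file-derived nickname with trust flags "P,," (trusted peer) so pluto
# can resolve rightcert=<nickname> against the database; -a accepts PEM.
nss_import_peer_cert() {
    db=$1; pem=$2
    certutil -A -d "$db" -n "$(nick_from_file "$pem")" -t "P,," -a -i "$pem"
}

# Show what pluto will actually be able to find: certs, then private keys.
nss_show() {
    db=$1
    certutil -L -d "$db"
    certutil -K -d "$db"
}
```

Typical use is `nss_init_db /etc/ipsec.d; nss_import_p12 /etc/ipsec.d xxx-fw.p12; for p in peers/*.pem; do nss_import_peer_cert /etc/ipsec.d "$p"; done; nss_show /etc/ipsec.d`, after checking `rsasigkey_knows_configdir` so that `ipsec newhostkey --configdir` will not fail the way it did in the thread.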