[Openswan Users] Unexpected error: "could not open host cert with nick name in NSS DB"
Graham Leggett
minfrin at sharp.fm
Fri Jun 15 16:50:32 EDT 2012
Hi all,
I am seeing some bizarre behaviour from openswan on FC17 (openswan-2.6.37-3.fc17.i686); it is complaining that a certificate doesn't exist, when certutil claims that it does.
The error appears as follows, and looks like a straightforward case of the cert being missing from the NSS database rooted at /etc/ipsec.d:
Jun 16 05:26:33 samantha pluto[23255]: loading secrets from "/etc/ipsec.d/radius.secrets"
Jun 16 05:26:33 samantha pluto[23255]: could not open host cert with nick name 'radius-samantha' in NSS DB
Jun 16 05:26:33 samantha pluto[23255]: "/etc/ipsec.d/radius.secrets" line 1: NSS certficate not found
certutil however disagrees, claiming the cert is present:
[root at samantha ipsec.d]# certutil -d sql:/etc/ipsec.d -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
radius-client-ca-cert C,C,C
radius-samantha u,u,u
X Server CA - x ,,
The /etc/ipsec.d/radius.secrets file is configured as follows:
[root at samantha ipsec.d]# cat /etc/ipsec.d/radius.secrets
: RSA radius-samantha
Digging a little deeper, for some bizarre reason the /etc/ipsec.d directory contains two databases, both cert8.db and cert9.db, which definitely looks wrong:
[root at samantha ipsec.d]# ls -al cert* key*
-rw------- 1 root root 65536 Jun 16 05:33 cert8.db
-rw------- 1 root root 14336 Jun 16 01:54 cert9.db
-rw------- 1 root root 16384 Jun 16 05:33 key3.db
-rw------- 1 root root 16384 Jun 16 01:54 key4.db
Moving these files elsewhere and cranking up openswan again confirms that the old format database is being created when it is missing:
[root at samantha ipsec.d]# ls -al cert* key*
-rw------- 1 root root 65536 Jun 16 05:37 cert8.db
-rw------- 1 root root 16384 Jun 16 05:37 key3.db
Does anyone know what the recommended way is of making sure openswan uses the correct NSS database type consistently and reliably on FC17?
Regards,
Graham
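An added check, not part of the original post, for the mixed-database state described above: it reports which NSS database formats are present in a directory, flags the case where both the legacy (cert8.db/key3.db) and the sqlite (cert9.db/key4.db) pair exist, and, assuming certutil is installed, looks a nickname up under each format's own `-d` prefix so a certificate that is visible under `sql:` but absent from the legacy database stands out.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an ipsec.d-style
# directory for NSS database formats and check a nickname in each one.
# The directory and nickname used in the test are constructed.

# Print the NSS database formats found in directory $1, one per line:
#   "dbm" when the legacy cert8.db/key3.db pair is present
#   "sql" when the sqlite cert9.db/key4.db pair is present
nss_db_formats() {
    dir=$1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && echo dbm
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && echo sql
    return 0
}

# Return 0 when exactly one format is present, 1 when both are present
# (the mixed state from the post, where pluto and certutil can disagree),
# and 2 when no complete database pair is found.
nss_db_state() {
    n=$(nss_db_formats "$1" | wc -l | tr -d ' ')
    case $n in
        1) return 0 ;;
        2) return 1 ;;
        *) return 2 ;;
    esac
}

# Look nickname $2 up in every database found in $1, using the matching
# certutil prefix ("dbm:" or "sql:"), and print one line per database.
# Requires certutil; returns 3 if it is not installed.
nss_find_nick() {
    dir=$1; nick=$2
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 3; }
    for fmt in $(nss_db_formats "$dir"); do
        if certutil -d "$fmt:$dir" -L -n "$nick" >/dev/null 2>&1; then
            echo "$fmt: found '$nick'"
        else
            echo "$fmt: no '$nick'"
        fi
    done
}
```

Running `nss_db_state /etc/ipsec.d` on the host from the post would return 1, and `nss_find_nick /etc/ipsec.d radius-samantha` would show the nickname under `sql:` only.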