On 12/23/11 4:38 PM, Benjamin Reed wrote:
>
> On 12/23/11 12:02 PM, Simo Sorce wrote:
> > One thing you can test is if the ca.crt exposed via http is the same
> > that is stored on the server in /etc/ipa/ca.crt
>
> they are identical, I did find that the errors file is complaining about
> this:
>
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.
>
So the ultimate problem is that the LDAP and HTTP certs got replaced with a
geotrust public cert, and the configuration client didn't like that.

Now, I have a new problem. I didn't think anything had changed, but the
server had a reboot and now I get this on startup, and the directory server
is just plain dead:

    [root@connect slapd-OPENNMS-COM]# /etc/init.d/dirsrv start
    Starting dirsrv:
        OPENNMS-COM...[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization: Can't find certificate (connect.opennms.com) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
    [07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization: Unable to retrieve private key for cert connect.opennms.com of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
    [07/Jan/2012:12:35:34 -0600] - SSL failure: None of the cipher are valid
    [07/Jan/2012:12:35:34 -0600] - ERROR: SSL Initialization phase 2 Failed.
                                                               [FAILED]

At this point, I will do whatever is the fastest way to get things back
online. I do want to keep my user schema if possible, even if I have to
make them reset their passwords. Is it possible to recover that if I just
blow my config away and start fresh?

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
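The two failure modes in this thread (attrcrypt unable to unwrap its symmetric keys after the cert was replaced, and the NSS database no longer holding the cert nickname named in cn=RSA,cn=encryption,cn=config) both leave distinctive lines in the 389-ds errors log. The following triage script is an added example, not code from the thread or from FreeIPA/389-ds; the sample log is constructed from the excerpts quoted above, and the function names are mine.

```python
"""Triage 389-ds errors-log lines for attrcrypt key-unwrap failures and
NSS database certificate lookup failures during SSL initialization."""
import re

# Constructed sample built from the log excerpts quoted in the thread above.
SAMPLE_LOG = """\
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[07/Jan/2012:12:35:34 -0600] - SSL alert: Security Initialization: Can't find certificate (connect.opennms.com) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[07/Jan/2012:12:35:34 -0600] - SSL failure: None of the cipher are valid
"""

# One log entry: "[timestamp] message"
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
# attrcrypt could not unwrap the per-cipher symmetric key with the current private key
UNWRAP_RE = re.compile(r"failed to unwrap key for cipher (?P<cipher>\S+)")
NOCIPHER_RE = re.compile(r"All prepared ciphers are not available")
# SSL init could not find the configured nickname in the NSS database
NOCERT_RE = re.compile(
    r"Can't find certificate \((?P<nick>[^)]+)\) for family (?P<family>\S+) "
    r"\((?P<nspr>[^)]*)\)"
)


def triage(log_text):
    """Summarise which ciphers lost their wrapped key, whether attribute
    encryption is unusable, and which cert nickname/family SSL init could
    not find (with the NSPR error text)."""
    report = {"unwrap_failed": [], "attrcrypt_unusable": False, "missing_certs": []}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        ts, msg = m.group("ts"), m.group("msg")
        u = UNWRAP_RE.search(msg)
        if u:
            report["unwrap_failed"].append((ts, u.group("cipher")))
        if NOCIPHER_RE.search(msg):
            report["attrcrypt_unusable"] = True
        n = NOCERT_RE.search(msg)
        if n:
            report["missing_certs"].append(
                {"ts": ts, "nickname": n.group("nick"),
                 "family": n.group("family"), "nspr": n.group("nspr")}
            )
    return report
```

Running it on the real `/var/log/dirsrv/slapd-*/errors` file tells you at a glance whether the wrapped keys were lost to a cert change (keep the old wrapped key value, as the log itself advises) or whether the NSS database simply no longer contains the nickname the encryption config points at.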