Hi,
I'm still trying to build a host-to-host vpn and it's now failing with
"Can't find the certificate or private key from the NSS CKA_ID". I
can't find any way to specify an explicit path, or even where it's
looking.
I found an old thread from Feb that indicated I should specify
---output /etc/ipsec.secrets to the newhostkey command, and I've done
that.
I've included below all the details I can think of to help
troubleshoot this. I've also tried specifying left/rightckaid and that
didn't work either.
This config involves two hosts - arcade (right, remote) and orion
(left, local). I'm using "east" and "west" in this /etc/ipsec.conf,
but have also tried using the actual hostnames.
[root@orion etc]# rpm -q libreswan
libreswan-3.25-3.fc28.x86_64
Here is the process I followed on arcade:
[root@arcade etc]# rm -f ipsec.conf
[root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
NSS database in /etc/ipsec.d not initialized.
Please run 'ipsec initnss --nssdir /etc/ipsec.d'
[root@arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database
[root@arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
Generated RSA key pair with CKAID
78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS
database
[root@arcade etc]# ipsec showhostkey --right --ckaid
78ade3745b30ac9c857147cc4de0dc1ca140e6f4
# rsakey AwEAAbEfZ
rightrsasigkey=0sAwEAAbEfZRzZ9Y3qC80mHpZFZ1qijnJ+dl+XMHhsvGLbcVkqiJYJ43tYH3fU6eWONm6icrJAouqIcyb9DlyVTIpxHeCjnQxbEJCPOLVZZ+V40SEHasDNmKQmEODhQAXOxx69Cy+3zTmZFWbHk4rud2LsVc3M/JUggRt+zcIFueR3wUjvQxeI/LkDKDMuaqbvRTs8TUa2CpZHbWmClex/q0SLz+P+vDeWPzUHPGAaOtAtvDpn4wgjZ0QquMdPIDL3QYNQRHQT5OAeFeWsi4dlWxpy9zv4NG305cWFkGNV4089kf4dTnGTJcnKEd1Gcfy4X33q+lq3kDPjg+GAt2guCGtlYbRK7AyxHB8BhQTM4YhFOjaMcyl18v6AA8FaSRf7LRnwMgeJ1QVKk0FGD02hW3VxIYuNu/DQA//aGJgQ1BD73+Y6BhDDpVP1Sf6oN13r3Cwpf48NoQETMo0LxG/38gDXWswQ7jRcePcXIXr9VFdaC3WoxoEe29ivEx87yfwcj6FxqHwMU6en+qj/M/5aDIN7PaOuoDY9UMlhB/TP6pc1dRcHX8gr6gsVKlV7hiKyNQdI2XANaGqGCAHYMK4ojPHojQZl3ApF/VU=
[root@arcade etc]# service ipsec restart
Redirecting to /bin/systemctl restart ipsec.service
[root@arcade etc]# ipsec auto --add mytunnel
002 "mytunnel": deleting non-instance connection
002 added connection description "mytunnel"
[root@arcade etc]# ipsec auto --up mytunnel
002 "mytunnel" #2: initiating Main Mode
104 "mytunnel" #2: STATE_MAIN_I1: initiate
106 "mytunnel" #2: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #2: ignoring informational payload
AUTHENTICATION_FAILED, msgid=00000000, length=12
003 "mytunnel" #2: received and ignored informational message
010 "mytunnel" #2: STATE_MAIN_I3: retransmission; will wait 0.5
seconds for response
003 "mytunnel" #2: ignoring informational payload
AUTHENTICATION_FAILED, msgid=00000000, length=12
003 "mytunnel" #2: received and ignored informational message
010 "mytunnel" #2: STATE_MAIN_I3: retransmission; will wait 1 seconds
for response
003 "mytunnel" #2: ignoring informational payload
AUTHENTICATION_FAILED, msgid=00000000, length=12
003 "mytunnel" #2: received and ignored informational message
Here is the process I followed on orion:
[root@orion ~]# ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database
[root@orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
/usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets"
exists, appending to it
Generated RSA key pair with CKAID
192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS
database
[root@orion ~]# ipsec showhostkey --left --ckaid
192fbeeba1b10bf1e427d7447e87e6270a0f8d64
# rsakey AwEAAcM3S
leftrsasigkey=0sAwEAAcM3S6rcG0ZP+BQiD6bS8ou3ksT7U+YAGC+5o/EJo82G1iT6temZdKct37DDAgQcWRVq7b1+eoNZ8UtCZcJ0mvA0MPVvU94n0sub6dOEp57OBNVvtd6FKVjnHxF1R2gMLu6uOWsqGMYFngOU+2Xkcl17d410KToMvGCigcy1jd+s1j4ARUU+2kNudbKc6efpjSoo6cKqd80BIvFKnAESUA02xddT0s+GemXcezCI0PJEo8TcFRE8JbQpWx2Rc1PmzoesJzatUUGBSDYeuUqjfkYWm8W+eKdHTVY0yizcTJcw2/qPzdg12SYvfuQDI5AQp6ufFOkU/mTsnOf/0nkMRGfCf5FkfjhCwWb4H0ngcbt23r3ClRIFXf3yifjX+28kkM3KTo/3GfVToP0AzEAAgEk+pC+bxb7nmOb5BunZ7L+d63GP4NxhVY4JANSTnHyKOP3wrtr/iZRQJIcU5L+IRodOIRfzxHBdkNie8+W8NmfpzUFv4KaNkWkCcO3xcKF72/VvYXBT3vQ7LYfK4ui7mAbjxIAbAdprF4KTunZSluguWUeV5wWOrLX5irLUw2/75KvcnekUDTtTibv06u6Xc3U=
[root@orion etc]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating Main Mode
104 "mytunnel" #1: STATE_MAIN_I1: initiate
010 "mytunnel" #1: STATE_MAIN_I1: retransmission; will wait 0.5
seconds for response
010 "mytunnel" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds
for response
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
003 "mytunnel" #1: unable to locate my private key for RSA Signature
224 "mytunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "mytunnel" #1: sending notification AUTHENTICATION_FAILED to
107.155.66.2:500
003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
003 "mytunnel" #1: unable to locate my private key for RSA Signature
224 "mytunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
In this version of /etc/ipsec.conf, I was experimenting with
left/rightckaid, but I've also uncommented left/rightsigkey and tried
that as well. The error messages above are from my attempt to use the
keys.
# /etc/ipsec.conf
# The version 2 is only required for compatibility with openswan
version 2
config setup
protostack=netkey
conn mytunnel
leftid=@west
left=68.195.193.42
# rsakey AwEAAcM3S
#leftrsasigkey=0sAwEAAcM3S6rcG0ZP+BQiD6bS8ou3ksT7U+YAGC+5o/EJo82G1iT6temZdKct37DDAgQcWRVq7b1+eoNZ8UtCZcJ0mvA0MPVvU94n0sub6dOEp57OBNVvtd6FKVjnHxF1R2gMLu6uOWsqGMYFngOU+2Xkcl17d410KToMvGCigcy1jd+s1j4ARUU+2kNudbKc6efpjSoo6cKqd80BIvFKnAESUA02xddT0s+GemXcezCI0PJEo8TcFRE8JbQpWx2Rc1PmzoesJzatUUGBSDYeuUqjfkYWm8W+eKdHTVY0yizcTJcw2/qPzdg12SYvfuQDI5AQp6ufFOkU/mTsnOf/0nkMRGfCf5FkfjhCwWb4H0ngcbt23r3ClRIFXf3yifjX+28kkM3KTo/3GfVToP0AzEAAgEk+pC+bxb7nmOb5BunZ7L+d63GP4NxhVY4JANSTnHyKOP3wrtr/iZRQJIcU5L+IRodOIRfzxHBdkNie8+W8NmfpzUFv4KaNkWkCcO3xcKF72/VvYXBT3vQ7LYfK4ui7mAbjxIAbAdprF4KTunZSluguWUeV5wWOrLX5irLUw2/75KvcnekUDTtTibv06u6Xc3U=
leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
rightid=@east
right=107.155.66.2
# rsakey AwEAAbEfZ
#rightrsasigkey=0sAwEAAbEfZRzZ9Y3qC80mHpZFZ1qijnJ+dl+XMHhsvGLbcVkqiJYJ43tYH3fU6eWONm6icrJAouqIcyb9DlyVTIpxHeCjnQxbEJCPOLVZZ+V40SEHasDNmKQmEODhQAXOxx69Cy+3zTmZFWbHk4rud2LsVc3M/JUggRt+zcIFueR3wUjvQxeI/LkDKDMuaqbvRTs8TUa2CpZHbWmClex/q0SLz+P+vDeWPzUHPGAaOtAtvDpn4wgjZ0QquMdPIDL3QYNQRHQT5OAeFeWsi4dlWxpy9zv4NG305cWFkGNV4089kf4dTnGTJcnKEd1Gcfy4X33q+lq3kDPjg+GAt2guCGtlYbRK7AyxHB8BhQTM4YhFOjaMcyl18v6AA8FaSRf7LRnwMgeJ1QVKk0FGD02hW3VxIYuNu/DQA//aGJgQ1BD73+Y6BhDDpVP1Sf6oN13r3Cwpf48NoQETMo0LxG/38gDXWswQ7jRcePcXIXr9VFdaC3WoxoEe29ivEx87yfwcj6FxqHwMU6en+qj/M/5aDIN7PaOuoDY9UMlhB/TP6pc1dRcHX8gr6gsVKlV7hiKyNQdI2XANaGqGCAHYMK4ojPHojQZl3ApF/VU=
rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
authby=rsasig
# use auto=start when done testing the tunnel
auto=add
Here is the output from an attempt to add the tunnel using
left/rightckaid instead of left/rightrsasigkey:
[root@orion etc]# ipsec auto --add mytunnel
002 "mytunnel": deleting non-instance connection
036 left certificate with CKAID
'192fbeeba1b10bf1e427d7447e87e6270a0f8d64' not found in NSS DB
036 right certificate with CKAID
'78ade3745b30ac9c857147cc4de0dc1ca140e6f4' not found in NSS DB
002 added connection description "mytunnel"
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
