Hi all,

I'm running FDS in multi-master mode with two servers. Both servers are configured with TLS support. One of the servers logs the following error:

[25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init
[25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init
[25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636 for LDAPS requests

Both servers seem to work just fine. Any ideas how this can be resolved?

Thanks,

Andreas
Andreas Kekkou wrote:
> I'm running FDS in multi-master mode with two servers. Both servers
> are configured with TLS support. One of the servers logs the following
> error:
>
> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init
> [...]
> Both servers seem to work just fine. Any ideas how this can be resolved?

Has your SSL/TLS configuration changed at all? Have you acquired a new cert or renewed an existing cert?

cd /opt/fedora-ds/alias
../shared/bin/certutil -L -P slapd-instance- -d .

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Hi Richard,

Nothing has changed. Executing the command you have suggested on both servers I get the same output:

[root@serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d .
serverA-cert                                  u,u,u
Computer Science Department CA                CT,,

[root@serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d .
serverB-cert                                  u,u,u
Computer Science Department CA                CT,,

Is there anything else I have to check?

Cheers.

Andreas

Richard Megginson wrote:
> Has your SSL/TLS configuration changed at all? Have you acquired a
> new cert or renewed an existing cert?
> cd /opt/fedora-ds/alias
> ../shared/bin/certutil -L -P slapd-instance- -d .
Andreas Kekkou wrote:
> Nothing has changed. Executing the command you have suggested on both
> servers I get the same output:
>
> [root@serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d .
> serverA-cert                                  u,u,u
> Computer Science Department CA                CT,,
>
> [root@serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d .
> serverB-cert                                  u,u,u
> Computer Science Department CA                CT,,
>
> Is there anything else I have to check?

grep -i personality /opt/fedora-ds/slapd-instancename/config/dse.ldif

The personality name should match the server cert name in your certdb.
Both names are exactly the same.

Richard Megginson wrote:
> grep -i personality /opt/fedora-ds/slapd-instancename/config/dse.ldif
>
> The personality name should match the server cert name in your
> certdb.
Andreas Kekkou wrote:
> Both names are exactly the same.

I'm not sure. If you are not using attribute encryption, and do not have any encrypted attribute values, you can simply remove the offending entries:

shut down the server
edit dse.ldif - remove the entries
  cn=AES, cn=encrypted attribute keys, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
and
  cn=AES, cn=encrypted attribute keys, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config
then restart the server
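An added example, not code from the thread or from the FDS project, that carries out the stop/edit/restart steps above as a script: it refuses to proceed if dse.ldif still configures any encrypted attributes (deleting the key would leave those stored values undecryptable), stops the instance, backs up dse.ldif, drops both cn=AES key entries by DN (case-insensitive, tolerant of spaces after commas, and unfolding wrapped LDIF lines), rewrites the file in place, and restarts. The /opt/fedora-ds/slapd-<instance>/stop-slapd and start-slapd paths follow the FDS 1.0 layout used in the thread; the cn=encrypted attributes container and the nsEncryptionAlgorithm/nsSymmetricKey attribute names are assumptions to check against your own dse.ldif; the sample dse.ldif built by make_sample_dse is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the FDS project): apply the thread's
# "stop, edit dse.ldif, restart" procedure as a script. Assumptions: FDS 1.0
# layout with /opt/fedora-ds/slapd-<instance>/{stop,start}-slapd, and the
# cn=encrypted attributes container / nsSymmetricKey attribute names.
set -eu

# Normalise a DN for comparison: lowercase, trimmed, no spaces around commas,
# so "cn=AES, cn=encrypted attribute keys, ..." matches the unspaced form in dse.ldif.
dn_norm() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^ *//' -e 's/ *$//' -e 's/ *, */,/g'
}

# Print LDIF file $1 with every entry whose DN is listed in $2.. removed.
# Works on whole entries (blank-line separated) and unfolds continuation
# lines of the dn: attribute, so a wrapped DN still matches.
ldif_remove_entries() {
  file="$1"; shift
  want=$(for d in "$@"; do dn_norm "$d"; echo; done)
  awk -v want="$want" '
    BEGIN {
      RS = ""; FS = "\n"; ORS = "\n\n"
      n = split(want, a, "\n")
      for (k = 1; k <= n; k++) if (a[k] != "") drop[a[k]] = 1
    }
    {
      dn = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dn:/) {
          dn = substr($i, 4)
          for (j = i + 1; j <= NF && $j ~ /^ /; j++) dn = dn substr($j, 2)
          break
        }
      }
      norm = tolower(dn)
      gsub(/^ +| +$/, "", norm); gsub(/ *, */, ",", norm)
      if (!(norm in drop)) print
    }' "$file"
}

# Count per-attribute encryption configs (children of cn=encrypted attributes).
# Non-zero means the AES key is still in use and must not be deleted.
ldif_count_encrypted_attrs() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       tolower($1) ~ /^dn: *cn=[^,]+, *cn=encrypted attributes,/ { n++ }
       END { print n + 0 }' "$1"
}

# Constructed sample dse.ldif with the two orphaned key entries from the
# thread (one DN folded across two lines); key material omitted.
make_sample_dse() {
  cat > "$1" <<'EOF'
dn: cn=config
cn: config
nsslapd-security: on

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: userRoot
nsslapd-suffix: dc=example,dc=com

dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config
cn: AES
nsEncryptionAlgorithm: AES
nsSymmetricKey: (wrapped key omitted)

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
cn: AES
nsEncryptionAlgorithm: AES
nsSymmetricKey: (wrapped key omitted)
EOF
}

USERROOT_KEY="cn=AES, cn=encrypted attribute keys, cn=userRoot, cn=ldbm database, cn=plugins, cn=config"
NETSCAPEROOT_KEY="cn=AES, cn=encrypted attribute keys, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config"

# The thread's procedure for instance $1 (e.g. serverA); run as root.
remove_orphaned_aes_keys() {
  inst="$1"; dse="/opt/fedora-ds/slapd-$inst/config/dse.ldif"
  if [ "$(ldif_count_encrypted_attrs "$dse")" -ne 0 ]; then
    echo "refusing: $dse still configures encrypted attributes; the AES key is in use" >&2
    return 1
  fi
  "/opt/fedora-ds/slapd-$inst/stop-slapd"
  cp -p "$dse" "$dse.bak.$(date +%Y%m%d%H%M%S)"
  ldif_remove_entries "$dse" "$USERROOT_KEY" "$NETSCAPEROOT_KEY" > "$dse.new"
  cat "$dse.new" > "$dse" && rm -f "$dse.new"   # keep owner/mode of dse.ldif
  "/opt/fedora-ds/slapd-$inst/start-slapd"
}

# Demonstration on the constructed sample only; no real instance is touched.
tmp=$(mktemp -d)
make_sample_dse "$tmp/dse.ldif"
ldif_remove_entries "$tmp/dse.ldif" "$USERROOT_KEY" "$NETSCAPEROOT_KEY" | grep '^dn: '
rm -rf "$tmp"
```

Run `remove_orphaned_aes_keys serverA` as root on the server that logs the attrcrypt errors; the demonstration at the bottom prints the three surviving DNs of the sample and touches no real instance. Keeping the backup file and rewriting dse.ldif through `cat >` rather than `mv` preserves the file's ownership and mode, which slapd needs to read it after the restart.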