[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

Paul Wouters paul at nohats.ca
Fri Sep 25 18:20:53 UTC 2015


On Fri, 25 Sep 2015, Tomas France wrote:

> Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5
> 
> OK, one more problem it seems. The RPM is installed and "ipsec verify" shows
> all green, except for "prelink" which shows "present" in yellow but that's
> probably not important for now.

It only matters if you will run in FIPS mode, in which case I recommend:

prelink -ua
rpm -e prelink

> But when starting the ipsec service, I now get this error:
>
> ----------------------
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
> database is in an old, unsupported format.
> Failed to initialize nss database sql:/etc/ipsec.d
> .Initializing NSS database
> See 'man pluto' if you want to protect the NSS database with a password
>
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
> database is in an old, unsupported format.
> Failed to initialize nss database sql:/etc/ipsec.d
> ----------------------
>
> I have not seen anything similar before.

The ipsec service should automatically have migrated that. Can you run:

ipsec checknss

It should convert from the old db files to the new db files. Or if you
never used NSS before and have no certificates or raw keys generated,
you can start a fresh one using:

ipsec initnss

Paul
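
Added example, not part of the original message or of libreswan: a read-only shell check that reports which NSS database format a directory holds and which of the two commands named in the reply fits. The function names and output labels are hypothetical; the file names are the standard NSS ones for the legacy DBM and SQLite formats.

```shell
#!/bin/sh
# Added example (not from the thread): report which NSS database format a
# directory holds. File names are NSS's standard ones:
#   legacy DBM format -> cert8.db key3.db secmod.db
#   SQLite "sql:"     -> cert9.db key4.db pkcs11.txt

nss_db_format() {
    dir=$1
    legacy=0
    sql=0
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    for f in cert8.db key3.db secmod.db; do
        if [ -e "$dir/$f" ]; then legacy=1; fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -e "$dir/$f" ]; then sql=1; fi
    done
    case "$legacy$sql" in
        10) echo legacy ;;
        01) echo sql ;;
        11) echo mixed ;;
        *)  echo empty ;;
    esac
}

# Map the detected format to the command suggested in the reply above.
# "empty" assumes NSS was never used here, the condition given for initnss.
nss_next_step() {
    case "$(nss_db_format "$1")" in
        legacy)  echo "ipsec checknss" ;;
        empty)   echo "ipsec initnss" ;;
        sql)     echo "none" ;;
        mixed)   echo "review" ;;
        missing) echo "no-directory" ;;
    esac
}

# Read-only check; /etc/ipsec.d is the path shown in the error output.
target=${1:-/etc/ipsec.d}
echo "$target: format=$(nss_db_format "$target") next=$(nss_next_step "$target")"
```

A "legacy" result matches the SEC_ERROR_LEGACY_DATABASE message quoted above: only the old-format files exist while the service opens the directory with the sql: prefix.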

