[Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

Tomas France tomfra at centrum.cz
Fri Sep 25 18:31:53 UTC 2015


The prelink trick worked, it's all "green" now.

However, both the "ipsec checknss" and "ipsec initnss" commands result in
the mentioned error. See below:

---------------------------------------
[root at fr4 logs]# ipsec checknss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.
Failed to initialize nss database sql:/etc/ipsec.d
[root at fr4 logs]# ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.
Failed to initialize nss database sql:/etc/ipsec.d
---------------------------------------

Tomas



-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: Friday, September 25, 2015 8:21 PM
To: Tomas France
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

On Fri, 25 Sep 2015, Tomas France wrote:

> Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 
> 5
> 
> OK, one more problem it seems. The RPM is installed and "ipsec verify" 
> shows all green, except for "prelink" which shows "present" in yellow 
> but that's probably not important for now.

It only matters if you will run in FIPS mode, in which case I recommend:

prelink -ua
rpm -e prelink

> But when starting the ipsec service, I now get this error:
>
> ----------------------
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The 
> certificate/key database is in an old, unsupported format.
> Failed to initialize nss database sql:/etc/ipsec.d .Initializing NSS 
> database See 'man pluto' if you want to protect the NSS database with 
> a password
>
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The 
> certificate/key database is in an old, unsupported format.
> Failed to initialize nss database sql:/etc/ipsec.d
> ----------------------
>
> I have not seen anything similar before.

The ipsec service should automatically have migrated that. Can you run:

ipsec checknss

it should convert from the old db files to the new db files. Or if you never
used NSS before and have no certificates or raw keys generated, you can
start a fresh one using:

ipsec initnss

Paul
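As an added example, not code from this thread or from libreswan itself: a small POSIX shell helper that tells the two cases in Paul's reply apart before anything is run against /etc/ipsec.d. It reports whether the directory holds a legacy NSS database (the standard dbm file names cert8.db, key3.db, secmod.db), a sql-format one (cert9.db, key4.db, pkcs11.txt), or nothing at all, maps that to "ipsec checknss" (migrate) or "ipsec initnss" (start fresh), and copies the existing files aside first so a failed migration cannot cost you keys or certificates. The function names, the backup directory naming and the constructed sample directories are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (not part of libreswan): classify an NSS database
# directory and pick the command Paul's reply recommends for it.

# Print one of: legacy, sql, mixed, empty
nss_db_format() {
    dir="$1"
    legacy=0
    sql=0
    # Legacy (dbm) NSS files
    for f in cert8.db key3.db secmod.db; do
        if [ -e "$dir/$f" ]; then legacy=1; fi
    done
    # sql (sqlite) NSS files, the format libreswan opens as sql:/etc/ipsec.d
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -e "$dir/$f" ]; then sql=1; fi
    done
    if [ "$legacy" -eq 1 ] && [ "$sql" -eq 1 ]; then
        echo mixed
    elif [ "$legacy" -eq 1 ]; then
        echo legacy
    elif [ "$sql" -eq 1 ]; then
        echo sql
    else
        echo empty
    fi
}

# Map the format to the command from the thread; "none" if nothing to do.
nss_db_advice() {
    case "$(nss_db_format "$1")" in
        legacy|mixed) echo "ipsec checknss" ;;   # convert old db files
        empty)        echo "ipsec initnss" ;;    # never used NSS: start fresh
        sql)          echo "none" ;;             # already in the new format
    esac
}

# Copy the database files aside before any migration; prints the backup dir.
# Second argument overrides the default "<dir>.bak-<timestamp>" location.
nss_db_backup() {
    dir="$1"
    dest="${2:-$dir.bak-$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$dest"
    # Globs that match nothing make cp fail; that is harmless here.
    cp -p "$dir"/*.db "$dir"/*.txt "$dest"/ 2>/dev/null || true
    echo "$dest"
}

# Usage: sh nss_check.sh /etc/ipsec.d
if [ -n "$1" ]; then
    echo "format: $(nss_db_format "$1")"
    echo "advice: $(nss_db_advice "$1")"
fi
```

Run it as root against the real directory first to see which case applies; take the backup, then run the advised command and confirm the format flips to "sql".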


