[Swan] host-to-host config fails with Can't find the certificate or private key

Alex mysqlstudent at gmail.com
Tue Oct 2 21:20:54 UTC 2018


Hi,

I'm still trying to build a host-to-host VPN and it's now failing with
"Can't find the certificate or private key from the NSS CKA_ID". I
can't find any way to specify an explicit path, or even where it's
looking.

I found an old thread from Feb that indicated I should specify
--output /etc/ipsec.secrets to the newhostkey command, and I've done
that.

I've included below all the details I can think of to help
troubleshoot this. I've also tried specifying left/rightckaid and that
didn't work either.

This config involves two hosts - arcade (right, remote) and orion
(left, local). I'm using "east" and "west" in this /etc/ipsec.conf,
but have also tried using the actual hostnames.

[root at orion etc]# rpm -q libreswan
libreswan-3.25-3.fc28.x86_64

Here is the process I followed on arcade:
[root at arcade etc]# rm -f ipsec.conf
[root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
NSS database in /etc/ipsec.d not initialized.
    Please run 'ipsec initnss --nssdir /etc/ipsec.d'
[root at arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database

[root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
Generated RSA key pair with CKAID 78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS database
[root at arcade etc]# ipsec showhostkey --right --ckaid 78ade3745b30ac9c857147cc4de0dc1ca140e6f4
        # rsakey AwEAAbEfZ
        rightrsasigkey=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
[root at arcade etc]# service ipsec restart
Redirecting to /bin/systemctl restart ipsec.service
[root at arcade etc]# ipsec auto --add mytunnel
002 "mytunnel": deleting non-instance connection
002 added connection description "mytunnel"
[root at arcade etc]# ipsec auto --up mytunnel
002 "mytunnel" #2: initiating Main Mode
104 "mytunnel" #2: STATE_MAIN_I1: initiate
106 "mytunnel" #2: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
003 "mytunnel" #2: received and ignored informational message
010 "mytunnel" #2: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
003 "mytunnel" #2: received and ignored informational message
010 "mytunnel" #2: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
003 "mytunnel" #2: received and ignored informational message

Here is the process I followed on orion:
[root at orion ~]# ipsec initnss --nssdir /etc/ipsec.d
Initializing NSS database

[root at orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
/usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets" exists, appending to it
Generated RSA key pair with CKAID 192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS database
[root at orion ~]# ipsec showhostkey --left --ckaid 192fbeeba1b10bf1e427d7447e87e6270a0f8d64
        # rsakey AwEAAcM3S
        leftrsasigkey=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

[root at orion etc]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating Main Mode
104 "mytunnel" #1: STATE_MAIN_I1: initiate
010 "mytunnel" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
010 "mytunnel" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
003 "mytunnel" #1: unable to locate my private key for RSA Signature
224 "mytunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "mytunnel" #1: sending notification AUTHENTICATION_FAILED to 107.155.66.2:500
003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
003 "mytunnel" #1: unable to locate my private key for RSA Signature
224 "mytunnel" #1: STATE_MAIN_I2: AUTHENTICATION_FAILED


In this version of /etc/ipsec.conf, I was experimenting with
left/rightckaid, but I've also uncommented left/rightrsasigkey and tried
that as well. The error messages above are from my attempt to use the
keys.

# /etc/ipsec.conf
# The version 2 is only required for compatibility with openswan
version 2

config setup
    protostack=netkey

conn mytunnel
    leftid=@west
    left=68.195.193.42
        # rsakey AwEAAcM3S
        #leftrsasigkey=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
        leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
    rightid=@east
    right=107.155.66.2
        # rsakey AwEAAbEfZ
        #rightrsasigkey=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
        rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
    authby=rsasig
    # use auto=start when done testing the tunnel
    auto=add

Here is the output from an attempt to add the tunnel using
left/rightckaid instead of left/rightrsasigkey:

[root at orion etc]# ipsec auto --add mytunnel
002 "mytunnel": deleting non-instance connection
036 left certificate with CKAID '192fbeeba1b10bf1e427d7447e87e6270a0f8d64' not found in NSS DB
036 right certificate with CKAID '78ade3745b30ac9c857147cc4de0dc1ca140e6f4' not found in NSS DB
002 added connection description "mytunnel"
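A small diagnostic for the situation described in this post, added here as an example and not part of the original message or of libreswan: it reads the leftckaid/rightckaid values out of a conn and checks each one against the CKAIDs actually present in this host's NSS database, as listed by `ipsec showhostkey --list` (or `certutil -K`). The conn text and the key listing below are constructed samples modelled on the post; the exact layout of the listing line is an assumption, and the check only relies on the 40-hex-digit CKAID token.

```python
import re

# Constructed sample conn in the style of the post (not the poster's file).
SAMPLE_CONF = """\
conn mytunnel
    leftid=@west
    left=68.195.193.42
        leftckaid=192fbeeba1b10bf1e427d7447e87e6270a0f8d64
    rightid=@east
    right=107.155.66.2
        rightckaid=78ade3745b30ac9c857147cc4de0dc1ca140e6f4
    authby=rsasig
"""

# Constructed sample of a host key listing on the left host: only its own
# key pair is in its NSS database. Line layout is an assumption; the keyid
# value is a placeholder.
SAMPLE_LIST = ("<  1> RSA keyid: AQOconstructed "
               "ckaid: 192fbeeba1b10bf1e427d7447e87e6270a0f8d64\n")

CKAID = r"[0-9a-fA-F]{40}"

def conf_ckaids(conf_text):
    """Map 'left'/'right' to the ckaid= value set for that side of the conn."""
    pat = re.compile(r"^\s*(left|right)ckaid\s*=\s*(" + CKAID + r")\s*$", re.M)
    return {m.group(1): m.group(2).lower() for m in pat.finditer(conf_text)}

def nss_ckaids(listing):
    """Set of CKAIDs present in the local NSS database, from a key listing."""
    return {c.lower() for c in re.findall(r"\b" + CKAID + r"\b", listing)}

def check_ckaids(conf_text, listing):
    """Return {side: 'present' | 'missing'} for each side that uses a CKAID.

    Every CKAID in the conn is looked up in *this* host's NSS database: the
    local side's CKAID has to be there, while a remote side's CKAID can only
    resolve if that peer's key or certificate was imported into this DB.
    """
    present = nss_ckaids(listing)
    return {side: ("present" if ck in present else "missing")
            for side, ck in conf_ckaids(conf_text).items()}

if __name__ == "__main__":
    for side, status in check_ckaids(SAMPLE_CONF, SAMPLE_LIST).items():
        print(f"{side}ckaid: {status} in local NSS DB")
```

Run it on a real host by replacing the two samples with the contents of /etc/ipsec.conf and the output of `ipsec showhostkey --list`; a "missing" result for the local side means the CKAID in the conn does not match any key in the NSS database the daemon is using.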

