[Swan] host-to-host config fails with Can't find the certificate or private key

Alex mysqlstudent at gmail.com
Wed Oct 3 00:43:48 UTC 2018


Hi,

On Tue, Oct 2, 2018 at 5:54 PM Paul Wouters <paul at nohats.ca> wrote:
>
> On Tue, 2 Oct 2018, Alex wrote:
>
> > Here is the process I followed on arcade:
> > [root at arcade etc]# rm -f ipsec.conf
> > [root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
> > NSS database in /etc/ipsec.d not initialized.
> >    Please run 'ipsec initnss --nssdir /etc/ipsec.d'
> > [root at arcade etc]# ipsec initnss --nssdir /etc/ipsec.d
> > Initializing NSS database
> >
> > [root at arcade etc]# ipsec newhostkey --output /etc/ipsec.secrets
> > Generated RSA key pair with CKAID
> > 78ade3745b30ac9c857147cc4de0dc1ca140e6f4 was stored in the NSS
> > database
>
> You do not need to use --output /etc/ipsec.secrets anymore for RSA/ECDSA
> keys.
>
> > [root at arcade etc]# ipsec showhostkey --right --ckaid
> > 78ade3745b30ac9c857147cc4de0dc1ca140e6f4
> >        # rsakey AwEAAbEfZ
> >        rightrsasigkey=<key elided>
>
> So did you add this to your configuration file? (on both ends)

Yes, I built the file on one system and copied it to the remote.

> > 003 "mytunnel" #2: ignoring informational payload AUTHENTICATION_FAILED, msgid=00000000, length=12
>
> The other end failed.
>
> > Here is the process I followed on orion:
> > [root at orion ~]# ipsec initnss --nssdir /etc/ipsec.d
> > Initializing NSS database
> >
> > [root at orion ~]# ipsec newhostkey --output /etc/ipsec.secrets
> > /usr/libexec/ipsec/newhostkey: WARNING: file "/etc/ipsec.secrets"
> > exists, appending to it
> > Generated RSA key pair with CKAID
> > 192fbeeba1b10bf1e427d7447e87e6270a0f8d64 was stored in the NSS
> > database
> > [root at orion ~]# ipsec showhostkey --left --ckaid
> > 192fbeeba1b10bf1e427d7447e87e6270a0f8d64
> >        # rsakey AwEAAcM3S
> >        leftrsasigkey=<key elided>
>
> did you add this to the configuration file (on both ends)

Yes, the config file I pasted here was copied to both systems.

> > [root at orion etc]# ipsec auto --up mytunnel
> > 002 "mytunnel" #1: initiating Main Mode
>
> It looks like you did not restart libreswan, this is needed to re-open
> the NSS database after adding the new keypair.
> > 003 "mytunnel" #1: Can't find the certificate or private key from the NSS CKA_ID
> This looks like what happens when you don't restart after adding a
> keypair.

The systems were even rebooted. I've also just tried it again after
restarting the service and it fails with the same message.

I thought it might be helpful to include the certutil output. You'll
notice the keys it complains are missing are the ones listed by
showhostkey and certutil -K.

arcade:
# certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa      78ade3745b30ac9c857147cc4de0dc1ca140e6f4   (orphan)
# ipsec showhostkey --list
< 1> RSA keyid: AwEAAbEfZ ckaid: 78ade3745b30ac9c857147cc4de0dc1ca140e6f4

orion:
# certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User
Private Key and Certificate Services"
< 0> rsa      192fbeeba1b10bf1e427d7447e87e6270a0f8d64   (orphan)
# ipsec showhostkey --list
< 1> RSA keyid: AwEAAcM3S ckaid: 192fbeeba1b10bf1e427d7447e87e6270a0f8d64

Any other ideas of a cause? :-(
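The three pieces of evidence pasted above (certutil -K, showhostkey --list and the rsasigkey lines in ipsec.conf) have to agree with each other before the "Can't find the certificate or private key from the NSS CKA_ID" message can be blamed on anything else. The script below is an added example for cross-checking them, not libreswan's own tooling; the function names are my own, and the sample outputs and the ipsec.conf fragment are constructed from the shapes shown in this thread (addresses and the elided public keys are placeholders).

```shell
#!/bin/sh
# Added diagnostic (not part of libreswan): cross-check a raw-RSA host-to-host
# setup. Sample data below is constructed to match the thread's output shapes.

# Constructed copy of `certutil -K -d sql:/etc/ipsec.d` on the local host.
CERTUTIL_K_OUT='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      78ade3745b30ac9c857147cc4de0dc1ca140e6f4   (orphan)'

# Constructed copy of `ipsec showhostkey --list` on the same host.
SHOWHOSTKEY_OUT='< 1> RSA keyid: AwEAAbEfZ ckaid: 78ade3745b30ac9c857147cc4de0dc1ca140e6f4'

# Constructed ipsec.conf fragment; public keys are elided placeholders.
IPSEC_CONF='conn mytunnel
        left=192.0.2.1
        # rsakey AwEAAcM3S
        leftrsasigkey=0sAwEAAcM3S...
        right=192.0.2.2
        # rsakey AwEAAbEfZ
        rightrsasigkey=0sAwEAAbEfZ...
        authby=rsasig
        auto=add'

LOCAL_CKAID=78ade3745b30ac9c857147cc4de0dc1ca140e6f4

# ckaid_in_nss CKAID CERTUTIL_OUTPUT
# Exit 0 when an "rsa" entry with that CKAID appears in the certutil -K listing.
ckaid_in_nss() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { for (i = 1; i < NF; i++) if ($i == "rsa" && $(i + 1) == want) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# keyid_for_ckaid CKAID SHOWHOSTKEY_OUTPUT
# Print the keyid that showhostkey --list pairs with the CKAID (empty if none).
keyid_for_ckaid() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { for (i = 1; i < NF; i++) if ($i == "ckaid:" && $(i + 1) == want)
              for (j = 1; j < NF; j++) if ($j == "keyid:") print $(j + 1) }'
}

# config_has_keyid KEYID CONF
# Exit 0 when the "# rsakey KEYID" marker emitted by showhostkey is in the config.
config_has_keyid() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "#" && $2 == "rsakey" && $3 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# check_host CKAID CERTUTIL_OUTPUT SHOWHOSTKEY_OUTPUT CONF
# Prints one line per check; exit 0 only when every check passes.
check_host() {
    ok=0
    if ckaid_in_nss "$1" "$2"; then
        echo "ok: private key $1 present in NSS database"
    else
        echo "FAIL: no RSA private key with CKAID $1 in NSS database"; ok=1
    fi
    keyid=$(keyid_for_ckaid "$1" "$3")
    if [ -n "$keyid" ]; then
        echo "ok: showhostkey maps CKAID to keyid $keyid"
    else
        echo "FAIL: showhostkey --list does not know CKAID $1"; ok=1
    fi
    if [ -n "$keyid" ] && config_has_keyid "$keyid" "$4"; then
        echo "ok: keyid $keyid is one of the rsasigkey entries in the config"
    else
        echo "FAIL: local keyid not referenced by any *rsasigkey= line"; ok=1
    fi
    return $ok
}

# Run the cross-check on the constructed sample for the local host.
check_host "$LOCAL_CKAID" "$CERTUTIL_K_OUT" "$SHOWHOSTKEY_OUT" "$IPSEC_CONF"
```

On a real host, feed it the live outputs (`certutil -K -d sql:/etc/ipsec.d`, `ipsec showhostkey --list`, the conn stanza) instead of the constructed strings. The "(orphan)" flag in certutil -K only means no certificate is paired with the key, which is normal for raw RSA host keys, so it is not itself a failure; a key listed here but still unknown to pluto points back at the running daemon, not at the database contents.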
