[Swan] private key matching CKAID not found: can't find the private key matching the NSS CKAID

Sony Arpita Das sonyarpita at gmail.com
Thu Sep 1 09:54:34 EEST 2022


Hi Paul,

Thank you for responding; here are the command outputs:

[root at aqua6 ~]# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      56b52184dbbf33748cd5e6e45c8496b286ba8506   (orphan)
[root at aqua6 ~]# certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
[root at aqua6 ~]# ipsec auto --listall
000
000 List of Public Keys:
000
000 Sep 01 02:49:52 2022, 3104 RSA Key AwEAAb5ft (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@aqua4.blr.asicdesigners.com'
000 Sep 01 02:49:52 2022, 4080 RSA Key AwEAAeTF3 (has private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@aqua6.blr.asicdesigners.com'
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
000     0: RSA (none) (none)
000        ckaid: 56b52184dbbf33748cd5e6e45c8496b286ba8506
000
000 List of X.509 End Certificates:
000
000 List of X.509 CA Certificates:
000
000 List of CRLs:
000

Please note that I re-did the key generation, so the CKAID has changed on
both aqua4/aqua6

Thanks,
Sony

On Tue, Aug 30, 2022 at 9:44 PM Paul Wouters <paul.wouters at aiven.io> wrote:

> On Tue, 30 Aug 2022, Sony Arpita Das wrote:
>
> > I am trying to set up a host-to-host VPN and I get the following message:
> >  private key matching CKAID '67fc9d0686eeba870eb2c6a7608156b64e0316d0' not found: can't find the
> > private key matching the NSS CKAID
>
> Can you try:
>
> certutil -K -d sql:/etc/ipsec.d
> certutil -K -d sql:/var/lib/ipsec/nss/ipsec.d
>
> Just to confirm that you are using the nssdb you think you are using?
>
> >     rightrsasigkey=0sAwEAAbhUgd1lQvtXY2PK3j3TiqtxmB7dIZvICCx1JK6fPwPZ851HjH8Kgg/PNg1g6GVTEl83MDaWYYKtiVQUYnOx9tBH0GxEHdRCq1vkb/1O5X8EIgoEEarstzc3tlJFJq+x/Uy5e+kVkQRlK1UVMJgzwORcuUp/+cezqwZrArQJz2QJsIg4qP79T1LSQlQpg6oYP+vRMXwoS0MYuE5s+NU3L4jmJKh4lRX2InOxoUC1Oz1d3+wPXJGjf61jq2U9yal6bPhHPVF+RvRXGykjnzgCj9H0sR8RPk/tBAtM255EsG4fFIrbdpmH/iJRgdZixq8rmUvPAQ6kVw05vL/Hf05YecLjTD3Slvv/ZP9mh16veEfdcibMMndamPLcSL0KITljvAmR8+AVDLFNsknRJhvY/gNMI7ufbpi1+0jzIyyukUZEuWsgxmCt6gMcGG4MnISlaRhZUC7JNDN1XYA3/cG2gChpejYflZ+qfHtN0GIo6WAtqqSFiZM47sPP0z4t8Kp67ewKB7i71Zz00Cw94etbXF3ihMNohjx7y4p9NHJzQYAQDYBLxFdZu+E6sVvepFRNGEPh
> >     rightckaid=21075ce1a098cfcf82859e1b91e26f530c192bbe
>
> Note that ckaid is only a LOCAL identifier, so be sure to only use it as
> such. The rsasigkey= can be used as LOCAL and REMOTE identifier. Maybe
> instead of rightckaid=, use
>
> rightrsasigkey=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
>
> > [root at aqua6 42345]# /usr/sbin/ipsec auto --add mytunnel
> > 002 "mytunnel": terminating SAs using this connection
> > 002 "mytunnel": added IKEv2 connection
>
> After you do this, can you do: ipsec auto --listall which should show us
> the keys loaded.
>
> Paul
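The check Paul asks for above (run certutil -K against each candidate NSS directory and see which one actually holds the private key for the CKAID that ipsec.secrets refers to) can be scripted. The following is an added example written for this page; it is not code from the thread or from the Libreswan project. It parses the `certutil -K` output in the format quoted above, compares the CKAID column against the one you are looking for, and, when certutil is available, walks a list of candidate directories. The sample output embedded in it is constructed from the thread's first certutil run (the second key line is invented), and the candidate directory list is an assumption; the two directories Paul names are used because the Libreswan NSS directory differs between builds.

```shell
#!/bin/sh
# Added example, not from the thread or from the Libreswan project: locate the
# NSS database that holds the private key for a given CKAID, by parsing the
# output of `certutil -K -d sql:<dir>` (format as quoted in the thread).
# The candidate directory list and the sample output below are assumptions.

# Parse `certutil -K` output on stdin into "<ckaid> <nickname>" lines.
# Key lines look like:   < 0> rsa      56b5...8506   (orphan)
# "(orphan)" is certutil's marker for a key that has no matching certificate,
# which is what a raw RSA host key without a cert looks like in the database.
parse_certutil_keys() {
    awk '/^<[ 0-9]*>/ {
        sub(/^<[ 0-9]*>[ \t]*/, "")   # drop the "< N>" index, re-split fields
        ckaid = $2                     # $1 is the key type (rsa, ec, ...)
        nick = (NF >= 3) ? $3 : "-"
        for (i = 4; i <= NF; i++) nick = nick " " $i
        print ckaid, nick
    }'
}

# Exit 0 if the CKAID given as $1 (hex, any case) appears in the `certutil -K`
# output read from stdin, exit 1 otherwise.
has_ckaid() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    parse_certutil_keys | awk -v want="$want" \
        'tolower($1) == want { found = 1 } END { exit !found }'
}

# Ask the real certutil about each candidate directory and print the first one
# whose database contains the key. Needs certutil installed; not run offline.
find_nssdb_for_ckaid() {
    ckaid=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # SEC_ERROR_BAD_DATABASE (no database in that dir) just means "not here"
        if certutil -K -d "sql:$dir" 2>/dev/null | has_ckaid "$ckaid"; then
            echo "$dir"
            return 0
        fi
    done
    return 1
}

# Constructed sample in the format the thread shows; the second key is invented.
SAMPLE_CERTUTIL_OUTPUT='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      56b52184dbbf33748cd5e6e45c8496b286ba8506   (orphan)
< 1> rsa      0123456789abcdef0123456789abcdef01234567   aqua6-cert'

# Usage:
#   sh find_ckaid.sh --demo
#   sh find_ckaid.sh 56b52184dbbf33748cd5e6e45c8496b286ba8506 /etc/ipsec.d /var/lib/ipsec/nss
case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | parse_certutil_keys ;;
    "")
        ;;   # no arguments: only define the functions (e.g. when sourced)
    *)
        find_nssdb_for_ckaid "$@" || { echo "CKAID $1 not found in: $*" >&2; exit 1; } ;;
esac
```

Feed the CKAID that `ipsec auto --listall` prints under "List of Pre-shared secrets" (56b52184... in the output above) to the script; the directory it prints is the database Libreswan must be configured to use. In the thread's output that key is in /etc/ipsec.d and /var/lib/ipsec/nss/ipsec.d contains no database at all, which is consistent with the "(has private key)" line for aqua6 in the listall output. Note that this only verifies the local side: as Paul says, a ckaid is a local identifier, so the peer's key still has to be given as rightrsasigkey= (or a certificate), never as rightckaid=.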