xelerance / Openswan


Config error #77

Open anlean2002 opened 10 years ago

anlean2002 commented 10 years ago

This is my HOWTO: http://ms12.voip.edu.tw/~s100321030/HOWTO/How%20to%20Install%20and%20Run%20IPsec%20on%20CentOS.html

This is my error message:

104 "office_b_tun" #3: STATE_MAIN_I1: initiate
003 "office_b_tun" #3: received Vendor ID payload [Openswan (this version) 2.6.32 ]
003 "office_b_tun" #3: received Vendor ID payload [Dead Peer Detection]
003 "office_b_tun" #3: received Vendor ID payload [RFC 3947] method set to=109
106 "office_b_tun" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "office_b_tun" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
003 "office_b_tun" #3: Can't find the private key from the NSS CERT (err -12285)
108 "office_b_tun" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "office_b_tun" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "office_b_tun" #3: received and ignored informational message
010 "office_b_tun" #3: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "office_b_tun" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "office_b_tun" #3: received and ignored informational message
003 "office_b_tun" #3: discarding duplicate packet; already STATE_MAIN_I3
010 "office_b_tun" #3: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "office_b_tun" #3: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "office_b_tun" #3: received and ignored informational message
003 "office_b_tun" #3: discarding duplicate packet; already STATE_MAIN_I3
031 "office_b_tun" #3: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "office_b_tun" #3: starting keying attempt 2 of an unlimited number, but releasing whack

I created the key with nss. Why does it say "Can't find the private key from the NSS CERT"? Thanks in advance.

letoams commented 10 years ago

On Mon, 28 Apr 2014, anlean2002 wrote:

003 "office_b_tun" #3: Can't find the private key from the NSS CERT (err -12285)

I created the key with nss. Why does it say "Can't find the private key from the NSS CERT"? Thanks in advance.

You need to use leftcert=YourFriendlyName where YourFriendlyName is the "friendly_name" you specified in the PKCS#12 yourcert.p12 export that you imported into nss.

Paul

anlean2002 commented 10 years ago

Hi Paul, thanks for your answer. I don't have a PKCS#12 file, so I created one myself, but it was not successful. It shows "pk12util: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format." How should I fix it?

Angela

letoams commented 10 years ago

On Mon, 28 Apr 2014, anlean2002 wrote:

I don't have a PKCS#12 file, so I created one myself, but it was not successful. It shows "pk12util: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format." How should I fix it?

That is the "generic" NSS error. Did you specify -d /etc/ipsec.d? If you did, did you initialise the NSS db (on libreswan: ipsec initnss; on openswan: certutil -N -d /etc/ipsec.d)?

Then import the p12 file. On libreswan: ipsec import filename, on openswan use pk12util.

Paul

anlean2002 commented 10 years ago

HI Paul,

Sorry, I forgot to post my command. I used "pk12util -i -d /etc/ipsec.d/". It still has this problem.

Angela

anlean2002 commented 10 years ago

Hi Paul,

Thank you! I fixed the database problem, but now I have a new error: "unable to locate my private key for RSA Signature"

I used:

certutil -N -d .
certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d .
pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d

Angela

letoams commented 10 years ago

On Tue, 29 Apr 2014, anlean2002 wrote:

Thank you! I fixed the database problem, but now I have a new error: "unable to locate my private key for RSA Signature"

You need in ipsec.secrets:

: RSA "friendlyname"

where "friendlyname" is the name that was specified in creating the PKCS#12 export file.

I used:

certutil -N -d .
certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d .
pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d

I'm a little confused that you call this cacert. A PKCS#12 (.p12) file usually contains 1) the private key, 2) the end certificate, 3) the CA certificate.

Your CA key should never get imported into openswan/libreswan. It should be offline somewhere.

Paul
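The workflow Paul describes in these replies (an offline CA database, a PKCS#12 carrying key, end certificate and CA certificate, and a nickname that matches both leftcert= and the ": RSA" line in ipsec.secrets), as an added shell example that is not from the thread or the Openswan project. Nicknames, passwords and paths are constructed, and the ipsec directory argument stands in for /etc/ipsec.d.

```shell
#!/bin/sh
# Added example, not Openswan project code: issue the end-entity cert from an
# offline CA database and move only the end-entity PKCS#12 (key + cert + CA
# cert) into the ipsec database, so the nickname named by leftcert= and by the
# ": RSA" line in ipsec.secrets really has a private key behind it.
# Nicknames and paths are constructed; the ipsec dir stands in for /etc/ipsec.d.
set -eu

CA_NICK="offline-ca"    # its key stays in the CA db and is never imported
USER_NICK="usercert1"   # must match leftcert= and ': RSA "usercert1"'

init_db() {             # $1 = db dir; -f with an empty file gives an empty password
    mkdir -p "$1"; : > "$1/pw"
    certutil -N -d "$1" -f "$1/pw"
}

# build_chain CA_DB IPSEC_DB
build_chain() {
    ca="$1"; ipsec="$2"
    init_db "$ca"; init_db "$ipsec"
    head -c 1024 /dev/urandom > "$ca/noise"        # -z: seed for key generation
    # Self-signed CA, then an end-entity cert issued (-c) by it, both in the CA db
    certutil -S -d "$ca" -f "$ca/pw" -z "$ca/noise" -k rsa -g 2048 -v 120 \
        -n "$CA_NICK" -s "CN=$CA_NICK" -x -t "CT,,"
    certutil -S -d "$ca" -f "$ca/pw" -z "$ca/noise" -k rsa -g 2048 -v 12 \
        -n "$USER_NICK" -s "CN=$USER_NICK" -c "$CA_NICK" -t "u,u,u"
    echo "export-pass" > "$ca/p12pw"                # constructed PKCS#12 password
    pk12util -o "$ca/$USER_NICK.p12" -n "$USER_NICK" -d "$ca" -k "$ca/pw" -w "$ca/p12pw"
    # Into the ipsec db: the CA as a trusted public cert only, then the user bundle
    certutil -L -d "$ca" -n "$CA_NICK" -a > "$ca/ca.pem"
    certutil -A -d "$ipsec" -n "$CA_NICK" -t "CT,," -a -i "$ca/ca.pem"
    pk12util -i "$ca/$USER_NICK.p12" -d "$ipsec" -k "$ipsec/pw" -w "$ca/p12pw"
    # Config fragments that must agree with the imported nickname
    printf 'leftcert=%s\n' "$USER_NICK" > "$ipsec/ipsec.conf.frag"
    printf ': RSA "%s"\n' "$USER_NICK" > "$ipsec/ipsec.secrets.frag"
}

# has_private_key DB NICK: succeeds only if DB holds a private key under NICK,
# the condition behind "unable to locate my private key for RSA Signature"
has_private_key() {
    certutil -K -d "$1" -f "$1/pw" 2>/dev/null | grep -q "$2"
}
```

Run `build_chain /path/to/ca-offline /path/to/ipsec.d` and then `has_private_key /path/to/ipsec.d usercert1` to confirm the key is present before pointing leftcert= at the nickname.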

anlean2002 commented 10 years ago

Dear Paul

I have added ": RSA usercert1" to my /etc/ipsec.secrets. It still has this error. I am not sure what this means. I read this file https://github.com/xelerance/Openswan/blob/master/docs/nss-howto.txt, so I used those commands.

Angela

letoams commented 10 years ago

Do you also have leftcert=usercert1 in your connection? Does the certificate show after adding the connection using ipsec auto --listall?

The nss information in openswan is likely dated.

anlean2002 commented 10 years ago

Hi Paul, yes, I added leftcert=usercert1 in my .conf.

Output of ipsec auto --listall:

000
000 List of Public Keys:
000
000 Apr 30 00:54:26 2014, 2048 RSA Key AQPyPlE1T (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '10.21.11.108'
000 Apr 30 00:54:26 2014, 2048 RSA Key AQOow8RQP (has private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_IPV4_ADDR '10.21.10.25'
000 Apr 30 00:54:26 2014, 1024 RSA Key AwEAAfMz/ (no private key), until Apr 29 22:48:38 2015 ok
000        ID_DER_ASN1_DN 'CN=usercert1'
000        Issuer 'CN=cacert1'
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000     1: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
000 Apr 30 00:54:26 2014, count: 1
000        subject: 'CN=usercert1'
000        issuer: 'CN=cacert1'
000        serial: 00:9f:05:f0:c5
000        pubkey: 1024 RSA Key AwEAAfMz/
000        validity: not before Apr 29 22:48:38 2014 ok
000                  not after Apr 29 22:48:38 2015 ok
000
000 List of X.509 CA Certificates:
000
000 Apr 29 22:51:18 2014, count: 1
000        subject: 'CN=CAcert.yourdomain.com'
000        issuer: 'CN=CAcert.yourdomain.com'
000        serial: 03:e8
000        pubkey: 1024 RSA Key AwEAAbKVa
000        validity: not before Apr 29 15:53:08 2014 ok
000                  not after Apr 29 15:53:08 2024 ok
000 Apr 29 22:51:18 2014, count: 1
000        subject: 'CN=cacert1'
000        issuer: 'CN=cacert1'
000        serial: 00:9f:05:ef:eb
000        pubkey: 1024 RSA Key AwEAAeKsm
000        validity: not before Apr 29 22:46:44 2014 ok
000                  not after Apr 29 22:46:44 2015 ok
000 Apr 29 22:51:18 2014, count: 1
000        subject: 'CN=ca-cert-common-name'
000        issuer: 'CN=ca-cert-common-name'
000        serial: 00:9f:05:ec:cb
000        pubkey: 1024 RSA Key AwEAAbEK1
000        validity: not before Apr 29 22:40:10 2015 fatal (not valid yet)
000                  not after Jul 29 22:40:10 2015 ok

Angela

letoams commented 10 years ago

On Tue, 29 Apr 2014, anlean2002 wrote:

Yes, I added leftcert=usercert1 in my .conf.

Then I don't know how to help you anymore. I stopped using openswan over two years ago for libreswan. The only openswan I use is the one still in RHEL6 (e.g. based on 2.6.32).

Maybe an openswan developer can help you further.

Paul

anlean2002 commented 10 years ago

Hi Paul,

You helped me a lot. Thanks for your help! :)