- Bug
- Resolution: Unresolved
- Normal
- None
- 4.14.0, 4.14.z
- Moderate
- No
- SDN Sprint 245, SDN Sprint 246
- 2
- False
- Release Note Not Required
- In Progress
Description of problem:
Following the IPsec N/S feature, we could see that the pk12util script fails due to an incorrect password, but there is no mention of where to provide the password, resulting in service failure.

~~~
sh-5.1# journalctl -xu ipsec-import
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg systemd[1]: Starting Import external certs into ipsec NSS...
░░ Subject: A start job for unit ipsec-import.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit ipsec-import.service has begun execution.
░░
░░ The job identifier is 344.
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg ipsec-addcert.sh[943]: importing cert to NSS
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg ipsec-addcert.sh[970]: pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg ipsec-addcert.sh[970]: pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg systemd[1]: ipsec-import.service: Main process exited, code=exited, status=18/n/a
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ An ExecStart= process belonging to unit ipsec-import.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 18.
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg systemd[1]: ipsec-import.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit ipsec-import.service has entered the 'failed' state with result 'exit-code'.
Nov 02 10:19:02 degcpe1-tsgjp-worker-c-kbxdg systemd[1]: Failed to start Import external certs into ipsec NSS.
░░ Subject: A start job for unit ipsec-import.service has failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit ipsec-import.service has finished with a failure.
░░
░░ The job identifier is 344 and the job result is failed.
sh-5.1#
~~~

Re-creating the butane file using the certificate as mentioned below fixed the issue, and this should be done in the script as well.

~~~
Fixed using this
sh-5.1# pk12util -W "<Password_goes_here>" -i /etc/pki/certs/left_server.p12 -d /var/lib/ipsec/nss/
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: usercert1.xx.xx:ipsec_fabric_2.0 - Deutsche Bank AG
pk12util: PKCS12 IMPORT SUCCESSFUL
sh-5.1#
~~~
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. 2. 3.
Actual results:
Expected results:
Additional info:
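The following is an added example, not part of the report and not the `ipsec-addcert.sh` script it mentions: a sketch of an import step that takes the PKCS#12 password from a file via `pk12util -w` (so it does not appear in the process list as it does with `-W`) and checks the password before importing. The function name `import_p12`, its return codes and the password-file argument are hypothetical, and it assumes the NSS database has no password of its own, as in the command shown in the report.

```shell
#!/bin/sh
# Hypothetical wrapper (added example; not the ipsec-addcert.sh from the report).
# Usage: import_p12 P12_FILE NSS_DIR PASSWORD_FILE
# Returns: 0 imported, 2 missing input, 3 password file too permissive,
#          4 PKCS#12 password rejected, 5 import into NSS failed.
import_p12() {
    p12=$1
    nssdir=$2
    pwfile=$3

    for f in "$p12" "$pwfile"; do
        [ -r "$f" ] || { echo "import_p12: cannot read $f" >&2; return 2; }
    done
    [ -d "$nssdir" ] || { echo "import_p12: no NSS dir $nssdir" >&2; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits;
    # the password file must grant nothing to either.
    perms=$(ls -ldL "$pwfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "import_p12: $pwfile is accessible to group/other" >&2
        return 3
    fi

    # List the bundle first: this fails on a wrong password without
    # importing anything, so the cause is reported explicitly instead of
    # surfacing only as SEC_ERROR_BAD_PASSWORD in the unit's journal.
    if ! pk12util -l "$p12" -w "$pwfile" >/dev/null 2>&1; then
        echo "import_p12: password in $pwfile does not open $p12" >&2
        return 4
    fi

    # Same import as in the report, with -w (password file) instead of -W.
    pk12util -i "$p12" -d "$nssdir" -w "$pwfile" || return 5
}

# Run directly only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    import_p12 "$@"
fi
```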