Friday, May 8, 2026

[389-users] Re: version 3.1 : ERR - attrcrypt_ciphe

I haven't seen this particular error before.  Here is my error log at startup. Does your log look similar to this (besides the error)?


[05/May/2026:10:38:38.570345263 -0400] - INFO - slapd_extract_cert - CA CERT NAME: Self-Signed-CA
[05/May/2026:10:38:38.575013995 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password if pin.txt does not exist.
[05/May/2026:10:38:38.596977165 -0400] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[05/May/2026:10:38:38.628070445 -0400] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[05/May/2026:10:38:38.629070043 -0400] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[05/May/2026:10:38:38.629758473 -0400] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[05/May/2026:10:38:38.630223912 -0400] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[05/May/2026:10:38:38.630729097 -0400] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
...

...

[05/May/2026:10:38:38.646869597 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647319500 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647903706 -0400] - INFO - main - 389-Directory/3.2.0 DEVELOPER BUILD B0000.000.0000 starting up
...

...
[05/May/2026:10:38:38.758475494 -0400] - INFO - dbmdb_make_env - MDB environment created with maxsize=21474836480 (20.0 GB)
[05/May/2026:10:38:38.759509913 -0400] - INFO - dbmdb_make_env - MDB environment created with max readers=126
[05/May/2026:10:38:38.760668867 -0400] - INFO - dbmdb_make_env - MDB environment created with max database instances=512
[05/May/2026:10:38:38.763059652 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.765674326 -0400] - INFO - attrcrypt_cipher_init - Key for cipher AES successfully generated and stored
[05/May/2026:10:38:38.766149695 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.768561634 -0400] - INFO - attrcrypt_cipher_init - Key for cipher 3DES successfully generated and stored



Are you running the server with security enabled?  


Have you explicitly enabled/disable specific ciphers under cn=encryption,cn=config ?


dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
CACertExtractFile: /tmp/slapd-localhost/Self-Signed-CA.pem
nsSSL3Ciphers:  +all,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384



Also what platform are you running this on?  What rpm version of "nss" is installed?  This could also be related to your system's crypto policy.


Thanks,

Mark



On 5/8/26 4:11 PM, Ghiurea, Isabella via 389-users wrote:



After installing new Certs on version 389-ds-base-libs-3.1.3-7.el10_1.x86_64 ,

I am seeing the following  ERR in errolog when restarting the ldap.


[08/May/2026:12:47:19.286692556 -0700] - INFO - dbmdb_make_env - MDB environment created with max database instances=512.
[08/May/2026:12:47:19.287568735 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[08/May/2026:12:47:19.287866902 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[08/May/2026:12:47:19.288083818 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.

And here are my entries for encryption in dse.ldif :
dn: cn=encrypted attribute keys,cn=userroot,cn=ldbm database,cn=plugins,cn=con
 fig
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys
creatorsName: cn=ldbm database,cn=plugins,cn=config
modifiersName: cn=ldbm database,cn=plugins,cn=config
createTimestamp: 20260128,........
modifyTimestamp: 20260128........
numSubordinates: 2

dn: cn=encrypted attributes,cn=userroot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes
creatorsName: cn=ldbm database,cn=plugins,cn=config
modifiersName: cn=ldbm database,cn=plugins,cn=config
createTimestamp: 202601282....
modifyTimestamp: 20260128....

What else must be change to eliminate the errors.
thank you !


-- 
Identity Management Development Team

-- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)