Hi all,
we have the following situation: An 389ds with tls/ssl configured whith an certificate from letsencrypt.
Since letsencrypt is short-dated we have an automated update routine for regenerating the cert8.db.
Now we have this sort of errors in changelog.
[01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES [01/Jun/2018:11:46:40 +0200] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. [01/Jun/2018:11:46:40 +0200] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
I never used attribute encryption and we don't need it at the moment. But as far as I understand, it's based on the server private key. This is the one we change every 60 days.
The best idea seems to disable attribute encryption (which doesn't make much sense if the private key isn't password protected anyway).
Or is there any other way to deal with key changes?
Thanks and regards Jan