[389-users] Re: Attribute encryption issue

Hi, , Yesterday, I ran up against an attribute encryption issue, and I'm looking for advice on how to debug and resolve the issue. For background, I have a pair of RHEL 7 servers in an MMR configuration. Let's call them host_A and host_B. Both are running the RedHat-provided 1.3.9 RPMs of 389-ds. There is also an RHEL 6 system, host_Z, that was set up in an MMR configuration with host_B. This setup was used to test the transition from one generation of servers to the next one. All had dbeen working fine, and I next tried severing the connection between host_Z and host_B. The replication agreements were removed and a cleanAllRUV task was initiated on host_B. All seemed to go well -- until I restarted host_A. After restarting host_A, I got the following in the errors log: [09/Jan/2020:17:00:36.191870707 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES [09/Jan/2020:17:00:36.192310924 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. [09/Jan/2020:17:00:36.206041190 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES [09/Jan/2020:17:00:36.206478885 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. [09/Jan/2020:17:00:36.206905949 -0800] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption. No change was made to the TLS certificate, and I would not have expected the tear-down of the replication agreements between host_Z and host_b to be relevant here. host_B is still able to replicate to host_A, but host_A is unable to go in the other direction. I haven't identified anything that would account for this problem. The system had been up from early December and had not exhibited any issues. So, any suggestions as to how I can troubleshoot and fix this issue? The log messages don't seem to be very helpful.

thanks,