Sean McLennan via FreeIPA-users wrote:
>>>> pk12util: PKCS12 decode not verified: SEC_ERROR_PKCS12_INVALID_MAC:
>>>> Unable to import. Invalid MAC. Incorrect password or corrupt file.
>>>> Friendly Name: caSigningCert cert-pki-ca
>>>> Friendly Name: ocspSigningCert cert-pki-ca
>>>> Friendly Name: subsystemCert cert-pki-ca
>>>> Friendly Name: auditSigningCert cert-pki-ca
>>>> Friendly Name: caSigningCert cert-pki-ca
>>>> Friendly Name: ocspSigningCert cert-pki-ca
>>>> Friendly Name: subsystemCert cert-pki-ca
>>>> Friendly Name: auditSigningCert cert-pki-ca
>>>> Friendly Name: Server-Cert cert-pki-ca
>>> Ok you probably have all you need but the error message means the
>>> password is wrong. Without the password you're still stuck.
>> So if it's supposed to be the Directory Manager password, I'm sure I
>> have that one right because I can use it for basic 'ldapsearch'es.
OK, so after some serious forensic work, I think I know what
happened. Unfortunately, all of this was going on at a profoundly
stressful time and I have no recollection of any of this. I had a
snapshot of the server just after setup; in that I confirmed that the
password was not what I thought it was immediately after it was set up.
I also confirmed through a backup of my password manager that it was the
password that I intended to use. So, very likely I managed to repeat a
typo twice during set up.
In December I was setting up a trust with a previous Active Directory
instance and discovered then that the DM password did not work. I
changed it in LDAP by directly editing 'dse.ldif'. I made an attempt to
fix cacert.p12, but it failed and I just replaced the file with the
original (hence the dm_password, the key_pin and cacert.p12.bkp in
root). Setting up the trust worked once the password was changed, and so
I moved on... haven't had any problems in between so obviously just
forgot about the whole thing (like I said, stressful time;
cognition-impacting drugs...). I determined all this because I have the
full command history for the server.
This, I'm sure, is also why I was never able to get a replica running. Sigh.
So—thanks for listening to my sob-story.... Given it's most likely a
typo of what I think it is, I may try and brute-force it, but assuming
that's not going to work, am I rebuilding from scratch?
Sadly yes.
rob