This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: First-time usage problem: "Enter new password for systemtap server certificate/key database"


Hi Elijah,

Thanks for trying systemtap! Let me try to address the problems you are having with certificates.

Elijah Newren wrote:
> # stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
> Pass 1: parsed user script and 59 library script(s) in 170usr/20sys/210real ms.
> Pass 2: analyzed script: 1 probe(s), 11 function(s), 2 embed(s), 1
> global(s) in 360usr/160sys/551real ms.
> Pass 3: translated to C into
> "/tmp/stap3MwYIW/stap_a361f9cac28b917909da3d13c68e9b8c_4882.c" in
> 360usr/120sys/513real ms.
> Enter new password for systemtap server certificate/key database:

This prompt error occurs when systemtap tries to sign the generated kernel module for the first time but is unable to generate a password to protect the private key for its signing certificate. This should not be happening with the latest release (or the latest git) unless you have used the --unprivileged option. However, some previous systemtap releases did attempt to sign all modules. What version of systemtap are you using?

In order to sign the module, systemtap generates its own signing certificate with a private key that is password protected. Normally the password is self-generated and random, since only systemtap ever needs it. The following two methods are tried:

mkpasswd -l 20

and

apg -a 1 -n 1 -m 20 -x 20

If these fail, then systemtap prompts for a password. I'm interested in the response to the above two commands on your system. Can you please try them and post the responses?

If systemtap does prompt for a password, then any old pseudo-random string will do. You will never need to remember it (in fact, it's probably best if you don't!).


> I eventually hit Ctrl-C, and things seemed to
> continue on fine (though I get occasional errors such as "Could not
> obtain information on certificate database file
> /etc/systemtap/ssl/server/cert8.db.").

In order to clear the ongoing errors you can remove the /etc/systemtap/ssl/server directory. If systemtap prompts you for a password again, just enter some random string and you should not be prompted again (although as I said above I'm interested in why you were prompted in the first place, i.e. why the two automated attempts at password generation failed).


Let me know if you have any additional questions or concerns.


Thanks,
Dave
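
Added example, not part of the original message or of systemtap's code: a small diagnostic that runs the two password generators named above in the same order and reports why each one would or would not yield a password. The function names try_generator and report_generators are hypothetical; only the length of any generated string is printed, never the string itself.

```shell
#!/bin/sh
# Added example (not systemtap code): replay the password-generation
# fallback described in the message and report the outcome of each step.

# try_generator CMD [ARGS...]
# Prints one of: missing | failed | empty | ok:<length>
# Returns 0 only when the command exits 0 and prints a non-empty first line.
try_generator() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing"; return 1; }
    # stdin is /dev/null so a tool that wants interactive input fails
    # instead of hanging; stderr is dropped because only status matters.
    out=$("$@" 2>/dev/null </dev/null) || { echo "failed"; return 1; }
    out=$(printf '%s\n' "$out" | head -n 1)
    [ -n "$out" ] || { echo "empty"; return 1; }
    # Report the length only; the generated secret is never echoed.
    echo "ok:${#out}"
}

# report_generators
# Tries the two commands from the message in order.
# Returns 0 if at least one of them produced a password.
report_generators() {
    found=1
    r=$(try_generator mkpasswd -l 20) && found=0
    echo "mkpasswd -l 20: $r"
    r=$(try_generator apg -a 1 -n 1 -m 20 -x 20) && found=0
    echo "apg -a 1 -n 1 -m 20 -x 20: $r"
    return $found
}

if report_generators; then
    echo "At least one generator works on this system."
else
    echo "Neither generator works; per the message, a password prompt is the fallback."
fi
```

A result of "missing" means the tool is not installed, while "failed" means a program by that name exists but rejected the arguments or exited with an error.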

