pk12util: PKCS12 decode not verified: SEC_ERROR_PKCS12_INVALID_MAC: Unable to import. Invalid MAC. Incorrect password or corrupt file.
Friendly Name: caSigningCert cert-pki-ca
Friendly Name: ocspSigningCert cert-pki-ca
Friendly Name: subsystemCert cert-pki-ca
Friendly Name: auditSigningCert cert-pki-ca
Friendly Name: caSigningCert cert-pki-ca
Friendly Name: ocspSigningCert cert-pki-ca
Friendly Name: subsystemCert cert-pki-ca
Friendly Name: auditSigningCert cert-pki-ca
Friendly Name: Server-Cert cert-pki-ca
OK, you probably have all you need, but the error message means the password is wrong. Without the password you're still stuck.
So if it's supposed to be the Directory Manager password, I'm sure I have that one right because I can use it for basic 'ldapsearch'es.
OK, so after some serious forensic work, I think I know what happened. Unfortunately, all of this was going on at a profoundly stressful time and I have no recollection of any of this. I had a snapshot of the server from just after setup; in that I confirmed that the password was not what I thought it was immediately after it was set up. I also confirmed through a backup of my password manager that it was the password that I intended to use. So, very likely I managed to repeat a typo twice during setup.
In December I was setting up a trust with a previous Active Directory instance and discovered then that the DM password did not work. I changed it in LDAP by directly editing 'dse.ldif'. I made an attempt to fix cacert.p12, but it failed and I just replaced the file with the original (hence the dm_password, the key_pin and cacert.p12.bkp in root). Setting up the trust worked once the password was changed, and so I moved on... haven't had any problems in between, so obviously I just forgot about the whole thing (like I said, stressful time; cognition-impacting drugs...). I determined all this because I have the full command history for the server.
This, I'm sure, is also why I was never able to get a replica running. Sigh.
So, thanks for listening to my sob story.... Given it's most likely a typo of what I think it is, I may try to brute-force it, but assuming that's not going to work, am I rebuilding from scratch?
Thanks,
Sean
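The "brute-force a typo" idea from the post above, worked through as an added example (this is not code from the thread or from FreeIPA): a POSIX shell script that takes the password the operator believes was used, generates every single-keystroke variant of it (one character dropped, two adjacent characters swapped, one character doubled, first character with its case flipped), and tries each against the PKCS#12 file until the MAC verifies. It assumes the openssl CLI is on PATH; "openssl pkcs12 -noout" exits nonzero on a MAC failure, which is the same condition pk12util reports as SEC_ERROR_PKCS12_INVALID_MAC. The .p12 it searches is a throwaway file the script constructs itself with a known password, so the whole thing runs offline; point find_p12_password at a real cacert.p12 to use it for real. The function names, the test password "Secret123" and the mistyped "Secert123" are all invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: try single-keystroke typo variants of a
# remembered password against a PKCS#12 file until the MAC verifies.
# Assumes the openssl CLI is available. Passwords containing backslashes would
# be escape-processed by "awk -v", which is a known limitation of this sketch.

# Print the password as typed plus every one-keystroke variant of it.
gen_candidates() {
    pw=$1
    {
        printf '%s\n' "$pw"
        awk -v pw="$pw" 'BEGIN {
            n = length(pw)
            for (i = 1; i <= n; i++)            # one character dropped
                print substr(pw, 1, i - 1) substr(pw, i + 1)
            for (i = 1; i < n; i++)             # adjacent pair swapped
                print substr(pw, 1, i - 1) substr(pw, i + 1, 1) substr(pw, i, 1) substr(pw, i + 2)
            for (i = 1; i <= n; i++)            # one character doubled
                print substr(pw, 1, i) substr(pw, i, 1) substr(pw, i + 1)
        }'
        # first character with its case flipped (a slipped Shift key)
        first=$(printf '%s' "$pw" | cut -c1)
        rest=$(printf '%s' "$pw" | cut -c2-)
        printf '%s%s\n' "$(printf '%s' "$first" | tr 'a-zA-Z' 'A-Za-z')" "$rest"
    } | sort -u
}

# Print the candidate whose MAC verifies and return 0; return 1 if none does.
# "openssl pkcs12 -noout" exits nonzero when the PKCS#12 MAC check fails,
# which is what pk12util reports as SEC_ERROR_PKCS12_INVALID_MAC.
find_p12_password() {
    file=$1
    remembered=$2
    gen_candidates "$remembered" | (
        while IFS= read -r cand; do
            if openssl pkcs12 -in "$file" -noout -passin "pass:$cand" 2>/dev/null; then
                printf '%s\n' "$cand"
                exit 0
            fi
        done
        exit 1
    )
}

# Build a throwaway PKCS#12 file protected with a known password so the search
# can be exercised offline. Constructed test data, not a real CA export.
make_test_p12() {
    dir=$1
    pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed-test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name 'constructed-test' -out "$dir/test.p12" -passout "pass:$pass"
    printf '%s\n' "$dir/test.p12"
}

# Demo: the file was exported with "Secret123", but the operator remembers
# typing "Secert123" (two adjacent keys transposed).
tmp=$(mktemp -d)
p12=$(make_test_p12 "$tmp" 'Secret123')
if found=$(find_p12_password "$p12" 'Secert123'); then
    echo "MAC verifies with: $found"
else
    echo "no single-keystroke variant matched"
fi
rm -rf "$tmp"
```

Only the MAC is checked here, which is enough to tell "wrong password" from "corrupt file": if no variant verifies, extend gen_candidates (two-edit variants, neighbouring keys) before concluding the file itself is damaged. Keep the candidate list out of shell history and logs, since it contains the real password once found.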