May 16

Lotus Domino 7 has an unfortunate bug which means that you can’t cross-certify with another organization via phone or e-mail, by using the Domino Administrator, choosing Cross Certify Key… and entering their key ID. The bug is documented in the readme.pdf, and is still unfixed as of 7.0.2. It results in server errors saying “The subject’s public key found in the cross certificate does not match the one found in the certificate table.”

[Update 2006-05-17: I'm pleased to say that I heard today they've managed to squeeze a fix for the problem into 7.0.2. This is not an official statement of support from IBM, etc etc.]

This is a problem in situations where you want to cross-certify your server with someone else’s, but for whatever reasons they can’t or won’t give you access to CERT.ID, and can’t engage the cooperation of the owners of their CERT.ID.


Oct 24

If you run Debian testing, you might be getting an error like this:

W: GPG error: http://debian.teleglobe.net stable/non-US Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY B629A24C38C6029A
W: GPG error: http://debian.teleglobe.net testing/non-US Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY B629A24C38C6029A

The solution is:

# apt-key add /usr/share/keyrings/debian-role-keys.gpg

[Update: If you don't have that gpg file, you need to apt-get install debian-keyring first.]

The cause is apparently that APT 0.6 has made its way into testing. Either there’s now a new key or the new version of APT somehow borks the old keyring or something. I just wanted the solution.

Also, don’t upgrade PAM in Debian testing if you have it configured to count login attempts via pam_tally.so, as a bug in PAM 0.79-3 I hit yesterday causes every authentication to segfault if you use pam_tally.so deny=N, locking you out of your system. The maintainer is working on a fix; the workaround is to comment out your account line for pam_tally.so in /etc/pam.d/*.
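A pre-upgrade check for the pam_tally.so condition described above, added here as an example and not part of the original post: it lists uncommented pam_tally.so lines that set deny=N, so you can see which files the workaround applies to. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# List active (uncommented) pam_tally.so lines that set deny=N.
# Output format: file:line-number:module-type:deny=N
# Function names are hypothetical, chosen for this example.

find_pam_tally_deny() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }              # skip commented-out lines
            /pam_tally\.so/ {
                deny = ""
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^deny=[0-9]+$/) deny = substr($i, 6)
                if (deny != "")
                    printf "%s:%d:%s:deny=%s\n", file, NR, $1, deny
            }
        ' "$f"
    done
}

# Constructed sample configs (not from the post) for trying the check offline.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth required pam_unix.so' \
        'account required pam_tally.so deny=5 no_magic_root' > "$d/login"
    printf '%s\n' '# account required pam_tally.so deny=3' \
        'auth required pam_tally.so onerr=fail' > "$d/sshd"
    echo "$d"
}

# Scan the directory given as the first argument, or /etc/pam.d by default.
find_pam_tally_deny "${1:-/etc/pam.d}"
```

No output means no active pam_tally.so line with a deny= option was found in that directory.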

I guess now that the 3.1 release finally happened, people are getting more relaxed about releasing stuff into testing.

(Noting this here because when I searched for the answer to the APT problem I found a lot of wrong answers before I found the right one. Pagerank hath its privileges.)