Hello All,
Not sure how this happened, but my CA is pooched. I’m running Windows Small Business Server 2003, SP2. Certificate Services appears to start, then stops with the following error in the event log:
Type: Error
Date: 3/9/2010
Time: 5:21:28 PM
Event: 7024
Source: Service Control Manager
Category: None
User: N/A
Computer: MyServer
Description:
The Certificate Services service terminated with service-specific error 2148073494 (0x80090016).
According to MS KB295162, I verified that the Administrator group is the owner of "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA" and has full control.
c:\>certutil -verifykeys
CertUtil: -verifykeys command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.

c:\>certutil -getreg CA\CACertHash
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\sbs03
CACertHash:
CACertHash REG_MULTI_SZ =
0: 27 99 0e 68 1f 68 5d 82 03 95 f8 0e 3e 6a f7 a6 0a b5 c4 18
CertUtil: -getreg command completed successfully.

c:\>certutil -store my "27 99 0e 68 1f 68 5d 82 03 95 f8 0e 3e 6a f7 a6 0a b5 c4 18"
================ Certificate 4 ================
Serial Number: 12e209fee8b90f8045239b89a539ed63
Issuer: CN=sbs03, DC=SBSDom, DC=local
Subject: CN=sbs03, DC=SBSDom, DC=local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 27 99 0e 68 1f 68 5d 82 03 95 f8 0e 3e 6a f7 a6 0a b5 c4 18
No key provider information
Missing stored keyset
CertUtil: -store command completed successfully.

Thank you in advance for your help.
-Guy
Moved by: Tuesday, March 30, 2010 3:36 PM, Not a Server Core question (From: Server Core)
Changed type by Tim Quan, Thursday, April 8, 2010 2:56 AM
I have seen lots of people running into this specific issue in IIS 7 and later versions.
When we try to change the identity of an application pool to a domain account, we get the error below while committing the changes.
There was an error while performing this operation.
Details:
Keyset does not exist ( exception from HRESULT : 0x8009000D)
The error code may vary, but you will see the text "Keyset does not exist" while trying to update the application pool identity with a custom account, or while trying to specify a connect-as user in the basic settings of a site.
You might also see the following error codes:
0x80090016
0x80090005
Why am I seeing this issue?
This issue happens when your IIS specific machine keys are corrupt or missing.
Your machine keys might become corrupt if there was an improper shutdown of the machine, if the machine was cloned from an existing image, or if there was a system crash.
It's always a good idea to have a backup of the machine keys.
Before I explain in detail what goes wrong internally, let's first discuss the different machine keys IIS uses for encryption. Their location depends on the operating system; from Windows Server 2008 R2 onwards it is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, and the files are named as follows (file name prefix, then the key container name it holds):
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID NetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID iisWasKey
These three keys are used by IIS 7 and higher to encrypt the configuration.
The section of the IIS configuration that references these keys looks something like the following and lives in C:\Windows\System32\inetsrv\config\applicationHost.config:
<configProtectedData>
  <providers>
    <add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
    <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="value" />
    <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="value" />
  </providers>
</configProtectedData>
IIS 6.0 uses a different key, c2319c42033a5ca7f44e731bfd3fa2b5_GUID, for its encryption. If you see an IIS Admin Service start-up issue on an IIS 7 or IIS 6 machine, the first thing we check is whether metabase.xml or c2319c42033a5ca7f44e731bfd3fa2b5_GUID is corrupted.
In IIS, sensitive data such as passwords is never stored in plain text; it is encrypted before it is written to the config and decrypted when needed.
So if the machine keys above are corrupted, the IIS configuration and the keys go out of sync and every encryption or decryption task starts failing. That is why you see the above error while changing the application pool identity to a domain or custom account. If you change the application pool identity to an account such as Local System, Network Service, or a service account, which needs no password and hence no encryption, the task won't fail.
To confirm that machine key corruption is the cause, try changing the connect-as account for any website or virtual directory in IIS to a custom account; you will see the same error.
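As an added check (example code written for this page, not from the original post), the following PowerShell maps the key containers referenced by applicationHost.config to their expected files in MachineKeys and reports whether each file is present and who owns it; it assumes the Windows Server 2008 R2 and later paths given above and an elevated prompt.

```powershell
# Added example, not code from the original post: confirm that each key container named
# under <configProtectedData> (plus NetFrameworkConfigurationKey) has its file in MachineKeys,
# and show the file owner. Assumes Windows Server 2008 R2 or later paths and an elevated prompt.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$configPath  = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

# keyContainerName -> file-name prefix, as listed in the post
$prefixes = @{
    'iisConfigurationKey'          = '6de9cb26d2b98c01ec4e9e8b34824aa2'
    'NetFrameworkConfigurationKey' = 'd6d986f09a1ee04e24c949879fdb506c'
    'iisWasKey'                    = '76944fb33636aeddb9590521c2e8815a'
}

[xml]$config = Get-Content -Path $configPath -Raw
$adds = @($config.SelectNodes('/configuration/configProtectedData/providers/add'))
if ($adds.Count -eq 0) {
    Write-Warning "No providers under <configProtectedData> in $configPath (section missing or emptied)"
}
# Flag any provider whose container is not one of the three known IIS keys
foreach ($add in $adds) {
    $container = $add.GetAttribute('keyContainerName')
    if (-not $prefixes.ContainsKey($container)) {
        Write-Warning ("Provider {0} uses unknown key container '{1}'" -f $add.GetAttribute('name'), $container)
    }
}

# Check that each known key file exists and report its size and owner
foreach ($name in $prefixes.Keys) {
    $prefix = $prefixes[$name]
    $file = Get-ChildItem -Path $machineKeys -Filter "${prefix}_*" -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $file) {
        Write-Warning "$name : MISSING, no ${prefix}_<GUID> file in $machineKeys"
        continue
    }
    $owner = (Get-Acl -Path $file.FullName).Owner
    Write-Output ('{0,-29} {1,6} bytes  owner={2}  {3}' -f $name, $file.Length, $owner, $file.Name)
}
```

A missing file for a container that applicationHost.config still references is the situation that produces "Keyset does not exist"; a present file with an unexpected owner is worth checking against the permissions described in the forum post above before regenerating anything.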
How to fix the issue?
Most of the time we suggest rebuilding or reinstalling IIS. But what if reinstalling IIS is not an option?
Let’s see if there is something else we can do before we end up reinstalling IIS.
Before you proceed with the steps below, it's better to take a backup of the IIS configuration so that you need not configure everything from scratch in case you have to reinstall IIS.
To take a backup of the IIS configuration, install Web Deploy (msdeploy) from http://www.iis.net/downloads/microsoft/web-deploy
Once you install Web Deploy and reopen the inetmgr console, you will see the option to export a server package at the root node.
Click on Export server package.
You would want to encrypt the configuration with your own password. To do that Click on Advanced Settings.
Enter the encryption password. You would want to remember this password while importing the package.
Click on Ok and Next.
Save the package (a zip file), which you can use to import later if needed.
To import the package, follow similar steps: click Import Package at the root node of IIS and enter the encryption password.
How to work around the machine key corruption?
So much for the why; now back to the main issue, which is how to fix the machine key corruption and the errors below.
There was an error while performing this operation.
Details:
Keyset does not exist ( exception from HRESULT : 0x8009000D)
We can regenerate these machine keys without reinstalling IIS completely. To do that, follow the steps below.
1) Rename the files below, or move them to a different location, from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID NetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID iisWasKey
2) Back up applicationHost.config, then delete everything inside the <providers> tags within <configProtectedData> in applicationHost.config, as shown below.
<configProtectedData>
<providers>
…
</providers>
</configProtectedData>
3) Open a command prompt in admin mode and run the command below:
%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries
The above steps should regenerate the machine keys and also the configProtectedData section in applicationHost.config.
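The three steps above as one elevated PowerShell script (an added example, not the original post's code); it assumes the Windows Server 2008 R2 and later paths, moves the key files into a time-stamped backup folder of my choosing instead of renaming them in place, and empties the providers element with RemoveAll().

```powershell
# Added example, not the original post's code: steps 1 to 3 above as one script.
# Assumes Windows Server 2008 R2 or later paths and an elevated PowerShell prompt;
# $backupDir is my choice of backup location, adjust as needed.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$inetsrv     = Join-Path $env:windir 'System32\inetsrv'
$configPath  = Join-Path $inetsrv 'config\applicationHost.config'
$backupDir   = Join-Path $env:SystemDrive ('iis-key-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Step 1: move (rather than delete) the three key files out of MachineKeys
$prefixes = @(
    '6de9cb26d2b98c01ec4e9e8b34824aa2'   # iisConfigurationKey
    'd6d986f09a1ee04e24c949879fdb506c'   # NetFrameworkConfigurationKey
    '76944fb33636aeddb9590521c2e8815a'   # iisWasKey
)
foreach ($prefix in $prefixes) {
    Get-ChildItem -Path $machineKeys -Filter "${prefix}_*" -ErrorAction SilentlyContinue |
        Move-Item -Destination $backupDir -Verbose
}

# Step 2: back up applicationHost.config, then empty <providers> under <configProtectedData>
Copy-Item -Path $configPath -Destination (Join-Path $backupDir 'applicationHost.config')
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true          # keep the file's layout intact on save
$config.Load($configPath)
$providers = $config.SelectSingleNode('/configuration/configProtectedData/providers')
if ($null -eq $providers) {
    throw "No <providers> element under <configProtectedData> in $configPath"
}
$providers.RemoveAll()                      # removes every <add .../> child
$config.Save($configPath)

# Step 3: regenerate the keys and the configProtectedData section
& (Join-Path $inetsrv 'iissetup.exe') /install SharedLibraries
Write-Output "Backups of the key files and applicationHost.config are in $backupDir"
```

Passwords already encrypted under the old keys (custom application pool identities, connect-as accounts) cannot be decrypted once the keys are regenerated and must be re-entered, which is why the Web Deploy export above matters.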
If this doesn't help, the most preferable option would be to reinstall IIS to fix the corruption.
Hope this helps :)
Author: Chiranth Ramaswamy
Issue created Nov 11, 2020 by
Key type is forbidden. Must be RSA, DSA, ECDSA, or ED25519
## Issue:
Unable to add deploy keys.
## Error when I try to add keys at the project level:
Key is invalid, Key type is forbidden. Must be RSA, DSA, ECDSA, or ED25519, Fingerprint cannot be generated, Deploy keys projects deploy key key is invalid, Deploy keys projects deploy key key type is forbidden. Must be RSA, DSA, ECDSA, or ED25519, Deploy keys projects deploy key fingerprint cannot be generated.
## Error when I try to add keys from the admin panel:
The form contains the following errors:
* Key is invalid
* Key type is forbidden. Must be RSA, DSA, ECDSA, or ED25519
* Fingerprint cannot be generated
## Goal:
Do the following from GitLab CI:
- Deploy code to a CentOS server.
- Build the node app from that code within that CentOS server.
- Restart the web server.
## Documents being followed:
- https://docs.gitlab.com/ee/ci/ssh_keys/#ssh-keys-when-using-the-docker-executor
## Type of keys tried:
- https://docs.gitlab.com/ee/ssh/README.html#ed25519-ssh-keys
- https://docs.gitlab.com/ee/ssh/README.html#rsa-ssh-keys
- ssh-keygen -t ed25519 -C "" -> same error [cat ~/.ssh/id_ed25519]
- ssh-keygen -t rsa -b 2048 -C "" -> same error [cat ~/.ssh/id_rsa]
The errors are the same for both types of keys.
versions:
kubernetes:
gitlab helm chart: gitlab-4.4.1
kubernetes provider: RKE
gitlab runner chart: gitlab-runner-0.21.1
Issues already referred to, but no go:
- https://forum.gitlab.com/t/error-gitlab-your-ssh-key-type-is-forbidden-must-be-rsa-ecdsa-or-ed25519/16745
- omnibus-gitlab#204 (closed)
Notes:
I have also tried cat ~/.ssh/id_ed25519 | tr -d '\n'
cat ~/.ssh/id_rsa | tr -d '\n'
but no go.
I tried copying it from the vi editor.
I am extremely appreciative of the product and what it offers to us. I hope to get this solved by knowing what I might be doing wrong or what is wrong here!
Edited Nov 11, 2020 by Gajendra D Ambi
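As an added example (not part of the issue above, and not GitLab's code), here is a Python check that mirrors the three validation messages quoted in the issue: it parses an OpenSSH public key line, rejects anything that is not such a line (for instance a private key block), checks the key type against the allowed list, and computes the SHA256 fingerprint. The function names and sample inputs are mine and the samples are constructed, not real keys.

```python
import base64
import hashlib
import struct

# Key types GitLab's message names as allowed, keyed by the OpenSSH type string
ALLOWED_TYPES = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519",
                 "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
                 "ecdsa-sha2-nistp521": "ECDSA"}

def check_deploy_key(text):
    """Return (ok, detail): the SHA256 fingerprint when ok, else a GitLab-style message."""
    line = text.strip()
    if line.startswith("-----BEGIN"):
        # What `cat ~/.ssh/id_ed25519` prints is the private key, not a public key line
        return False, "Key is invalid: this is a private key, paste the .pub file instead"
    parts = line.split()
    if len(parts) < 2:
        return False, "Key is invalid: expected '<type> <base64-blob> [comment]'"
    key_type, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
        # RFC 4253: the blob opens with a length-prefixed string repeating the key type
        (n,) = struct.unpack_from(">I", raw, 0)
        embedded = raw[4:4 + n]
    except (ValueError, struct.error):
        return False, "Fingerprint cannot be generated: key blob is malformed"
    if embedded != key_type.encode("ascii"):
        return False, "Key is invalid: type prefix does not match the encoded key type"
    if key_type not in ALLOWED_TYPES:
        return False, "Key type is forbidden. Must be RSA, DSA, ECDSA, or ED25519"
    fingerprint = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return True, f"{ALLOWED_TYPES[key_type]} SHA256:{fingerprint}"

def make_public_key_line(key_type, key_bytes, comment=""):
    """Build a constructed (not real) OpenSSH public key line for testing."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    blob += struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()

# Constructed sample inputs (no real keys): a public line, a private block, an odd type
SAMPLE_ED25519 = make_public_key_line("ssh-ed25519", bytes(range(32)), "ci@example")
SAMPLE_PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA\n-----END OPENSSH PRIVATE KEY-----"
SAMPLE_ODD_TYPE = make_public_key_line("sk-ssh-ed25519@openssh.com", bytes(32))

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_PRIVATE, SAMPLE_ODD_TYPE):
        print(check_deploy_key(sample))
```

The output of `cat ~/.ssh/id_ed25519` or `cat ~/.ssh/id_rsa` is the private key and fails the first check; a deploy key field expects the one-line contents of the matching `.pub` file.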