Manually imported Trusted Keys may cause Encryption Management Server upgrade to fail
search cancel

Manually imported Trusted Keys may cause Encryption Management Server upgrade to fail


Article ID: 240302


Updated On:


Gateway Email Encryption Encryption Management Server


When upgrading to Encryption Management Server release 10.5 or above using the New Installation method as described in article 211876 and running the pgpbackup command to restore the backup, the following error message is generated after the data is restored and when services are restarted:

*** Error in 'pgpsysconf': double free or corruption

The same error is generated when trying to restart Apache with this command:

pgpsysconf --apache

Searching the Apache configuration file /etc/httpd/conf/httpd.conf for VirtualHost entries shows that there are none present:

# grep -c '</VirtualHost>' /etc/httpd/conf/httpd.conf


Symantec Encryption Management Server 10.5 and above.


One or more TLS certificates that were manually imported from the Keys / Trusted Keys page in the management console are incompatible with release 10.5 and above.


Please do the following to resolve this issue:

1. If you took a VMware snapshot prior to installing the new release from ISO, revert to snapshot. Otherwise, install the previous release from ISO and restore from backup.

2. Run this query to list the Trusted Keys that were manually imported, ordered by the expiration date:

psql oviddb ovidr -xc "SELECT tk.uuid, display_name, cer.creation, expiration
FROM trusted_key tk
LEFT JOIN key ON key.keyid = tk.keyid
LEFT JOIN certificate cer ON cer.key_uuid = key.uuid
WHERE tk.origin = 1
ORDER BY expiration"

3. From the management console, navigate to Keys / Trusted Keys and search for each expired trusted key from the query results using the display_name value. Delete each expired trusted key.

4. Export each trusted key that has not expired prior to deleting it.

5. Upgrade again using the New Installation method.

6. If the upgrade succeeds, navigate to Keys / Trusted Keys and import each trusted key that had not expired.

Alternatively, open a support case.

Additional Information