what will become 2.3.7 has filters for these. attached.
any idea why this would change constantly? i'd have thought that private
keys wouldnt change unless an admin changed them.
they should; just use svn options instead of cvs.

Hi,
I discovered this problem too and patched fnrancid to ignore the key. I may
have forgotten to post it back to the mailing list. My GetConf is now as
follows:

sub GetConf {
print STDERR " In GetConf: $_" if ($debug);

while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
# spot the start of an RSA private key
$priv_key = 1 if(/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/);
# spot the end of an RSA private key
$priv_key = 0 && next if(/^\s*-----END RSA PRIVATE KEY-----"/);
next if($priv_key == 1);

# remove occurrances of conf_file_ver
next if (/^#?conf_file_ver=/);
# filter variabilities between configurations. password encryption
# upon each display of the configuration.
if (/^\s*(set [^\s]*)\s(Enc\s[^\s]+)(.*)/i && $filter_pwds > 0 ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}
ProcessHistory("","","","$_");
}
$found_end = 1;
return(1);
}


I asked Fortinet support who said:

------------------------------------------------------------------------------------
Dear Gavin,

Certificate private key will keep changing every time you make a configuration
change. This is because the private key is printed by an OpenSSL function which
uses a new random number as the salt each time the function is called. So there
is no way to keep it unchanged.

It does not mean that the associated certificate is changing.
------------------------------------------------------------------------------------

so I figure it makes sense to just ignore it from rancid. My recollection
is that it changed more often than at each config update, but it took me a
fair bit of time to get this answer, so I figured this would do.

Gavin