<div dir="ltr"><div><div><div><div><div><div><div>hi,<br><br></div>I can reproduce this every time. Restarting httpd fixes it for a while, but then it stops working:<br><br>$ ipa cert-show 1<br>ipa: ERROR: cannot connect to '<a href="https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial">https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial</a>': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.<br>[jose.admin@kdc01 ~]$ sudo /etc/init.d/httpd restart<br>Stopping httpd:                                            [  OK  ]<br>Starting httpd:                                            [  OK  ]<br>[jose.admin@kdc01 ~]$ ipa cert-show 1<br>  Certificate: MIIDnDCCAoSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklY<br>LklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN<br>MTIxMTA3MjEyNDE1WhcNMjAxMTA3MjEyNDE1WjA7MRkwFwYDVQQKExBVTklYLklS<br>SVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G<br>CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCy2WVy7QkHiuENW/zkMeD4ILoqOruu<br>YKvb2+rqeuI9iw+zBBt569XSxrgcyeTq0G63RjbXgrAzot4EhYg6MoepDVCn0Bnu<br>rUfgbCf5R0Eboigjboh5MGnPylHefLRGARNUCwcTGA4uR9ZQL/rEUqWktmZjanYE<br>vOP8UBeuq5WP5emaX8U03SzMA+cQT9w/zx0eAOYgZW5yx3aA5Q4Fu8qWqMGGAOA6<br>yDQWqmIpgxiFHHRa7hQK4AjeHgvaColaU979Lh5jAv/XwrYtok1G+UVEp45INpfx<br>r5dLe03ognPFPZ0/xwbBqtt/2qn6rk4L4ukH4P9g4Rw0o7U1yJVx/SOJAgMBAAGj<br>gaowgacwHwYDVR0jBBgwFoAUo5fkii64zz7qM/K8k9Yj3qmENmgwDwYDVR0TAQH/<br>BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFKOX5IouuM8+6jPyvJPW<br>I96phDZoMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2tkYzAx<br>LnVuaXguaXJpc3pvcmcubmw6ODAvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEA<br>J28gdozd/ptOM5PTKKwyV+otO/wk3yErslxpNUhRZgSNUwT+t6tfF/j+jJRV5sX+<br>jy09c9Do+p3Hy9gRnIVJONDScvMV9nDc75C6JGXU+FdNJJ+Dbpep/RsQjHrZ+unw<br>IyAWoOpBol8sGzN5tXbeo/M6mGFxaBTH1GKtgv4CKbzQAotvMaGxzKjScHRsGaer<br>NSCZp/90yRJypC3MOosUFcFl4CoYHB42XDTzjvzZQcaFNcgYXOciujwwYHNzsSqY<br>cIKFSWuWvN++7g4yxQMlu8QW0Ms/PntmTmO2cDdNI1tujVyBKe599y4O/Es/MBGt
<br>DtVA85ALksJOU27bjtvbBg==<br>  Subject: CN=Certificate Authority,O=UNIX.DOMAIN.TLD<br>  Issuer: CN=Certificate Authority,O=UNIX.DOMAIN.TLD<br>  Not Before: Wed Nov 07 21:24:15 2012 UTC<br>  Not After: Sat Nov 07 21:24:15 2020 UTC<br>  Fingerprint (MD5): 28:18:34:9d:03:99:b8:ff:2b:bd:55:0a:65:bf:d4:f2<br>  Fingerprint (SHA1): 6f:e1:a4:4f:47:ec:9c:c4:ad:b9:b9:fc:e8:f4:33:4b:0a:cb:43:3e<br>  Serial number (hex): 0x1<br>  Serial number: 1<br><br></div>And a few minutes later (5, maximum 10) I get the SEC_ERROR_LEGACY_DATABASE error. No traceback in /var/log/httpd/error_log.<br><br></div>This is the first CA domain controller.<br><br></div>I am leaving this job in a few weeks, so I would like to leave everything working properly. Would it be better to upgrade the domain controllers to CentOS 7 (right now running CentOS 6.8, fully patched)?<br><br></div>Thanks for your input.<br><br>-- <br></div>regards,<br></div>natxo<br><div><div><div><div><div><br><br></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 6:30 PM, Natxo Asenjo <span dir="ltr"><<a href="mailto:natxo.asenjo@gmail.com" target="_blank">natxo.asenjo@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div class="h5"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Natxo Asenjo wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
I do see these errors:<br>
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS<br>
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-1801',<br>
all=False, raw=False, version=u'2.49', no_members=False,<br>
pkey_only=False): CertificateFormatError<br>
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS<br>
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : host_find(u'tftp-1801',<br>
all=False, raw=False, version=u'2.49', no_members=False,<br>
pkey_only=False): CertificateFormatError<br>
[Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS<br>
[Wed Sep 07 15:57:58 2016] [error] ipa: INFO: : host_find(u'tftp-1801',<br>
all=False, raw=False, version=u'2.49', no_members=False,<br>
pkey_only=False): CertificateFormatErro<br>
<br>
<br>
On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo <<a href="mailto:natxo.asenjo@gmail.com" target="_blank">natxo.asenjo@gmail.com</a>> wrote:<br></span><span>
<br>
<br>
    alas, not working again.<br>
<br>
    On the one kdc<br>
<br>
    $ ipa host-find tftp-1801<br>
    ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE)<br>
    The certificate/key database is in an old, unsupported format.<br>
<br>
    On the other:<br>
<br>
    $ ipa host-find tftp-1801<br>
    --------------<br>
    1 host matched<br>
    --------------<br>
       Host name: tftp-1801.sub.domain.tld<br>
    .....<br>
<br>
    After rebooting the kdc with the error, no new tracebacks in the<br>
    error_log<br>
</span></blockquote>
<br>
No new tracebacks but still not working?<br>
<br>
The CertificateFormatError is the server logging the equivalent of what you're seeing in the client.<span><font color="#888888"><br>
<br>
rob<br>
</font></span></blockquote></div><br><br clear="all"></div></div></div><div class="gmail_extra">that's right.<br><br></div><div class="gmail_extra">Is there anything else I can look at?<span class="HOEnZb"><font color="#888888"><br><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div class="gmail_extra">-- <br><div data-smartmail="gmail_signature">--<br>Groeten,<br>natxo</div>
</div></font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">--<br>Groeten,<br>natxo</div>
</div>
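<p>SEC_ERROR_LEGACY_DATABASE is the NSS error code for a certificate/key database in the old dbm layout (cert8.db, key3.db, secmod.db) that the library cannot open; the newer sql layout uses cert9.db, key4.db and pkcs11.txt, and which one NSS expects is governed by the <code>NSS_DEFAULT_DB_TYPE</code> environment variable or an explicit <code>dbm:</code>/<code>sql:</code> prefix on the directory. The thread above never identifies which database httpd trips over, so the first thing a practitioner would want is a check that classifies each database directory and confirms certutil can open it. The script below is an added example, not code from the thread or from FreeIPA; the default path <code>/etc/httpd/alias</code> (the mod_nss database that FreeIPA's web server uses) is an assumption, and the classification does not explain the intermittent behaviour reported above, it only tells you what format each database is in and whether the tools on the box can read it.</p>

```shell
#!/bin/sh
# Added diagnostic for SEC_ERROR_LEGACY_DATABASE (example, not FreeIPA code).
# Classifies an NSS database directory by the files it contains and checks
# whether certutil can open it the way an unprefixed caller (httpd, the ipa
# client) would. The default directory /etc/httpd/alias is an assumption.

# Print "dbm", "sql", "mixed" or "none" for the NSS database in directory $1.
# dbm layout: cert8.db/key3.db/secmod.db   sql layout: cert9.db/key4.db/pkcs11.txt
nssdb_format() {
    dir=$1
    dbm=no
    sql=no
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then dbm=yes; fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then sql=yes; fi
    case "$dbm$sql" in
        yesno)  echo dbm ;;
        noyes)  echo sql ;;
        yesyes) echo mixed ;;   # both layouts present: prefix decides which one opens
        *)      echo none ;;
    esac
}

# Report the format of $1 and, when certutil is installed, whether it can
# list the database without a dbm:/sql: prefix (i.e. with NSS's default type,
# as httpd does). Returns success only for a directory with exactly one layout.
nssdb_check() {
    dir=$1
    fmt=$(nssdb_format "$dir")
    printf '%s: format=%s NSS_DEFAULT_DB_TYPE=%s\n' \
        "$dir" "$fmt" "${NSS_DEFAULT_DB_TYPE:-unset}"
    if command -v certutil >/dev/null 2>&1; then
        if certutil -L -d "$dir" >/dev/null 2>&1; then
            echo "  certutil -L -d $dir: readable"
        else
            echo "  certutil -L -d $dir: FAILED" \
                 "(compare 'certutil -L -d dbm:$dir' and 'certutil -L -d sql:$dir')"
        fi
    fi
    [ "$fmt" = dbm ] || [ "$fmt" = sql ]
}

# Check every directory given on the command line, or the assumed default.
[ $# -gt 0 ] || set -- /etc/httpd/alias
for d in "$@"; do
    nssdb_check "$d"
done
```

Run it as <code>sh nssdb-check.sh /etc/httpd/alias</code> on the KDC that fails and on the one that works, once right after the httpd restart and again once <code>ipa cert-show</code> starts failing; a directory reported as <code>mixed</code>, or one that certutil reads only with an explicit <code>dbm:</code> or <code>sql:</code> prefix, is the place to look next, and so is any difference in <code>NSS_DEFAULT_DB_TYPE</code> between your shell and httpd's environment.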