<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 09/15/2016 03:04 AM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzU5rPKP_ajwLV8_HB_eC5igppSLsACJavOMgLeg2hDbig@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Ben,<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 2:45 PM,
Ben Lipton <span dir="ltr">&lt;<a moz-do-not-send="true"
target="_blank" href="mailto:blipton@redhat.com">blipton@redhat.com</a>&gt;</span>
wrote:<br>
<br>
<blockquote style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span
class="gmail-"></span>One other note - this could be a
permissions issue. NSS seems to produce this confusing
error message when it can't access the database, even if
the format of the database is actually fine.<br>
<br>
$ sudo chown root:root /tmp/certs<br>
$ certutil -N -d /tmp/certs<br>
certutil: function failed: SEC_ERROR_LEGACY_DATABASE:
The certificate/key database is in an old, unsupported
format.<br>
</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">Thanks for the tip. What directory
should I check? I have checked:<br>
<br>
<br>
</div>
<div class="gmail_extra">[root@kdc01 httpd]$ ls -ltrZ
/etc/httpd/alias/<br>
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0
secmod.db.orig<br>
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0
key3.db.orig<br>
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0
cert8.db.orig<br>
-rw-------. root root unconfined_u:object_r:cert_t:s0
install.log<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0
pwdfile.txt<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0
secmod.db<br>
-r--r--r--. root root unconfined_u:object_r:cert_t:s0
cacert.asc.orig<br>
-r--r--r--. root root unconfined_u:object_r:cert_t:s0
cacert.asc<br>
lrwxrwxrwx. root root system_u:object_r:cert_t:s0
libnssckbi.so -> ../../..//usr/lib/libnssckbi.so<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0
key3.db<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0
cert8.db<br>
<br>
[root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/<br>
drwxr-xr-x. root root system_u:object_r:cert_t:s0
/etc/httpd/alias/<br>
<br clear="all">
<br>
</div>
<div class="gmail_extra">Those seem ok.<br>
</div>
<div class="gmail_extra">
<div class="gmail_signature">--<br>
Groeten,<br>
natxo</div>
</div>
</div>
</div>
</blockquote>
<br>
The other one I know about is:<br>
# ls -ltrZ /etc/ipa/nssdb<br>
total 80<br>
-rw-------. 1 root root unconfined_u:object_r:cert_t:s0 40 Aug 22
13:13 pwdfile.txt<br>
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22
13:13 secmod.db<br>
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22
13:13 key3.db<br>
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22
13:13 cert8.db<br>
# ls -ltrdZ /etc/ipa/nssdb<br>
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08
/etc/ipa/nssdb<br>
<br>
I still don't have any good ideas for why it would work for 5
minutes and then give an error. If you manage to get a traceback for
the CertificateFormatError by enabling debug logging, that could be
very helpful.<br>
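<br>
Added example, not part of the original e-mail: since NSS reports SEC_ERROR_LEGACY_DATABASE when it merely cannot open the database, this script reads the mode, owner and group columns of `ls -lZ` listings like the ones in this thread and names the database files a given account cannot read. The account names `natxo` and `apache` and their group memberships are assumptions, and only mode bits are evaluated, not ACLs or SELinux policy.<br>

```shell
#!/bin/sh
# Added example: decide from `ls -lZ` columns whether an account can open NSS
# database files. Mode bits only; ACLs and SELinux policy are not modelled.

# perm_allows MODE OWNER GROUP USER "USER_GROUPS" WANT   (WANT is r, w or x)
perm_allows() {
    mode=$1; owner=$2; group=$3; user=$4; ugroups=$5; want=$6
    # Simplification: root bypasses the mode bits.
    if [ "$user" = root ]; then return 0; fi
    case $want in r) off=0 ;; w) off=1 ;; x) off=2 ;; *) return 2 ;; esac
    # Column 1 is the file type; owner bits start at 2, group at 5, other at 8.
    if [ "$user" = "$owner" ]; then
        start=2
    else
        case " $ugroups " in *" $group "*) start=5 ;; *) start=8 ;; esac
    fi
    bit=$(printf '%s' "$mode" | cut -c "$((start + off))")
    case $bit in
        "$want") return 0 ;;
        s|t) if [ "$want" = x ]; then return 0; fi; return 1 ;;
        *) return 1 ;;
    esac
}

# unreadable_dbs USER "USER_GROUPS": reads listing lines on stdin
# (mode owner group context name) and prints each legacy NSS database file
# (cert8.db, key3.db, secmod.db) that USER cannot read.
unreadable_dbs() {
    while read -r mode owner group _ctx name _rest; do
        case $name in cert8.db|key3.db|secmod.db) ;; *) continue ;; esac
        perm_allows "$mode" "$owner" "$group" "$1" "$2" r || printf '%s\n' "$name"
    done
}

# Listing lines copied from the /etc/httpd/alias output in the thread.
sample_listing() {
    ctx=unconfined_u:object_r:cert_t:s0
    printf '%s\n' \
        "-rw-r-----. root apache $ctx key3.db.orig" \
        "-rw-------. root root $ctx install.log" \
        "-rw-rw----. root apache $ctx secmod.db" \
        "-rw-rw----. root apache $ctx key3.db" \
        "-rw-rw----. root apache $ctx cert8.db"
}

# Assumed account "natxo" in group "natxo" only: all three files are listed.
sample_listing | unreadable_dbs natxo "natxo"
```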
</body>
</html>