<div dir="ltr"><div>hi,<br><br></div>attached error_log<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 15, 2016 at 1:09 PM, Natxo Asenjo <span dir="ltr">&lt;<a href="mailto:natxo.asenjo@gmail.com" target="_blank">natxo.asenjo@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div class="h5"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton <span dir="ltr">&lt;<a href="mailto:blipton@redhat.com" target="_blank">blipton@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><div><div>
<br>
<div>On 09/15/2016 03:04 AM, Natxo Asenjo
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ben,<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 2:45 PM,
Ben Lipton <span dir="ltr">&lt;<a href="mailto:blipton@redhat.com" target="_blank">blipton@redhat.com</a>&gt;</span>
wrote:<br>
<br>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span></span>One other note - this could be a
permissions issue. NSS seems to produce this confusing
error message when it can't access the database, even if
the format of the database is actually fine.<br>
<br>
$ sudo chown root:root /tmp/certs<br>
$ certutil -N -d /tmp/certs<br>
certutil: function failed: SEC_ERROR_LEGACY_DATABASE:
The certificate/key database is in an old, unsupported
format.<br>
</blockquote>
</div>
<br>
</div>
<div class="gmail_extra">Thanks for the tip. What directory
should I check? I have checked:<br>
<br>
<br>
</div>
<div class="gmail_extra">[root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/<br>
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 secmod.db.orig<br>
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 key3.db.orig<br>
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 cert8.db.orig<br>
-rw-------. root root unconfined_u:object_r:cert_t:s0 install.log<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 secmod.db<br>
-r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc.orig<br>
-r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc<br>
lrwxrwxrwx. root root system_u:object_r:cert_t:s0 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 key3.db<br>
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 cert8.db<br>
<br>
[root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/<br>
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/httpd/alias/<br>
<br clear="all">
<br>
</div>
<div class="gmail_extra">Those seem ok.<br>
</div>
<div class="gmail_extra">
<div>--<br>
Groeten,<br>
natxo</div>
</div>
</div>
</div>
</blockquote>
<br></div></div>
The other one I know about is:<br>
# ls -ltrZ /etc/ipa/nssdb<br>
total 80<br>
-rw-------. 1 root root unconfined_u:object_r:cert_t:s0 40 Aug 22 13:13 pwdfile.txt<br>
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 secmod.db<br>
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 key3.db<br>
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 13:13 cert8.db<br>
# ls -ltrdZ /etc/ipa/nssdb<br>
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 /etc/ipa/nssdb<br>
<br>
I still don't have any good ideas for why it would work for 5
minutes and then give an error. If you manage to get a traceback for
the CertificateFormatError by enabling debug logging, that could be
very helpful.<br>
</div>
</blockquote></div><br></div></div></div><div class="gmail_extra">I do not have that directory (centos 6.8):<br><br>
 ls -ltrZ /etc/ipa/<br>
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 default.conf<br>
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 ca.crt<br>
drwxr-xr-x. root root system_u:object_r:etc_t:s0 html<br>
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 server.conf.bak<br>
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 server.conf<br clear="all"></div><div class="gmail_extra"><br><br></div><div class="gmail_extra">I have enabled debugging:<br><br>
$ cat /etc/ipa/server.conf<br>
[global]<br>
debug = True<br><br></div><div class="gmail_extra">Could I send you the logs privately?<span class="HOEnZb"><font color="#888888"><br><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div class="gmail_extra">-- <br><div>--<br>Groeten,<br>natxo</div>
</div></font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">--<br>Groeten,<br>natxo</div>
</div>
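<div>Added example, not part of the original thread: a shell check that separates "cannot access the NSS database" from "database really is in the legacy format", the distinction the permissions note in the thread turns on. The function name <code>nssdb_diagnose</code> and its result labels are hypothetical; the file names are the standard NSS ones.</div>

```shell
#!/bin/sh
# Added example: classify an NSS database directory so that an access problem
# is not mistaken for a format problem. nssdb_diagnose and its result labels
# are hypothetical names; the database file names are the standard NSS ones.

nssdb_diagnose() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing-dir"; return 0
    fi
    # The caller needs read (r) and search (x) on the directory itself.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "dir-not-accessible"; return 0
    fi
    legacy="cert8.db key3.db secmod.db"   # dbm format, as in the listings above
    sql="cert9.db key4.db pkcs11.txt"     # sqlite format used by newer NSS
    found=""
    blocked=""
    for f in $legacy $sql; do
        [ -e "$dir/$f" ] || continue
        found="$found $f"
        # Readability is tested for the invoking user, not for root in general.
        [ -r "$dir/$f" ] || blocked="$blocked $f"
    done
    if [ -z "$found" ]; then
        echo "no-database"; return 0
    fi
    if [ -n "$blocked" ]; then
        echo "unreadable:$blocked"; return 0
    fi
    case " $found " in
        *" cert9.db "*) echo "sql" ;;
        *)              echo "legacy-dbm" ;;
    esac
}

# Run as the account that actually opens the database, one directory per argument.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        printf '%s: %s\n' "$d" "$(nssdb_diagnose "$d")"
    done
fi
```

<div>A result of <code>unreadable:</code> or <code>dir-not-accessible</code> for the service account points at ownership or mode rather than at the database format.</div>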