[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Thu Feb 20 22:08:11 UTC 2014


Sigbjorn Lie wrote:
> On 20/02/14 21:38, Rob Crittenden wrote:
>>>
>>> I am surprised too. I dumped the PKI CA certificate from /etc/pki/nssdb
>>> before and after I updated it into text files, and diff'ed them. No
>>> differences were reported.
>>
>> I can't think of a reason it would be using the sqlite database at
>> all. You don't have NSS_DEFAULT_DB_TYPE set somewhere do you? I'd find
>> it hard to believe that this would be set EVERYWHERE.
>>
>> If we want to brute force things, trying strace against a client that
>> isn't working to confirm that it is trying to open cert9 might give us
>> a data point at least.
>
> I have NSS_DEFAULT_DB_TYPE set to "sql".

Oh, ok, that's why then. You're telling NSS to use sqlite databases and 
we only configure the older database style so the client isn't finding 
its CA cert.

So you can either not set that or migrate all the client databases. I'm 
a little surprised the servers aren't blowing up on you too.

rob
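
A check for the mismatch diagnosed above, as an added example that is not part of the original message. It assumes the legacy format is stored as cert8.db and the sqlite format as cert9.db, and that NSS uses the legacy format when NSS_DEFAULT_DB_TYPE is unset, as on the systems in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether an NSS database directory holds the format
# that NSS_DEFAULT_DB_TYPE tells NSS to open.

# Print which database format(s) exist in directory $1: dbm, sql, both, none.
nss_db_formats() {
    dir=$1 has_dbm=no has_sql=no
    [ -f "$dir/cert8.db" ] && has_dbm=yes   # legacy (dbm) certificate store
    [ -f "$dir/cert9.db" ] && has_sql=yes   # sqlite certificate store
    case "$has_dbm/$has_sql" in
        yes/yes) echo both ;;
        yes/no)  echo dbm ;;
        no/yes)  echo sql ;;
        *)       echo none ;;
    esac
}

# Compare directory $1 against the requested type: $2 if given, otherwise
# NSS_DEFAULT_DB_TYPE, otherwise dbm (assumed default, see lead-in).
# Prints one line and returns 1 on a mismatch.
nss_db_check() {
    want=${2:-${NSS_DEFAULT_DB_TYPE:-dbm}}
    have=$(nss_db_formats "$1")
    case "$have" in
        both|"$want") echo "ok: $1 has $have, NSS will open $want" ;;
        *) echo "mismatch: $1 has $have, NSS will open $want"; return 1 ;;
    esac
}

# Check every directory named on the command line, e.g. /etc/pki/nssdb.
for d in "$@"; do
    nss_db_check "$d" || true
done
```

A mismatch line for a client directory means either unsetting the variable or migrating that database, the two options given above.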



