[Freeipa-users] Certificate system unavailable

Sigbjorn Lie sigbjorn at nixtra.com
Thu Feb 20 22:40:48 UTC 2014


On 20/02/14 23:08, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 20/02/14 21:38, Rob Crittenden wrote:
>>>>
>>>> I am surprised too. I dumped the PKI CA certificate from 
>>>> /etc/pki/nssdb
>>>> before and after I updated it into text files, and diff'ed them. No
>>>> differences were reported.
>>>
>>> I can't think of a reason it would be using the sqlite database at
>>> all. You don't have NSS_DEFAULT_DB_TYPE set somewhere do you? I'd find
>>> it hard to believe that this would be set EVERYWHERE.
>>>
>>> If we want to brute force things, trying strace against a client that
>>> isn't working to confirm that it is trying to open cert9 might give us
>>> a data point at least.
>>
>> I have NSS_DEFAULT_DB_TYPE set to "sql".
>
> Oh, ok, that's why then. You're telling NSS to use sqlite databases 
> and we only configure the older database style so the client isn't 
> finding its CA cert.
>
> So you can either not set that or migrate all the client databases. 
> I'm a little surprised the servers aren't blowing up on you too.
>

Ohh so true...unset NSS_DEFAULT_DB_TYPE and it's all working fine! I 
can't believe it was something this silly!

I've found the file where the NSS_DEFAULT_DB_TYPE is set to "sql" for 
our environment. This file has not been changed since Sep 2012. It's 
only set for a select number of our accounts (mine being one of them) - 
that's why the servers aren't blowing up, and why the webui is still 
working...

We installed IPA in early 2012 and I've not had issues using the "ipa" 
command on any machines until a few weeks ago - and yes, 
NSS_DEFAULT_DB_TYPE=sql has been in the environment for my account the 
whole time.

We recently installed a set of patches upgrading our servers to RHEL 
6.5+(some updates) from 6.4. It would seem like something changed with 
this set of patches. And it also explains why this did not happen in the 
test environment as the same accounts are not being utilised there.

Thank you for your assistance resolving these issues we've had recently. :)


Regards,
Siggi
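
A small diagnostic for the mismatch discussed in this thread (added here as an example, not something posted by Siggi or Rob): it reports which NSS database format is on disk in a directory such as /etc/pki/nssdb and whether the NSS_DEFAULT_DB_TYPE in the environment can open it. It assumes that NSS of the RHEL 6 era falls back to the legacy dbm files when the variable is unset, which is the format the thread says the IPA client configures.

```sh
#!/bin/sh
# Added diagnostic, not from the thread: compare the NSS database format
# selected by NSS_DEFAULT_DB_TYPE with the files actually present in an
# NSS database directory such as /etc/pki/nssdb.
#   legacy "dbm" format: cert8.db, key3.db, secmod.db
#   sqlite "sql" format: cert9.db, key4.db, pkcs11.txt
# Assumption: with NSS_DEFAULT_DB_TYPE unset, NSS of this era (RHEL 6)
# opens the legacy dbm files, which is what the IPA client sets up.

# nssdb_format DIR -> prints dbm, sql, both or none
nssdb_format() {
    have_dbm=0
    have_sql=0
    [ -f "$1/cert8.db" ] && have_dbm=1
    [ -f "$1/cert9.db" ] && have_sql=1
    if [ "$have_dbm" -eq 1 ] && [ "$have_sql" -eq 1 ]; then
        echo both
    elif [ "$have_dbm" -eq 1 ]; then
        echo dbm
    elif [ "$have_sql" -eq 1 ]; then
        echo sql
    else
        echo none
    fi
}

# nssdb_check DIR [TYPE] -> prints ok or mismatch. TYPE defaults to the
# value of NSS_DEFAULT_DB_TYPE in the environment, or dbm when it is unset.
nssdb_check() {
    dir=$1
    want=${2:-${NSS_DEFAULT_DB_TYPE:-dbm}}
    have=$(nssdb_format "$dir")
    case "$have" in
        both)    echo ok ;;        # either format can be opened
        "$want") echo ok ;;        # on-disk format matches the selection
        *)       echo mismatch ;;  # e.g. env says sql, only cert8.db on disk
    esac
}

# Example run: each directory given on the command line is checked
# against the current environment, e.g. ./nssdb_check.sh /etc/pki/nssdb
if [ "$#" -ge 1 ]; then
    for d in "$@"; do
        printf '%s: files=%s env=%s -> %s\n' "$d" "$(nssdb_format "$d")" \
            "${NSS_DEFAULT_DB_TYPE:-unset}" "$(nssdb_check "$d")"
    done
fi
```

A "mismatch" with env=sql and files=dbm is exactly the situation described above: the client is told to look for cert9.db while only the legacy cert8.db exists, so the CA certificate is never found.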