[Freeipa-users] SEC_ERROR_LEGACY_DATABASE

Petr Vobornik pvoborni at redhat.com
Fri May 29 09:05:48 UTC 2015


On 05/29/2015 10:45 AM, David Lin wrote:
> ipa host-find produces this
> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>
> and ipa host-show on only one of the hosts shows
> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>
> all the other hosts are fine.

Does any other host have a certificate set? I want to find out if it fails 
on a specific certificate and not on other(s) or if it fails for all 
hosts with a certificate set.

The SEC_ERROR_LEGACY_DATABASE error suggests that it fails on initialization 
of the NSS database, which is not dependent on the stored certificate.

>
> Thanks!
> David
>
>> On May 29, 2015, at 1:35 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>>
>> On 05/29/2015 10:02 AM, Martin Kosek wrote:
>>> On 05/29/2015 01:27 AM, David Lin wrote:
>>>> Hi,
>>>> When I try to add multiple hosts, on the web UI, when I go to the host
>>>> tab,
>>
>> This means that the Web UI calls `ipa host-find` and a couple of `ipa host-show` commands. Could you try it in the CLI to find out which command fails?
>>
>> So other Web UI tabs work? Does the service tab work (services have some common logic with hosts)?
>>
>>> I get
>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>>> certificate/key database is in an old, unsupported format.
>>>>
>>>> What does this mean?
>>
>> NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the database directory (for any reason, including a non-existent directory).
>>
>>>
>>> That's strange. CCing Petr. Maybe the /etc/httpd/alias NSS database was
>>> somehow damaged? Although I doubt that; in that case Apache would not
>>> even be able to serve https.
>>
>> +1
>>
>>>
>>>> On one of the hosts, I do notice that when I do
>>>>
>>>> ipa host-show
>>>>
>>>> there is no certificate listed.
>>>
>>> If you are using FreeIPA 4.1+, this is expected:
>>>
>>> https://fedorahosted.org/freeipa/ticket/4449
>>>
>>> Martin
>>>
>>
>> --
>> Petr Vobornik
>
>


-- 
Petr Vobornik
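
A readability check for an NSS database directory such as the /etc/httpd/alias mentioned in the thread, added here as an example; it is not part of any poster's message and not FreeIPA code. It assumes the standard NSS file names (cert8.db/key3.db for the legacy dbm format, cert9.db/key4.db for the sql format); the function name nss_db_check is hypothetical.

```shell
#!/bin/sh
# Added example (not FreeIPA code): classify an NSS database directory by
# what the calling user can actually see and read. NSS reports
# SEC_ERROR_LEGACY_DATABASE when it cannot read the directory, so each
# failure below is a candidate cause. File names are the standard NSS ones
# (assumption: no custom prefix is in use).

# nss_db_check DIR
#   prints one status word; returns 0 only when a complete, readable
#   database of one format is present.
nss_db_check() {
    dir=$1

    if [ ! -e "$dir" ]; then echo missing-dir; return 1; fi
    if [ ! -d "$dir" ]; then echo not-a-dir; return 1; fi
    # Both read and search permission are needed to open files inside.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo unreadable-dir; return 1
    fi

    # Decide which format the directory appears to hold.
    if [ -e "$dir/cert9.db" ] || [ -e "$dir/key4.db" ]; then
        fmt=sql; files="cert9.db key4.db"
    elif [ -e "$dir/cert8.db" ] || [ -e "$dir/key3.db" ]; then
        fmt=dbm; files="cert8.db key3.db"
    else
        echo no-db-files; return 1
    fi

    # Every file of that format must exist and be readable by this user.
    for f in $files; do
        if [ ! -e "$dir/$f" ]; then echo "$fmt-missing-$f"; return 1; fi
        if [ ! -r "$dir/$f" ]; then echo "$fmt-unreadable-$f"; return 1; fi
    done

    echo "$fmt-ok"
}

# Usage: nss_db_check /etc/httpd/alias
```

Run it as the account the failing process runs under, since the result depends on that user's permissions rather than on root's.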



