[Freeipa-users] SEC_ERROR_LEGACY_DATABASE
David Lin
linhai88 at stanford.edu
Fri May 29 09:18:15 UTC 2015
The other hosts do not have a certificate set.
Thanks,
David
On 05/29/2015 02:05 AM, Petr Vobornik wrote:
> On 05/29/2015 10:45 AM, David Lin wrote:
>> ipa host-find produces this
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>> certificate/key database is in an old, unsupported format.
>>
>> and ipa host-show on only one of the hosts shows
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>> certificate/key database is in an old, unsupported format.
>>
>> all the other hosts are fine.
>
> Does any other host have certificate set? I want to find out if it
> fails on a specific certificate and not on other(s) or if it fails for
> all hosts with certificate set.
>
> SEC_ERROR_LEGACY_DATABASE error suggests that it fails on
> initialization of NSS database which is not dependent on stored
> certificate.
>
>>
>> Thanks!
>> David
>>
>>> On May 29, 2015, at 1:35 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>>>
>>> On 05/29/2015 10:02 AM, Martin Kosek wrote:
>>>> On 05/29/2015 01:27 AM, David Lin wrote:
>>>>> Hi,
>>>>> When I try to add multiple hosts, on the web UI, when I go to the host tab,
>>>
>>> This means that Web UI calls `ipa host-find` and a couple of `ipa
>>> host-show` commands. Could you try it in the CLI to find out which
>>> command fails?
>>>
>>> So other Web UI tabs work? Does the service tab work (services have some
>>> common logic with hosts)?
>>>
>>>> I get
>>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>>>> certificate/key database is in an old, unsupported format.
>>>>>
>>>>> What does this mean?
>>>
>>> NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the
>>> database directory (for any reason, including non-existent directory)
>>>
>>>>
>>>> That's strange. CCing Petr. Maybe the /etc/httpd/alias NSS database was
>>>> somehow damaged? Although I doubt that, in that case Apache would not
>>>> be able to serve https even.
>>>
>>> +1
>>>
>>>>
>>>>> On one of the hosts, I do notice that when I do
>>>>>
>>>>> ipa host-show
>>>>>
>>>>> there is no certificate listed.
>>>>
>>>> If you are using FreeIPA 4.1+, this is expected:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4449
>>>>
>>>> Martin
>>>>
>>>
>>> --
>>> Petr Vobornik
>>
>>
>
>
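
Added example, not part of the original thread and not FreeIPA code: since the thread notes that NSS returns SEC_ERROR_LEGACY_DATABASE when it cannot read the database directory for any reason, this sketch reports the file-system state of an NSS database directory as seen by the calling user. The function name and state words are hypothetical; it checks only file-system causes and does not prove NSS can parse the files.

```shell
#!/bin/sh
# Added example (assumption: standard NSS file names).
#   cert8.db / key3.db -> legacy DBM format
#   cert9.db / key4.db -> SQLite format
# nssdb_state DIR prints one word describing what the calling user sees.

nssdb_state() {
    _dir=$1
    [ -e "$_dir" ] || { echo missing; return 0; }
    [ -d "$_dir" ] || { echo not-a-directory; return 0; }
    # The directory needs read and search permission for the calling user.
    { [ -r "$_dir" ] && [ -x "$_dir" ]; } || { echo unreadable-dir; return 0; }

    # Decide which format's file pair to expect; SQLite files take priority.
    if [ -e "$_dir/cert9.db" ] || [ -e "$_dir/key4.db" ]; then
        _fmt=sql _cert=cert9.db _key=key4.db
    elif [ -e "$_dir/cert8.db" ] || [ -e "$_dir/key3.db" ]; then
        _fmt=dbm _cert=cert8.db _key=key3.db
    else
        echo no-database; return 0
    fi

    # Both the certificate and the key file must exist, be readable, and be
    # non-empty; report the first file that fails.
    for _f in "$_cert" "$_key"; do
        [ -e "$_dir/$_f" ] || { echo "incomplete:$_f"; return 0; }
        [ -r "$_dir/$_f" ] || { echo "unreadable-file:$_f"; return 0; }
        [ -s "$_dir/$_f" ] || { echo "empty-file:$_f"; return 0; }
    done
    echo "ok-$_fmt"
}

# Stand-alone use: pass the directory to inspect, for example the
# /etc/httpd/alias path mentioned in the thread.
if [ "$#" -gt 0 ]; then
    nssdb_state "$1"
fi
```

Run it as the account that hits the error (for the Web UI, the account the web server runs under), because permissions are evaluated for the calling user.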