[Freeipa-users] SEC_ERROR_LEGACY_DATABASE

David Lin linhai88 at stanford.edu
Fri May 29 09:18:15 UTC 2015


The other hosts do not have a certificate set.

Thanks,
David


On 05/29/2015 02:05 AM, Petr Vobornik wrote:
> On 05/29/2015 10:45 AM, David Lin wrote:
>> ipa host-find produces this
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
>> certificate/key database is in an old, unsupported format.
>>
>> and ipa host-show on only one of the hosts shows
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
>> certificate/key database is in an old, unsupported format.
>>
>> all the other hosts are fine.
>
> Does any other host have certificate set? I want to find out if it 
> fails on a specific certificate and not on other(s) or if it fails for 
> all hosts with certificate set.
>
> SEC_ERROR_LEGACY_DATABASE error suggests that it fails on 
> initialization of NSS database which is not dependent on stored 
> certificate.
>
>>
>> Thanks!
>> David
>>
>>> On May 29, 2015, at 1:35 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>>>
>>> On 05/29/2015 10:02 AM, Martin Kosek wrote:
>>>> On 05/29/2015 01:27 AM, David Lin wrote:
>>>>> Hi,
>>>>> When I try to add multiple hosts, on the web UI, when I go to the
>>>>> host tab,
>>>
>>> This means that the Web UI calls `ipa host-find` and a couple of `ipa 
>>> host-show` commands. Could you try it in the CLI to find out which 
>>> command fails?
>>>
>>> So other Web UI tabs work? Does the service tab work (services have 
>>> some common logic with hosts)?
>>>
>>>> I get
>>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>>>> certificate/key database is in an old, unsupported format.
>>>>>
>>>>> What does this mean?
>>>
>>> NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the 
>>> database directory (for any reason, including a non-existent directory).
>>>
>>>>
>>>> That's strange. CCing Petr. Maybe the /etc/httpd/alias NSS database
>>>> was somehow damaged? Although I doubt that, in that case Apache would
>>>> not even be able to serve https.
>>>
>>> +1
>>>
>>>>
>>>>> On one of the hosts, I do notice that when I do
>>>>>
>>>>> ipa host-show
>>>>>
>>>>> there is no certificate listed.
>>>>
>>>> If you are using FreeIPA 4.1+, this is expected:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4449
>>>>
>>>> Martin
>>>>
>>>
>>> -- 
>>> Petr Vobornik
>>
>>
>
>
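
Added example (not part of the original thread and not FreeIPA code): a shell pre-flight check for the conditions the thread names as causes of SEC_ERROR_LEGACY_DATABASE, namely a database directory such as /etc/httpd/alias that is missing, inaccessible to the calling account, or lacking a full set of NSS database files. The function name, return codes, script name and the `apache` account in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of an NSS database directory.
# Return codes are this example's own convention:
#   0 complete database found   1 directory missing
#   2 directory not accessible  3 no complete set of database files
#   4 a database file exists but is not readable
check_nssdb() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "denied: $(id -un) cannot read or enter $dir"
        return 2
    fi
    # File names of the legacy DBM layout, then of the SQLite layout.
    for layout in "dbm cert8.db key3.db secmod.db" \
                  "sql cert9.db key4.db pkcs11.txt"; do
        fmt=${layout%% *}
        found=0
        for f in ${layout#* }; do
            [ -e "$dir/$f" ] || continue
            if [ ! -r "$dir/$f" ]; then
                echo "denied: $(id -un) cannot read $dir/$f"
                return 4
            fi
            found=$((found + 1))
        done
        if [ "$found" -eq 3 ]; then
            echo "ok: $fmt database in $dir"
            return 0
        fi
    done
    echo "incomplete: no full cert/key/module file set in $dir"
    return 3
}

# Run as the account that opens the database (apache is an assumed
# service account, check_nssdb.sh a hypothetical file name):
#   sudo -u apache sh check_nssdb.sh /etc/httpd/alias
[ "$#" -eq 0 ] || check_nssdb "$1"
```

The check covers presence and permissions only; it does not validate the contents of the database files.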
