[Freeipa-users] Certificate format error reported by GUI

Jim Richard jrichard at placeiq.com
Sat Oct 1 19:36:23 UTC 2016


Hi Pavel:

Yes, my httpd logs were flooded with cert errors from hosts trying to renew bogus certs.

How 100 or so out of 1000 hosts ended up with certs that were not valid is unknown at this time, but using Ansible I cleaned all those up and it looks like I’m in good shape now.

Here’s the playbook I used to find certs that were problematic and tell certmonger to stop tracking them:

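---
# Stop certmonger from tracking the requests that "ipa-getcert list -r" reports.
- hosts: ipa-hosts
  gather_facts: False

  tasks:

  # -r lists only requests that are currently being enrolled or refreshed;
  # gawk splits each "Request ID '<id>':" line on single quotes and prints the id.
  - name: get request id
    shell: ipa-getcert list -r | gawk -F\' '/Request/ {print $2}'
    register: my_id
    changed_when: False  # listing only, nothing is modified

  #- debug: var=my_id

  # Stop tracking every request id collected by the previous task.
  - name: kill bad certs
    shell: ipa-getcert stop-tracking -i {{ item }}
    with_items: "{{ my_id.stdout_lines }}"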


Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905  



> On Sep 30, 2016, at 3:42 AM, Pavel Vomacka <pvomacka at redhat.com> wrote:
> 
> Ah, ok, does /var/log/httpd/error_log contain any error after looking at hosts using GUI? And could you please send output of ipactl status after the error occurs?
> 
> On 09/30/2016 02:40 AM, Jim Richard wrote:
>> Hi Paul, 3.0.0 on Centos 6.8
>> 
>> 
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905  
>> 
>> 
>>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka <pvomacka at redhat.com> wrote:
>>> 
>>> Hello,
>>> 
>>> which version of FreeIPA do you use?
>>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>>> When I try to look at hosts under the hosts tab. ipactl restart or just restarting httpd seems to clear it up for a short period.
>>>> 
>>>> Three replicas in the environment, it only happens when I look at hosts using the GUI at one of the three replicas.
>>>> 
>>>> 
>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>>>> 
>>>> 
>>>> Jim Richard
>>>> SYSTEM ADMINISTRATOR III
>>>> (646) 338-8905  
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> -- 
>>> Pavel^3 Vomacka
>> 
> 
> -- 
> Pavel^3 Vomacka
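
An added example, not part of the original message and not FreeIPA project code: a review step to run before a stop-tracking pass like the playbook above, since certmonger no longer renews a certificate once its request is untracked. It parses `ipa-getcert list` output and reports every request whose status is not MONITORING; the sample listing and its host names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report certmonger requests that are not in the healthy
# MONITORING state. On a real host: ipa-getcert list | getcert_problem_requests

# Reads "ipa-getcert list" output on stdin and prints one line per problem
# request: "<request-id> <status> <subject or - if the entry has none>".
getcert_problem_requests() {
    awk -v q="'" '
        function report() {
            if (id != "" && status != "MONITORING")
                printf "%s %s %s\n", id, status, (subject == "" ? "-" : subject)
        }
        # Each entry starts with a header line holding the id between quotes.
        /^Request ID / {
            report()                      # emit the previous entry, if any
            split($0, parts, q)
            id = parts[2]; status = ""; subject = ""
            next
        }
        /^[ \t]*status:/  { sub(/^[ \t]*status:[ \t]*/, "");  status = $0 }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        END { report() }                  # emit the last entry
    '
}

# Constructed sample in the layout "ipa-getcert list" prints (not real data).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
    status: MONITORING
    stuck: no
    subject: CN=web01.example.test,O=EXAMPLE.TEST
    expires: 2018-01-01 00:00:01 UTC
Request ID '20160101000002':
    status: CA_REJECTED
    stuck: yes
    ca-error: Server denied our request, giving up.
Request ID '20160101000003':
    status: NEED_GUIDANCE
    stuck: yes
    subject: CN=app12.example.test,O=EXAMPLE.TEST
EOF
}

# Demonstration on the constructed sample.
sample_getcert_list | getcert_problem_requests
```

The first column can be reviewed per host and then passed to `ipa-getcert stop-tracking -i`, as the playbook does.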
