[Freeipa-users] Certificate format error reported by GUI

Petr Vobornik pvoborni at redhat.com
Mon Oct 3 08:48:45 UTC 2016


Hi Jim,

I'm glad that the Ansible way helped you.

By any chance, do you have the old httpd error_log at hand?

I think that IPA on RHEL 6 might suffer from an issue that under certain
conditions (unknown) some cert request might put the NSS database into an
incorrect state which then causes IPA framework failures for all cert
operations.

Do you see in error_log a similar sequence to the one described at:
https://www.redhat.com/archives/freeipa-users/2016-September/msg00250.html

Namely:

1. one cert_request causes:
[Thu Sep 15 13:08:23 2016] [error] ipa: DEBUG: response: NetworkError:
cannot connect to 'https://xx.xxx.xxx.xx:443/ca/agent/ca/doRevoke':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.


And then all following cert ops end with:

cert_show(u'15'): NetworkError
[Thu Sep 15 13:08:26 2016] [error] ipa: DEBUG: response: NetworkError:
cannot connect to
'https://xx.xxx.xxx.xxl:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.



On 10/01/2016 09:36 PM, Jim Richard wrote:
> Hi Pavel:
> 
> Yes, my httpd logs were flooded with cert errors from hosts trying to renew 
> bogus certs.
> 
> How 100 or so out of 1000 hosts ended up with certs that were not valid is 
> unknown at this time but using Ansible I cleaned all those up and it looks like 
> I’m in good shape now.
> 
> Here’s the playbook I used to find certs that were problematic and tell 
> certmonger to stop tracking them:
> 
> ---
> - hosts: ipa-hosts
>   gather_facts: False
> 
>   tasks:
> 
>   # Request IDs are taken from the "Request ID '...'" lines of the list output
>   - name: get request id
>     shell: ipa-getcert list -r |gawk -F\' '/Request/ {print $2}'
>     register: my_id
> 
>   #- debug: var=my_id
> 
>   - name: kill bad certs
>     shell: ipa-getcert stop-tracking -i {{ item }}
>     with_items: "{{ my_id.stdout_lines }}"
> 
> 
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905
> PlaceIQ
> 
> 
> 
>> On Sep 30, 2016, at 3:42 AM, Pavel Vomacka <pvomacka at redhat.com 
>> <mailto:pvomacka at redhat.com>> wrote:
>>
>> Ah, ok, does /var/log/httpd/error_log contain any error after looking at hosts 
>> using GUI? And could you please send output of ipactl status after the error 
>> occurs?
>>
>>
>> On 09/30/2016 02:40 AM, Jim Richard wrote:
>>> Hi Paul, 3.0.0 on Centos 6.8
>>>
>>>
>>>
>>>
>>>
>>>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka <pvomacka at redhat.com 
>>>> <mailto:pvomacka at redhat.com>> wrote:
>>>>
>>>> Hello,
>>>>
>>>> which version of FreeIPA do you use?
>>>>
>>>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>>>> When I try to look at hosts under the hosts tab. ipactl restart or just 
>>>>> restarting httpd seems to clear it up for a short period.
>>>>>
>>>>> Three replicas in the environment, it only happens when I look at hosts 
>>>>> using the GUI at one of the three replicas.
>>>>>
>>>>>
>>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
>>>>> database is in an old, unsupported format.
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Pavel^3 Vomacka
>>>
>>
>> -- 
>> Pavel^3 Vomacka
> 
> 
> 


-- 
Petr Vobornik
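The failure sequence Petr describes above (one cert request that dies with SEC_ERROR_BUSY because NSS could not shut down, after which every later cert operation fails with SEC_ERROR_LEGACY_DATABASE) is easy to miss in an error_log flooded with renewal noise like Jim's. The following is an added example, not code from this thread or from FreeIPA: a small scanner that pulls the NSS error codes out of Apache error_log lines and reports whether that trigger-then-cascade pattern is present. It assumes the Apache 2.2 timestamp prefix shown in the quoted lines; the host name `ipa-ca.example.test` and the sample lines are constructed, not taken from a real log.

```python
"""Scan an Apache error_log for the NSS-poisoning sequence from the thread:
a SEC_ERROR_BUSY ("NSS could not shutdown") on one cert operation, followed
by SEC_ERROR_LEGACY_DATABASE failures on every later cert operation.
"""
import re
import sys
from datetime import datetime

# Apache 2.2-style error_log prefix, e.g. "[Thu Sep 15 13:08:23 2016] [error] ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"
    r" \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# NSS error code as the IPA framework prints it: "(SEC_ERROR_BUSY) NSS could not ..."
NSS_CODE_RE = re.compile(r"\((?P<code>SEC_ERROR_[A-Z_]+)\)")
# The CA URL the failing request targeted, quoted in the message.
URL_RE = re.compile(r"cannot connect to '(?P<url>[^']+)'")

TRIGGER_CODE = "SEC_ERROR_BUSY"
FOLLOWUP_CODE = "SEC_ERROR_LEGACY_DATABASE"

# Constructed sample modelled on the lines quoted in the thread (not a real log).
SAMPLE_LOG = [
    "[Thu Sep 15 13:08:21 2016] [error] ipa: INFO: cert_request(): SUCCESS",
    "[Thu Sep 15 13:08:23 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to "
    "'https://ipa-ca.example.test:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.",
    "[Thu Sep 15 13:08:26 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to "
    "'https://ipa-ca.example.test:443/ca/agent/ca/displayBySerial': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.",
    "[Thu Sep 15 13:09:02 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to "
    "'https://ipa-ca.example.test:443/ca/agent/ca/doRevoke': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.",
    "this line has no apache prefix and is ignored",
]


def parse_nss_errors(lines):
    """Return (timestamp, code, url) for every line carrying an NSS error code.
    Lines without the Apache prefix or without a SEC_ERROR_* code are skipped."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        code = NSS_CODE_RE.search(m.group("msg"))
        if not code:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        url = URL_RE.search(m.group("msg"))
        found.append((ts, code.group("code"), url.group("url") if url else None))
    return found


def find_poisoned_nss_sequence(lines):
    """Look for the first SEC_ERROR_BUSY and count the SEC_ERROR_LEGACY_DATABASE
    failures that follow it in file order.  Returns None when no trigger exists."""
    errors = parse_nss_errors(lines)
    idx = next((i for i, e in enumerate(errors) if e[1] == TRIGGER_CODE), None)
    if idx is None:
        return None
    trigger = errors[idx]
    later = [e for e in errors[idx + 1:] if e[1] == FOLLOWUP_CODE]
    return {
        "trigger_time": trigger[0],
        "trigger_url": trigger[2],
        "legacy_db_failures": len(later),
        "failing_urls": sorted({e[2] for e in later if e[2]}),
    }


if __name__ == "__main__":
    # Usage: python nss_scan.py /var/log/httpd/error_log   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_LOG
    report = find_poisoned_nss_sequence(lines)
    if report is None:
        print("no SEC_ERROR_BUSY trigger found")
    else:
        print("NSS database poisoned at %s via %s; %d SEC_ERROR_LEGACY_DATABASE failures followed on %s"
              % (report["trigger_time"], report["trigger_url"],
                 report["legacy_db_failures"], ", ".join(report["failing_urls"])))
```

Run it against the rotated error_log from the time of the GUI error; a report with a trigger time and a non-zero cascade count is the evidence Petr is asking for, and the trigger time tells you which cert request to look at. The thread also gives the only mitigation it knows: an httpd or ipactl restart clears the state until the next bad request.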