[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
Rob Crittenden
rcritten at redhat.com
Wed Sep 7 13:59:17 UTC 2016
Natxo Asenjo wrote:
>
>
> On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Natxo Asenjo wrote:
>
> hi,
>
> using centos 6.8 (server and client), when trying to view some hosts we
> get this error:
>
>
> $ ipa host-find host-1920.sub.domain.tld
> ipa: ERROR: Certificate format error:
> (SEC_ERROR_LEGACY_DATABASE) The
> certificate/key database is in an old, unsupported format.
>
>
> I saw a thread last year about this, but no solution.
>
> Any clues?
>
>
> /var/log/httpd/error_log may contain a traceback
>
>
> This made me take a look at a replica and there I could not replicate
> the error, I got the info I requested.
>
> In the apache error file I saw indeed a traceback:
>
> [Sun Sep 04 03:21:31 2016] [error] ipa: ERROR: non-public:
> XMLSyntaxError: None
> [Sun Sep 04 03:21:31 2016] [error] Traceback (most recent call last):
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> wsgi_execute
> [Sun Sep 04 03:21:31 2016] [error] result =
> self.Command[name](*args, **options)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
> [Sun Sep 04 03:21:31 2016] [error] ret = self.run(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
> [Sun Sep 04 03:21:31 2016] [error] return self.execute(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 362, in
> execute
> [Sun Sep 04 03:21:31 2016] [error] result =
> api.Command['cert_show'](unicode(serial))['result']
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
> [Sun Sep 04 03:21:31 2016] [error] ret = self.run(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
> [Sun Sep 04 03:21:31 2016] [error] return self.execute(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 493, in
> execute
> [Sun Sep 04 03:21:31 2016] [error]
> result=self.Backend.ra.get_certificate(serial_number)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line
> 1489, in get_certificate
> [Sun Sep 04 03:21:31 2016] [error] parse_result =
> self.get_parse_result_xml(http_body, parse_display_cert_xml)
> [Sun Sep 04 03:21:31 2016] [error] File
> "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line
> 1350, in get_parse_result_xml
> [Sun Sep 04 03:21:31 2016] [error] doc = etree.fromstring(xml_text,
> parser)
> [Sun Sep 04 03:21:31 2016] [error] File "lxml.etree.pyx", line 2532,
> in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
> [Sun Sep 04 03:21:31 2016] [error] File "parser.pxi", line 1545, in
> lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
> [Sun Sep 04 03:21:31 2016] [error] File "parser.pxi", line 1424, in
> lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
> [Sun Sep 04 03:21:31 2016] [error] File "parser.pxi", line 938, in
> lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
> [Sun Sep 04 03:21:31 2016] [error] File "parser.pxi", line 539, in
> lxml.etree._ParserContext._handleParseResultDoc
> (src/lxml/lxml.etree.c:63824)
> [Sun Sep 04 03:21:31 2016] [error] File "parser.pxi", line 625, in
> lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
> [Sun Sep 04 03:21:31 2016] [error] File "parser.pxi", line 576, in
> lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64260)
> [Sun Sep 04 03:21:31 2016] [error] XMLSyntaxError: None
>
>
> restarting httpd fixed the issue. Thanks!
>
> Looking into apache never occurred to me, freeipa really is a web
> service although it provides infrastructure services.
Yeah, there are a lot of moving parts, that's for sure.
Makes me wonder if httpd should be restarted as part of the upgrade.
rob