[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Rob Crittenden rcritten at redhat.com
Wed Sep 7 13:59:17 UTC 2016 

Natxo Asenjo wrote:
>
>
> On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     Natxo Asenjo wrote:
>
>         hi,
>
>         using centos 6.8 (server and client), when trying to view some
>         hosts we
>         get this error:
>
>
>         $ ipa host-find host-1920.sub.domain.tld
>         ipa: ERROR: Certificate format error:
>         (SEC_ERROR_LEGACY_DATABASE) The
>         certificate/key database is in an old, unsupported format.
>
>
>         I saw a thread last year about this, but no solution.
>
>         Any clues?
>
>
>     /var/log/httpd/error_log may contain a traceback
>
>
> This made me take a look at a replica and there I could not replicate
> the error, I got the info I requested.
>
> In the apache error file I saw indeed a traceback:
>
>   [Sun Sep 04 03:21:31 2016] [error] ipa: ERROR: non-public:
> XMLSyntaxError: None
> [Sun Sep 04 03:21:31 2016] [error] Traceback (most recent call last):
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
> wsgi_execute
> [Sun Sep 04 03:21:31 2016] [error]     result =
> self.Command[name](*args, **options)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
> [Sun Sep 04 03:21:31 2016] [error]     ret = self.run(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
> [Sun Sep 04 03:21:31 2016] [error]     return self.execute(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 362, in
> execute
> [Sun Sep 04 03:21:31 2016] [error]     result =
> api.Command['cert_show'](unicode(serial))['result']
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
> [Sun Sep 04 03:21:31 2016] [error]     ret = self.run(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
> [Sun Sep 04 03:21:31 2016] [error]     return self.execute(*args, **options)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 493, in
> execute
> [Sun Sep 04 03:21:31 2016] [error]
> result=self.Backend.ra.get_certificate(serial_number)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line
> 1489, in get_certificate
> [Sun Sep 04 03:21:31 2016] [error]     parse_result =
> self.get_parse_result_xml(http_body, parse_display_cert_xml)
> [Sun Sep 04 03:21:31 2016] [error]   File
> "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line
> 1350, in get_parse_result_xml
> [Sun Sep 04 03:21:31 2016] [error]     doc = etree.fromstring(xml_text,
> parser)
> [Sun Sep 04 03:21:31 2016] [error]   File "lxml.etree.pyx", line 2532,
> in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
> [Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1545, in
> lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
> [Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1424, in
> lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
> [Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 938, in
> lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
> [Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 539, in
> lxml.etree._ParserContext._handleParseResultDoc
> (src/lxml/lxml.etree.c:63824)
> [Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 625, in
> lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
> [Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 576, in
> lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64260)
> [Sun Sep 04 03:21:31 2016] [error] XMLSyntaxError: None
>
>
> restarting httpd fixed the issue. Thanks!
>
> Looking into apache never occurred to me, freeipa really is a web
> service although it provides infrastructure services.

Yeah, there are a lot of moving parts, that's for sure.

Makes me wonder if httpd should be restarted as part of the upgrade.

rob

More information about the Freeipa-users mailing list