[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Natxo Asenjo natxo.asenjo at gmail.com
Mon Sep 12 07:09:59 UTC 2016


hi,

I can reproduce this every time. Restarting httpd fixes it for a while, but
then it stops working:

$ ipa cert-show 1
ipa: ERROR: cannot connect to '
https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.
[jose.admin at kdc01 ~]$ sudo /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[jose.admin at kdc01 ~]$ ipa cert-show 1
  Certificate:
  Subject: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
  Issuer: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
  Not Before: Wed Nov 07 21:24:15 2012 UTC
  Not After: Sat Nov 07 21:24:15 2020 UTC
  Fingerprint (MD5): 28:18:34:9d:03:99:b8:ff:2b:bd:55:0a:65:bf:d4:f2
  Fingerprint (SHA1):
6f:e1:a4:4f:47:ec:9c:c4:ad:b9:b9:fc:e8:f4:33:4b:0a:cb:43:3e
  Serial number (hex): 0x1
  Serial number: 1

And a few minutes later (5, maximum 10), then I get the
SEC_ERROR_LEGACY_DATABASE error. No traceback in /var/log/httpd/error_log.

This is the first CA domain controller.

I am leaving this job in a few weeks, so I would like to leave everything
working properly. Would it be better to upgrade the domain controllers to
CentOS 7 (right now they are running CentOS 6.8, fully patched)?

Thanks for your input.

-- 
regards,
natxo



On Thu, Sep 8, 2016 at 6:30 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:

>
>
> On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Natxo Asenjo wrote:
>>
>>> I do see these errors:
>>> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
>>> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>>> all=False, raw=False, version=u'2.49', no_members=False,
>>> pkey_only=False): CertificateFormatError
>>> [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
>>> [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>>> all=False, raw=False, version=u'2.49', no_members=False,
>>> pkey_only=False): CertificateFormatError
>>> [Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS
>>> [Wed Sep 07 15:57:58 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>>> all=False, raw=False, version=u'2.49', no_members=False,
>>> pkey_only=False): CertificateFormatErro
>>>
>>>
>>> On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo <natxo.asenjo at gmail.com
>>> <mailto:natxo.asenjo at gmail.com>> wrote:
>>>
>>>
>>>     alas, not working again.
>>>
>>>     On the one kdc
>>>
>>>     $ ipa host-find tftp-1801
>>>     ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE)
>>>     The certificate/key database is in an old, unsupported format.
>>>
>>>     On the other:
>>>
>>>     $ ipa host-find tftp-1801
>>>     --------------
>>>     1 host matched
>>>     --------------
>>>        Host name: tftp-1801.sub.domain.tld
>>>     .....
>>>
>>>     After rebooting the kdc with the error, no new tracebacks in the
>>>     error_log
>>>
>>
>> No new tracebacks but still not working?
>>
>> The CertificateFormatError is the server logging the equivalent of what
>> you're seeing in the client.
>>
>> rob
>>
>
>
> that's right.
>
> Is there anything else I can look at?
>
>
> --
> --
> Groeten,
> natxo
>



-- 
--
Groeten,
natxo
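Added check, not part of the thread and not FreeIPA's own tooling: the error quoted above names the NSS "legacy database" format, and a first thing to establish on an affected server is which NSS store layout the httpd certificate directory actually contains. The script below reports that for a directory given on the command line. It assumes the usual NSS file names (legacy "dbm" stores use cert8.db/key3.db, the newer "sql" stores use cert9.db/key4.db, and sql files begin with the SQLite 3 header); the default path /etc/httpd/alias is an assumption about where IPA keeps httpd's NSS database on these releases. It only reports; it changes nothing.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Classify an NSS database directory by the files it holds:
#   dbm   - legacy Berkeley DB layout (cert8.db / key3.db)   [assumption]
#   sql   - SQLite layout (cert9.db / key4.db)               [assumption]
#   mixed - both layouts present, which is worth a closer look
#   none  - neither layout found

nss_db_format() {
    dir="$1"
    fmt="none"
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then
        fmt="dbm"
    fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then
        if [ "$fmt" = "dbm" ]; then
            fmt="mixed"
        else
            fmt="sql"
        fi
    fi
    echo "$fmt"
}

# An sql-format NSS file is an SQLite 3 database, so its first 15 bytes
# should read "SQLite format 3" (followed by a NUL). Returns 0 if so.
is_sqlite_file() {
    magic=$(dd if="$1" bs=15 count=1 2>/dev/null)
    [ "$magic" = "SQLite format 3" ]
}

# Print the layout and flag sql-format files that lack the SQLite header.
nss_db_report() {
    dir="$1"
    fmt=$(nss_db_format "$dir")
    echo "$dir: $fmt"
    for f in cert9.db key4.db; do
        if [ -f "$dir/$f" ] && ! is_sqlite_file "$dir/$f"; then
            echo "  warning: $f present but does not carry an SQLite header"
        fi
    done
}

# Usage: nss-db-format.sh [directory]
# /etc/httpd/alias is an assumed default for IPA's httpd NSS database.
if [ $# -gt 0 ]; then
    nss_db_report "${1:-/etc/httpd/alias}"
fi
```

Run it against the httpd NSS directory on both KDCs and compare the output; a "mixed" result, or a cert9.db without the SQLite header, is the kind of discrepancy to raise with the list along with the NSS package versions on each host.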