[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Rob Crittenden rcritten at redhat.com
Mon Sep 12 19:48:06 UTC 2016


Natxo Asenjo wrote:
> hi,
>
> I can reproduce this every time. Restarting httpd fixes it for a while,
> but then it stops working:
>
> $ ipa cert-show 1
> ipa: ERROR: cannot connect to
> 'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
> unsupported format.

It is very strange that it goes from a working to a non-working state.

I have only two suggestions:

1. Create /etc/ipa/server.conf with a [global] section and debug=True in 
it, restart httpd. Your log will be quite a bit more verbose but given 
it reproduces so quickly hopefully won't be too big a deal. That might 
show something.

2. Try brute force with strace. Finding the right httpd process to 
strace can be frustrating but usually there are only 8 and they rotate 
so eventually you should get the right one.

rob

> [jose.admin at kdc01 ~]$ sudo /etc/init.d/httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd:                                            [  OK  ]
> [jose.admin at kdc01 ~]$ ipa cert-show 1
>    Certificate:
>    Subject: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
>    Issuer: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
>    Not Before: Wed Nov 07 21:24:15 2012 UTC
>    Not After: Sat Nov 07 21:24:15 2020 UTC
>    Fingerprint (MD5): 28:18:34:9d:03:99:b8:ff:2b:bd:55:0a:65:bf:d4:f2
>    Fingerprint (SHA1):
> 6f:e1:a4:4f:47:ec:9c:c4:ad:b9:b9:fc:e8:f4:33:4b:0a:cb:43:3e
>    Serial number (hex): 0x1
>    Serial number: 1
>
> And a few minutes later (5, maximum 10), then I get the
> SEC_ERROR_LEGACY_DATABASE error. No traceback in /var/log/httpd/error_log.
>
> This is the first CA domain controller.
>
> I am leaving this job in a few weeks, so I would like to leave
> everything working properly. Would it be better to upgrade the domain
> controllers to centos 7 (right now running centos 6.8, fully patched).
>
> Thanks for your input.
>
> --
> regards,
> natxo
>
>
>
> On Thu, Sep 8, 2016 at 6:30 PM, Natxo Asenjo <natxo.asenjo at gmail.com
> <mailto:natxo.asenjo at gmail.com>> wrote:
>
>
>
>     On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden <rcritten at redhat.com
>     <mailto:rcritten at redhat.com>> wrote:
>
>         Natxo Asenjo wrote:
>
>             I do see these errors:
>             [Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
>             [Wed Sep 07 15:56:13 2016] [error] ipa: INFO: :
>             host_find(u'tftp-1801',
>             all=False, raw=False, version=u'2.49', no_members=False,
>             pkey_only=False): CertificateFormatError
>             [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
>             [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: :
>             host_find(u'tftp-1801',
>             all=False, raw=False, version=u'2.49', no_members=False,
>             pkey_only=False): CertificateFormatError
>             [Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS
>             [Wed Sep 07 15:57:58 2016] [error] ipa: INFO: :
>             host_find(u'tftp-1801',
>             all=False, raw=False, version=u'2.49', no_members=False,
>             pkey_only=False): CertificateFormatErro
>
>
>             On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo
>             <natxo.asenjo at gmail.com <mailto:natxo.asenjo at gmail.com>
>             <mailto:natxo.asenjo at gmail.com
>             <mailto:natxo.asenjo at gmail.com>>> wrote:
>
>
>                  alas, not working again.
>
>                  On the one kdc
>
>                  $ ipa host-find tftp-1801
>                  ipa: ERROR: Certificate format error:
>             (SEC_ERROR_LEGACY_DATABASE)
>                  The certificate/key database is in an old, unsupported
>             format.
>
>                  On the other:
>
>                  $ ipa host-find tftp-1801
>                  --------------
>                  1 host matched
>                  --------------
>                     Host name: tftp-1801.sub.domain.tld
>                  .....
>
>                  After rebooting the kdc with the error, no new
>             tracebacks in the
>                  error_log
>
>
>         No new tracebacks but still not working?
>
>         The CertificateFormatError is the server logging the equivalent
>         of what you're seeing in the client.
>
>         rob
>
>
>
>     that's right.
>
>     Is there anything else I can look at?
>
>
>     --
>     Regards,
>     natxo
>
>
>
>
> --
> Regards,
> natxo
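The two diagnostic steps Rob suggests (switch on IPA server-side debug logging, then strace the httpd workers) as an added shell example; this is not code from the thread or from FreeIPA. It assumes the CentOS 6 layout in which the IPA server config is /etc/ipa/server.conf and the httpd NSS database (cert8.db/key3.db/secmod.db, the format SEC_ERROR_LEGACY_DATABASE complains about) lives in /etc/httpd/alias; both paths are parameters, and pgrep/strace are assumed to be installed.

```shell
#!/bin/sh
# Added example for the two suggestions in Rob's reply; not part of the thread.
# Assumed paths: /etc/ipa/server.conf and /etc/httpd/alias (CentOS 6 layout).

# Step 1: enable "debug=True" in the [global] section of server.conf.
# Creates the file if missing; otherwise adds the key once, directly under
# [global], so repeated calls do not duplicate it. Restart httpd afterwards.
write_ipa_debug_conf() {
    conf="${1:-/etc/ipa/server.conf}"
    if [ ! -f "$conf" ]; then
        printf '[global]\ndebug=True\n' > "$conf"
        return 0
    fi
    # already enabled: nothing to do
    grep -q '^debug *= *True' "$conf" && return 0
    if grep -q '^\[global\]' "$conf"; then
        # insert the key right after the first [global] header
        awk '{ print } /^\[global\]/ && !done { print "debug=True"; done = 1 }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '[global]\ndebug=True\n' >> "$conf"
    fi
}

# Step 2: instead of guessing which of the ~8 httpd workers serves the failing
# request, attach strace to all of them at once and keep only the file-access
# syscalls that touch the NSS database directory. The last open()/stat() of a
# cert8.db/key3.db/secmod.db before the error is the file NSS rejected.
trace_httpd_nss_opens() {
    alias_dir="${1:-/etc/httpd/alias}"
    pids=$(pgrep -x httpd | sed 's/^/-p /' | tr '\n' ' ')
    [ -n "$pids" ] || { echo "no httpd processes found" >&2; return 1; }
    # -f follows threads/children, -tt timestamps each line for correlation
    # with the [error] lines in /var/log/httpd/error_log
    strace -f -tt -e trace=open,openat,stat $pids 2>&1 \
        | grep --line-buffered "$alias_dir"
}

# Usage (as root):
#   write_ipa_debug_conf && service httpd restart
#   trace_httpd_nss_opens          # then run "ipa cert-show 1" from a client
```

Run the trace in one terminal and reproduce the failure with `ipa cert-show 1` in another; the strace output then shows which database file httpd opened immediately before returning CertificateFormatError.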



