[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Rob Crittenden rcritten at redhat.com
Tue Sep 13 15:26:25 UTC 2016


Natxo Asenjo wrote:
> hi,
>
>
> On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Natxo Asenjo wrote:
>
>         hi,
>
>         I can reproduce this every time. Restarting httpd fixes it for a
>         while, but then it stops working:
>
>         $ ipa cert-show 1
>         ipa: ERROR: cannot connect to
>         'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
>         (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in
>         an old,
>         unsupported format.
>
>
>     It is very strange that it goes from a working to a non-working state.
>
>     I have only two suggestions:
>
>     1. Create /etc/ipa/server.conf with a [global] section and
>     debug=True in it, restart httpd. Your log will be quite a bit more
>     verbose but given it reproduces so quickly hopefully won't be too
>     big a deal. That might show something.
>
>     2. Try brute force with strace. Finding the right httpd process to
>     strace can be frustrating but usually there are only 8 and they
>     rotate so eventually you should get the right one.
>
>
> Could I send you the log files privately?

Sure.

rob
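
The two diagnostic steps suggested in the quoted message, as an added shell example that is not part of the original thread. The function names, the strace options chosen, and the /var/tmp output prefix are assumptions; only /etc/ipa/server.conf, the [global] section, debug=True and the httpd process name come from the message.

```shell
# Added example, not from the thread. Run as root on the IPA server.

# Suggestion 1: create the debug config. The destination is a parameter
# (defaulting to the path named in the message) so it can be tried on a
# scratch file first. An existing file is never overwritten.
write_ipa_debug_conf() {
    dest=${1:-/etc/ipa/server.conf}
    if [ -e "$dest" ]; then
        echo "$dest exists; add debug=True under [global] by hand" >&2
        return 1
    fi
    printf '[global]\ndebug=True\n' > "$dest"
}

# Suggestion 2: instead of guessing which httpd worker will serve the
# request, build strace arguments that attach to all of them at once.
#   -f / -ff  follow children and write one output file per PID
#   -tt       wall-clock timestamps, to line up with the httpd error log
strace_attach_args() {
    prefix=$1
    shift
    args="-f -ff -tt -o $prefix"
    for pid in "$@"; do
        case $pid in
            ''|*[!0-9]*) continue ;;   # ignore anything that is not a PID
        esac
        args="$args -p $pid"
    done
    printf '%s\n' "$args"
}

# Typical use (assumed commands, nothing here runs automatically):
#   write_ipa_debug_conf && systemctl restart httpd
#   strace $(strace_attach_args /var/tmp/httpd.strace $(pgrep -x httpd))
#   ...reproduce with `ipa cert-show 1`, press Ctrl-C, then inspect the
#   /var/tmp/httpd.strace.<PID> file whose timestamps match the failure.
```

Remove the debug setting and the trace files once the failure has been captured, since both can record request details.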



