[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
Ben Lipton
blipton at redhat.com
Wed Sep 14 12:45:55 UTC 2016
This may be resolved already, but just in case it's helpful:
On 09/13/2016 11:26 AM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>> hi,
>>
>>
>> On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Natxo Asenjo wrote:
>>
>> hi,
>>
>> I can reproduce this every time. Restarting httpd fixes it for a
>> while,
>> but then it stops working:
>>
>> $ ipa cert-show 1
>> ipa: ERROR: cannot connect to
>> 'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in
>> an old,
>> unsupported format.
>>
>>
>> It is very strange that it goes from a working to a non-working
>> state.
>>
>> I have only two suggestions:
>>
>> 1. Create /etc/ipa/server.conf with a [global] section and
>> debug=True in it, restart httpd. Your log will be quite a bit more
>> verbose but given it reproduces so quickly hopefully won't be too
>> big a deal. That might show something.
+1 to this. With debug=True there should be tracebacks for your
CertificateFormatErrors.
>>
>> 2. Try brute force with strace. Finding the right httpd process to
>> strace can be frustrating but usually there are only 8 and they
>> rotate so eventually you should get the right one.
>>
>>
>> Could I send you the log files privately?
>
> Sure.
>
> rob
>
One other note - this could be a permissions issue. NSS seems to produce
this confusing error message when it can't access the database, even if
the format of the database is actually fine.
$ sudo chown root:root /tmp/certs
$ certutil -N -d /tmp/certs
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
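
A quick way to test the permissions theory above before suspecting the database format, as an added example that is not part of the original message. The function name nss_db_access_check is hypothetical; the file names are the standard NSS database files (cert8.db/key3.db/secmod.db for the legacy DBM format, cert9.db/key4.db/pkcs11.txt for the SQLite format).

```shell
#!/bin/sh
# Added example (not from the original thread): report which part of an NSS
# database directory the *calling* user cannot access.
# Return value: 0 = accessible, 1 = permission problem,
#               2 = directory missing or no database files in it.

nss_db_access_check() {
    dir=$1
    result=0

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir is not a directory"
        return 2
    fi

    # NSS has to traverse and list the directory. It also needs write access
    # when creating a database (certutil -N) or opening one read-write.
    [ -x "$dir" ] || { echo "DENIED   cannot traverse $dir"; result=1; }
    [ -r "$dir" ] || { echo "DENIED   cannot list $dir"; result=1; }
    [ -w "$dir" ] || echo "NOTE     $dir is not writable by this user"

    found=0
    # Legacy DBM files first, then the SQLite-format files.
    for f in cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt; do
        [ -e "$dir/$f" ] || continue
        found=1
        if [ -r "$dir/$f" ]; then
            echo "OK       $dir/$f"
        else
            echo "DENIED   cannot read $dir/$f"
            ls -ln "$dir/$f"    # show numeric owner, group and mode
            result=1
        fi
    done

    if [ "$result" -eq 0 ] && [ "$found" -eq 0 ]; then
        echo "EMPTY    no NSS database files in $dir"
        return 2
    fi
    return "$result"
}

# When a directory is given on the command line, check it.
if [ $# -gt 0 ]; then
    nss_db_access_check "$1"
fi
```

The checks use the identity of whoever runs the script, so run it as the account that sees the error, for example against the /tmp/certs directory shown above.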