[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
Natxo Asenjo
natxo.asenjo at gmail.com
Thu Sep 15 11:09:51 UTC 2016
On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton <blipton at redhat.com> wrote:
>
> On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
>
> Hi Ben,
>
> On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blipton at redhat.com> wrote:
>
> One other note - this could be a permissions issue. NSS seems to produce
>> this confusing error message when it can't access the database, even if the
>> format of the database is actually fine.
>>
>> $ sudo chown root:root /tmp/certs
>> $ certutil -N -d /tmp/certs
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>>
>
> Thanks for the tip. What directory should I check? I have checked:
>
>
> [root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0 secmod.db.orig
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0 key3.db.orig
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0 cert8.db.orig
> -rw-------. root root unconfined_u:object_r:cert_t:s0 install.log
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 secmod.db
> -r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc.orig
> -r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc
> lrwxrwxrwx. root root system_u:object_r:cert_t:s0 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 key3.db
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 cert8.db
>
> [root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/httpd/alias/
>
>
> Those seem ok.
> --
> Groeten,
> natxo
>
>
> The other one I know about is:
> # ls -ltrZ /etc/ipa/nssdb
> total 80
> -rw-------. 1 root root unconfined_u:object_r:cert_t:s0 40 Aug 22 13:13 pwdfile.txt
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 secmod.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 key3.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 13:13 cert8.db
> # ls -ltrdZ /etc/ipa/nssdb
> drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 /etc/ipa/nssdb
>
> I still don't have any good ideas for why it would work for 5 minutes and
> then give an error. If you manage to get a traceback for the
> CertificateFormatError by enabling debug logging, that could be very
> helpful.
>
I do not have that directory (CentOS 6.8):
ls -ltrZ /etc/ipa/
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 default.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 ca.crt
drwxr-xr-x. root root system_u:object_r:etc_t:s0 html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 server.conf.bak
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 server.conf
I have enabled debugging:
$ cat /etc/ipa/server.conf
[global]
debug = True
Could I send you the logs privately?
--
Groeten,
natxo
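
The permissions hypothesis raised in this thread can be checked from file mode bits without switching users. The following is an added example, not part of the original messages or of FreeIPA: the function names are hypothetical, it assumes the legacy cert8.db/key3.db/secmod.db layout shown in the listings above, and it looks only at classic owner/group/other bits (not POSIX ACLs, SELinux labels or parent directories).

```python
import os
import stat

# Legacy (dbm-format) NSS database files, as listed in the thread.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")


def _allowed(st, uid, gids, want):
    """True if the mode bits grant `want` (given as an 'other'-class mask)."""
    if uid == 0:                      # root bypasses mode-bit checks
        return True
    if uid == st.st_uid:
        shift = 6                     # owner class applies, and only that class
    elif st.st_gid in gids:
        shift = 3                     # group class
    else:
        shift = 0                     # other class
    return (st.st_mode >> shift) & want == want


def nssdb_access_problems(dbdir, uid, gids):
    """List reasons why a process with uid/gids could not read the NSS db."""
    try:
        dst = os.stat(dbdir)
    except OSError as exc:
        return [f"{dbdir}: {exc.strerror}"]
    if not stat.S_ISDIR(dst.st_mode):
        return [f"{dbdir}: not a directory"]
    problems = []
    if not _allowed(dst, uid, gids, stat.S_IXOTH):
        problems.append(f"{dbdir}: directory not searchable")
    for name in NSS_DB_FILES:
        path = os.path.join(dbdir, name)
        try:
            fst = os.stat(path)
        except OSError as exc:
            problems.append(f"{path}: {exc.strerror}")
            continue
        if not _allowed(fst, uid, gids, stat.S_IROTH):
            problems.append(f"{path}: not readable")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: script.py DBDIR UID GID[,GID...]   (numeric ids of the service user)
    d, u, g = sys.argv[1], int(sys.argv[2]), {int(x) for x in sys.argv[3].split(",")}
    print("\n".join(nssdb_access_problems(d, u, g)) or "mode bits look fine")
```

Run it as root so every file can be stat'ed, passing the numeric uid and group ids of the account the web server runs as.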