[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 15 11:09:51 UTC 2016 

On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton <blipton at redhat.com> wrote:

>
> On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
>
> Hi Ben,
>
> On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blipton at redhat.com> wrote:
>
> One other note - this could be a permissions issue. NSS seems to produce
>> this confusing error message when it can't access the database, even if the
>> format of the database is actually fine.
>>
>> $ sudo chown root:root /tmp/certs
>> $ certutil -N -d /tmp/certs
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
>> database is in an old, unsupported format.
>>
>
> Thanks for the tip. What directory should I check? I have checked:
>
>
> [root at kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0  secmod.db.orig
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0  key3.db.orig
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0  cert8.db.orig
> -rw-------. root root   unconfined_u:object_r:cert_t:s0  install.log
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  pwdfile.txt
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  secmod.db
> -r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc.orig
> -r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc
> lrwxrwxrwx. root root   system_u:object_r:cert_t:s0      libnssckbi.so ->
> ../../..//usr/lib/libnssckbi.so
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  key3.db
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  cert8.db
>
> [root at kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
> drwxr-xr-x. root root system_u:object_r:cert_t:s0      /etc/httpd/alias/
>
>
> Those seem ok.
> --
> Groeten,
> natxo
>
>
> The other one I know about is:
> # ls -ltrZ /etc/ipa/nssdb
> total 80
> -rw-------. 1 root root unconfined_u:object_r:cert_t:s0    40 Aug 22
> 13:13 pwdfile.txt
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22
> 13:13 secmod.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22
> 13:13 key3.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22
> 13:13 cert8.db
> # ls -ltrdZ /etc/ipa/nssdb
> drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08
> /etc/ipa/nssdb
>
> I still don't have any good ideas for why it would work for 5 minutes and
> then give an error. If you manage to get a traceback for the
> CertificateFormatError by enabling debug logging, that could be very
> helpful.
>

I do not have that directory (centos 6.8):

 ls -ltrZ /etc/ipa/
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   default.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   ca.crt
drwxr-xr-x. root root system_u:object_r:etc_t:s0       html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   server.conf.bak
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   server.conf


I have enabled debugging:

$ cat /etc/ipa/server.conf
[global]
debug = True

Could I send you the logs privately?


-- 
--
Groeten,
natxo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160915/a481ce1e/attachment.htm>

More information about the Freeipa-users mailing list