[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 15 12:25:51 UTC 2016


hi,

attached error_log

On Thu, Sep 15, 2016 at 1:09 PM, Natxo Asenjo <natxo.asenjo at gmail.com>
wrote:

>
>
> On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton <blipton at redhat.com> wrote:
>
>>
>> On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
>>
>> Hi Ben,
>>
>> On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blipton at redhat.com> wrote:
>>
>> One other note - this could be a permissions issue. NSS seems to produce
>>> this confusing error message when it can't access the database, even if the
>>> format of the database is actually fine.
>>>
>>> $ sudo chown root:root /tmp/certs
>>> $ certutil -N -d /tmp/certs
>>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>>>
>>
>> Thanks for the tip. What directory should I check? I have checked:
>>
>>
>> [root at kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
>> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0  secmod.db.orig
>> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0  key3.db.orig
>> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0  cert8.db.orig
>> -rw-------. root root   unconfined_u:object_r:cert_t:s0  install.log
>> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  pwdfile.txt
>> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  secmod.db
>> -r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc.orig
>> -r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc
>> lrwxrwxrwx. root root   system_u:object_r:cert_t:s0      libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
>> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  key3.db
>> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0  cert8.db
>>
>> [root at kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0      /etc/httpd/alias/
>>
>>
>> Those seem ok.
>> --
>> Groeten,
>> natxo
>>
>>
>> The other one I know about is:
>> # ls -ltrZ /etc/ipa/nssdb
>> total 80
>> -rw-------. 1 root root unconfined_u:object_r:cert_t:s0    40 Aug 22 13:13 pwdfile.txt
>> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 secmod.db
>> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 key3.db
>> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 13:13 cert8.db
>> # ls -ltrdZ /etc/ipa/nssdb
>> drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 /etc/ipa/nssdb
>>
>> I still don't have any good ideas for why it would work for 5 minutes and
>> then give an error. If you manage to get a traceback for the
>> CertificateFormatError by enabling debug logging, that could be very
>> helpful.
>>
>
> I do not have that directory (centos 6.8):
>
>  ls -ltrZ /etc/ipa/
> -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   default.conf
> -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   ca.crt
> drwxr-xr-x. root root system_u:object_r:etc_t:s0       html
> -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   server.conf.bak
> -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   server.conf
>
>
> I have enabled debugging:
>
> $ cat /etc/ipa/server.conf
> [global]
> debug = True
>
> Could I send you the logs privately?
>
>
> --
> --
> Groeten,
> natxo
>



-- 
--
Groeten,
natxo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 473585 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160915/f6323482/attachment.obj>
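
Added example, not part of the original thread: a POSIX shell check for the situation Ben describes above, where NSS reports SEC_ERROR_LEGACY_DATABASE because the calling account cannot access the database rather than because the format is wrong. The function name `nssdb_access_check` is hypothetical; run the script as the account that actually opens the database (for example the web server user), since root passes every access test.

```sh
#!/bin/sh
# Added example: report whether the current user can use an NSS database
# directory. Returns 0 when the directory can be traversed and every
# database file present is readable, non-zero otherwise.
nssdb_access_check() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "FAIL not a directory: $dir"
        return 1
    fi
    # Search (x) permission is needed to open any file in the directory.
    [ -x "$dir" ] || { echo "FAIL cannot traverse $dir"; problems=$((problems + 1)); }
    # Write permission only matters when creating a database (certutil -N).
    [ -w "$dir" ] || echo "WARN cannot create files in $dir (certutil -N would fail)"
    seen=0
    # cert8.db/key3.db/secmod.db are the legacy dbm files shown in the thread;
    # cert9.db/key4.db/pkcs11.txt are the newer sql-format equivalents.
    for f in cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt; do
        [ -e "$dir/$f" ] || continue
        seen=$((seen + 1))
        if [ -r "$dir/$f" ]; then
            echo "OK   readable: $f"
        else
            echo "FAIL unreadable: $f"
            problems=$((problems + 1))
        fi
    done
    [ "$seen" -gt 0 ] || echo "WARN no NSS database files visible in $dir"
    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh nssdb_check.sh /etc/httpd/alias
if [ "$#" -gt 0 ]; then
    nssdb_access_check "$1"
fi
```

If every line is OK and the error persists, the SELinux context and the ownership shown by `ls -ltrZ` are the next things to compare against the listings above.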

