[Freeipa-users] Replica created with expired certs
Rob Crittenden
rcritten at redhat.com
Thu Sep 29 12:11:11 UTC 2016
Natxo Asenjo wrote:
> hi Jim,
>
> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrichard at placeiq.com
> <mailto:jrichard at placeiq.com>> wrote:
>
> Thanks Rob, that worked.
>
> Still on the subject of certs, any idea how to solve this error:
>
> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
> certificate/key database is in an old, unsupported format.
>
> I see that in the gui when querying hosts as well as from cli when I
> ipa-show or ipa-find
>
>
> I have had this too, and we did not find a solution (search my recent
> posts on the archives). As a workaround I have created replicas and
> decommissioned the older replicas.

On the one hand I'm glad this fixed it for you. On the other it is a
rather unsatisfying answer. Unfortunately NSS doesn't always provide the
most context with its error messages. This error is usually seen when
one tries to open a non-existent database, which in this case is a very
strange thing, especially since it goes from working to non-working in
the same apache process over a few minutes.

I'm not sure how I'd troubleshoot this if it were easily reproducible. I
suspect we'd need to figure out which database cannot be found (most
likely /etc/httpd/alias) and go from there. An strace is a brute-force
way to see the file open but finding the right process to attach to is a
bit of an art.

rob
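
Editor's added example (not part of the original post, and not FreeIPA or NSS code): one way to narrow the strace output mentioned above to failed opens of NSS database files. It assumes the /etc/httpd/alias directory named in the reply as the default, uses NSS's standard dbm and sql database file names, and the trace lines are constructed for illustration.

```shell
#!/bin/sh
# nss_open_failures [DBDIR] < strace-output
# Prints "ERRNO PATH" once for each failed open()/openat() of an NSS
# database file directly under DBDIR (default: /etc/httpd/alias).
nss_open_failures() {
    awk -v dir="${1:-/etc/httpd/alias}" '
        BEGIN { sub(/\/+$/, "", dir); dir = dir "/" }
        # Only open()/openat() calls that returned -1 are of interest.
        /open(at)?\(/ && / = -1 E/ {
            # The path is the first double-quoted string on the line.
            if (!match($0, /"[^"]*"/)) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(path, dir) != 1) next
            file = substr(path, length(dir) + 1)
            # dbm-format (cert8/key3/secmod) and sql-format (cert9/key4/pkcs11.txt) names.
            if (file !~ /^(cert8\.db|key3\.db|secmod\.db|cert9\.db|key4\.db|pkcs11\.txt)$/) next
            # The errno name is the word that follows "= -1".
            errno = $0
            sub(/.* = -1 /, "", errno)
            sub(/ .*/, "", errno)
            key = errno " " path
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample in the style of `strace -f -e trace=open,openat -p PID`.
sample_strace() {
    cat <<'EOF'
[pid  2101] open("/etc/httpd/alias/cert8.db", O_RDONLY) = 7
[pid  2101] open("/etc/httpd/alias/key3.db", O_RDONLY) = -1 EACCES (Permission denied)
[pid  2103] openat(AT_FDCWD, "/etc/httpd/alias/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2103] openat(AT_FDCWD, "/etc/httpd/alias/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2103] open("/etc/httpd/conf.d/missing.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Stand-alone run over the constructed sample.
sample_strace | nss_open_failures
```

ENOENT points at a database file that is missing from the directory, while EACCES points at ownership, mode or SELinux labelling of a file that is present.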