[Freeipa-users] New install, unsupported format?

Standa Laznicka slaznick at redhat.com
Fri Feb 24 07:31:43 UTC 2017


Hello,
I don't quite understand your situation - has the error happened during 
an addition of the host to the "ipaservers" group or during replica 
installation?

Certutil is a wonderful piece of software that returns 
"(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I 
have never seen an actual legacy database. Usually, this error means 
that the directory you're pointing the certutil tool to either does not 
exist or you don't have the permissions to read/write in this exact 
directory.

Cheers,
Standa

P.S.: I might have sent you this email twice because I am a bad person 
when it comes to the "Send" button, please reply to the email which has 
"freeipa-users" in CC :)

On 02/23/2017 10:38 PM, Steve Huston wrote:
> I already had to do that previously to get other things to work; I had
> solved it by changing line 582 of
> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
> "::1" to "localhost" before installing the server.  I did do this on
> the to-be-promoted client as well, to no avail.
>
> On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Steve Huston wrote:
>>> Next stage of my testing was to make a replica of the FreeIPA server,
>>> and I started by doing a 'yum install ipa-server' and then moved on to
>>> adding the host to the ipaservers group.  This fails every time
>>> however, with the error:
>>>
>>> ipa: ERROR: cannot connect to
>>> 'https://ipa.astro.princeton.edu/ipa/json':
>>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
>>> unsupported format.
>>>
>>> Searches on this seem to turn up things like expired certificates, or
>>> "reboot httpd" (I went ahead and rebooted the whole ipa server), but
>>> nothing concrete.  Suggestions?  Everything (server and soon-to-be
>>> replica) running RHEL7.3 with all updates.
>>>
>> See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9
>>
>> rob
>
>
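
The checks Standa describes (does the directory exist, and can the current user read and write it), as an added shell example that is not part of the original thread. The function name `nssdb_diagnose` and its status words are made up for illustration; the database directory is passed as an argument, and the file names tested are the standard NSS ones (`cert8.db`/`key3.db` for the DBM format, `cert9.db`/`key4.db` for the SQLite format).

```shell
#!/bin/sh
# Added example: classify why an NSS tool might fail to open a database
# directory. Prints one status word; returns 0 only if a database is usable.
# Run it as the same user that saw the error: -r/-w/-x test that user's access.
nssdb_diagnose() {
    dir=$1
    if [ ! -e "$dir" ]; then
        echo "missing"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not-a-directory"; return 1
    fi
    # Read and traverse permission are both needed to open files inside.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "unreadable"; return 1
    fi
    # Identify the on-disk format by the standard NSS file names.
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        fmt=sql; files="cert9.db key4.db"
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        fmt=dbm; files="cert8.db key3.db"
    else
        echo "no-database"; return 1
    fi
    for f in $files; do
        if [ ! -r "$dir/$f" ]; then
            echo "unreadable-file:$f"; return 1
        fi
    done
    # Listing certificates works without write access; modifying does not.
    if [ ! -w "$dir" ]; then
        echo "$fmt-read-only"; return 0
    fi
    echo "$fmt"; return 0
}

# Stand-alone use: sh nssdb_diagnose.sh /path/to/nssdb
if [ "$#" -gt 0 ]; then
    nssdb_diagnose "$1"
fi
```

Any result other than `sql` or `dbm` points at the path or its permissions rather than at an actual legacy database.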