[Freeipa-users] New install, unsupported format?

Steve Huston huston at astro.princeton.edu
Fri Feb 24 13:28:13 UTC 2017


On Fri, Feb 24, 2017 at 2:31 AM, Standa Laznicka <slaznick at redhat.com> wrote:
> Hello,
> I don't quite understand your situation - has the error happened during the
> addition of the host to the "ipaservers" group or during replica
> installation?

It was during the addition of the host.  In fact, any 'ipa' command
fails with the same error, even 'ipa help'.  I could understand if the
CA needs to be setup before these commands work, but then I'm pretty
sure I followed the order of the instructions for creating a replica
and this was the result.

Interestingly, when I first started to do this, I had other failures
related to the directory level.  I later realized that it's because I
was trying to create the replica on the test VM that I hadn't yet
upgraded from RHEL6 to RHEL7, so I was trying to use IPA 3.x.  In that
instance, the command to add the soon-to-be replica to ipaservers
succeeded, but the command to create the replica failed because it
needed the replica file (I later realized what was going on and
reinstalled the VM as I originally intended).

> Certutil is a wonderful piece of software that returns
> "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have
> never seen an actual legacy database. Usually, this error means that the
> directory you're pointing the certutil tool to either does not exist or you
> don't have the permissions to read/write in this exact directory.

Everything else on the server seems to be working fine, and the error
containing the URL to the running server leads me to believe it's a
problem with communication between the two.  However, there is no
firewalling on either host (yet), so I'm not sure why they wouldn't be
able to communicate.  I did run an strace of the process and didn't
see anything highly useful; in fact, the only connect syscall I saw was
to the socket of the local nscd.

Debug output of 'ipa -d help':
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:admin at ASTRO.PRINCETON.EDU
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: failed to find session_cookie in persistent storage for
principal 'admin at ASTRO.PRINCETON.EDU'
ipa: INFO: trying https://ipa.astro.princeton.edu/ipa/json
ipa: DEBUG: Created connection context.rpcclient_49093200
ipa: INFO: Forwarding 'schema' to json server
'https://ipa.astro.princeton.edu/ipa/json'
ipa: DEBUG: NSSConnection init ipa.astro.princeton.edu
ipa: DEBUG: Destroyed connection context.rpcclient_49093200
ipa: ERROR: cannot connect to
'https://ipa.astro.princeton.edu/ipa/json':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

> Cheers,
> Standa
>
> P.S.: I might have sent you this email twice because I am a bad person when
> it comes to the "Send" button, please reply to the email which has
> "freeipa-users" in CC :)

No worries :D

> On 02/23/2017 10:38 PM, Steve Huston wrote:
>>
>> I already had to do that previously to get other things to work; I had
>> solved it by changing line 582 of
>> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
>> "::1" to "localhost" before installing the server.  I did do this on
>> the to-be-promoted client as well, to no avail.
>>
>> On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>>>
>>> Steve Huston wrote:
>>>>
>>>> Next stage of my testing was to make a replica of the FreeIPA server,
>>>> and I started by doing a 'yum install ipa-server' and then moved on to
>>>> adding the host to the ipaservers group.  This fails every time
>>>> however, with the error:
>>>>
>>>> ipa: ERROR: cannot connect to
>>>> 'https://ipa.astro.princeton.edu/ipa/json':
>>>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
>>>> unsupported format.
>>>>
>>>> Searches on this seem to turn up things like expired certificates, or
>>>> "reboot httpd" (I went ahead and rebooted the whole ipa server), but
>>>> nothing concrete.  Suggestions?  Everything (server and soon-to-be
>>>> replica) running RHEL7.3 with all updates.
>>>>
>>> See the workaround in
>>> https://fedorahosted.org/freeipa/ticket/6575#comment:9
>>>
>>> rob



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
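Standa's point above is that SEC_ERROR_LEGACY_DATABASE from the NSS tools usually means the database directory is missing or not readable by the caller, not that the database is actually in an old format. The following is an added diagnostic (not code from the thread or from FreeIPA) that checks an NSS database directory for exactly those conditions and reports which on-disk layout it holds; the file names are the standard NSS ones, and the IPA 4.x client directory /etc/ipa/nssdb is mentioned only as an assumption for where to point it.

```python
import os
import tempfile
from pathlib import Path

# NSS keeps its certificate/key database in one of two on-disk layouts.
# Both are supported by current NSS; the SEC_ERROR_LEGACY_DATABASE text is
# misleading when the directory is simply missing or unreadable.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")   # legacy DBM layout
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")  # SQLite layout

def check_nssdb(path):
    """Diagnose why NSS might refuse to open the database directory `path`.
    On an IPA 4.x client this is typically /etc/ipa/nssdb (assumption)."""
    p = Path(path)
    report = {"path": str(p), "format": None, "problems": []}
    if not p.is_dir():
        report["problems"].append("directory does not exist")
        return report
    # The opening process must be able to list the directory and read files.
    if not os.access(p, os.R_OK | os.X_OK):
        report["problems"].append("directory is not readable/searchable")
        return report
    names = {child.name for child in p.iterdir()}
    has_dbm = any(n in names for n in DBM_FILES)
    has_sql = any(n in names for n in SQL_FILES)
    report["format"] = "sql" if has_sql else ("dbm" if has_dbm else None)
    if report["format"] is None:
        report["problems"].append("no cert8/cert9 database files present")
    for name in DBM_FILES + SQL_FILES:
        if name in names and not os.access(p / name, os.R_OK):
            report["problems"].append(f"{name} is not readable")
    return report

def demo():
    """Run the check on constructed sample directories (not real IPA paths)."""
    base = Path(tempfile.mkdtemp())
    good = base / "nssdb"
    good.mkdir()
    for name in SQL_FILES:
        (good / name).write_bytes(b"")      # empty stand-ins for the real files
    return {
        "sql_dir": check_nssdb(good),
        "missing_dir": check_nssdb(base / "does-not-exist"),
        "empty_dir": check_nssdb(base),     # exists but holds no database files
    }

if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, rep)
```

Run it as the same user that runs the failing `ipa` command, since os.access reports that user's effective permissions.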