[Freeipa-users] Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Vinny Del Signore vdel at us.ibm.com
Tue May 16 21:48:58 UTC 2017



Hello all,

I was hoping someone may have seen this issue or suggest how to further
troubleshoot.

We had FreeIPA configured a few years ago by a team that is now gone.
Several months ago we had an issue where passwords seemed to expire and
authentication started failing for users.  For example, we were not able to
log in to the LDAP server via ssh as an LDAP user; it shows "Permission
denied":

[fred@fred ~]$ ssh cr0777kk@biobb-ss
cr0777kk@biobb-ss's password:
Permission denied, please try again.
cr0777kk@biobb-ss's password:
Permission denied, please try again.
cr0777kk@biobb-ss's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[fred@fred ~]$

We checked the user status in LDAP and it is not locked and has the correct
permissions.  Then we noticed that the server is marked as LOCKED_OUT by
Kerberos in the Kerberos log:
[/var/log/krb5kdc.log]

root ldap-p1  ~
# grep biobb-ss /var/log/krb5kdc.log | tail
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20457](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20458](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
root ldap-p1  ~
#
For this we have a workaround, which is to re-enroll the server in the LDAP DB:

On the LDAP server, we execute these commands:
# kinit <LDAP_Admin>
# ipa host-del biobb-ss.freeipa.example.com
# ipa host-add biobb-ss.freeipa.example.com --password xxxxxxxxxxx
# ipa hostgroup-add-member dev --hosts=biobb-ss.freeipa.example.com

This was working for a couple of months, but now when we try the second
command (to delete the server from the LDAP DB), it fails.  And if we
re-execute the same command, it shows different errors, in the order below:

Here is what we see now:

# ipa host-del host.freeipa.example.com
ipa: ERROR: cannot connect to
'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

# ipa host-del host.freeipa.example.com
ipa: ERROR: cannot connect to
'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

# ipa host-del host.freeipa.example.com
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.


Any help appreciated.  Thank you in advance.


-Vin
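The LOCKED_OUT entries in the krb5kdc.log excerpt above, summarised per principal and source address, as an added example that is not part of the original post. The sample log is constructed in the MIT krb5kdc line format the post shows (mail-wrapped lines joined, @ restored, plus one ISSUE line and one user-principal lockout added to show that non-matching lines are skipped); it is not real data. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise LOCKED_OUT AS_REQ
# entries in a krb5kdc.log so the affected principals and client addresses
# can be seen at a glance before a host is re-enrolled.
# Assumes the MIT krb5kdc log format quoted in the post:
#   <date> <kdc> krb5kdc[<pid>](info): AS_REQ (...) <ip>: LOCKED_OUT: <client> for <server>, <message>

# Constructed sample log (not real data).
SAMPLE_LOG=$(cat <<'EOF'
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:12 ldap-p1.freeipa.example.com krb5kdc[20457](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.60: ISSUE: authtime 1494949812, etypes {rep=18 tkt=18 ses=18}, host/other.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:51:03 ldap-p1.freeipa.example.com krb5kdc[20458](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.99: LOCKED_OUT: cr0777kk@FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM@FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
EOF
)

# Read krb5kdc.log lines on stdin; print "<count> <principal> <client-ip> <last-seen>"
# for every (principal, client-ip) pair that hit LOCKED_OUT, most frequent first.
kdc_locked_out_summary() {
    awk '
        / LOCKED_OUT: / {
            ts = $1 " " $2 " " $3            # syslog-style timestamp
            for (i = 4; i <= NF; i++) {
                if ($i == "LOCKED_OUT:") {
                    ip = $(i-1); sub(/:$/, "", ip)   # client address precedes the status, with a trailing colon
                    princ = $(i+1)                   # client principal follows the status
                    key = princ " " ip
                    n[key]++; last[key] = ts
                    break
                }
            }
        }
        END { for (k in n) printf "%d %s %s\n", n[k], k, last[k] }
    ' | sort -rn
}

# Number of distinct principals currently being refused with LOCKED_OUT.
kdc_locked_out_principal_count() {
    kdc_locked_out_summary | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a real KDC use:
#   kdc_locked_out_summary < /var/log/krb5kdc.log
printf '%s\n' "$SAMPLE_LOG" | kdc_locked_out_summary
```

A host principal that keeps reappearing in this summary from the same client address is the one whose enrolment is worth checking first; the summary only reads the log and changes nothing on the KDC.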