<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Rob:<div class=""><br class=""></div><div class="">First I wanted to thank you for all of your valuable input/tips. As you well know, everything about certs, certmonger, dogtag and FreeIPA can get very complicated - there’s no easy answer, so many things can go wrong :) </div><div class=""><br class=""></div><div class="">But, your answers to my questions got me thinking, gave me some clues, pointed me in the right direction.</div><div class=""><br class=""></div><div class="">I wanted to take the time to specifically thank you because these concepts have mystified me for quite a while, our FreeIPA system has been running for more than a year with everything regarding certs kinda wacky and with me just praying that that fact didn’t crash everything and make the most important function for us (ssh, sssd, authentication, sso) stop working.</div><div class=""><br class=""></div><div class="">With your help I have certainly not become an expert but have gone from pretty much clueless to having somewhat of a clue :) That’s progress !!</div><div class=""><br class=""></div><div class="">My issue with the CA certs themselves is solved thanks to you pointing out the issue with creating replicas in 3.0 which has been fixed in 3.3 - the issue that can be solved by manually exporting a new cacert.p12 file and boom, new replicas created with expired certs issue solved.</div><div class=""><br class=""></div><div class="">And then there was the issue of “sec error legacy database” which would manifest itself in various forms and can be caused by many things - it is temporarily solved by restarting httpd but then just comes right back. 
</div><div class=""><br class=""></div><div class="">Based on your input I started looking at the certs/certmonger/getcert list - on all my nodes/hosts and noticed that many of them had bogus certs with principal names pointed at hosts that no longer existed. No other way to describe them other than WTF !!</div><div class=""><br class=""></div><div class="">My theory now is that all the nodes calling in to the CA with all those bogus certs were just overloading the CA and so after restarting httpd, it would temporarily clear up until all the nodes started calling in to the CA again - or something like that.</div><div class=""><br class=""></div><div class="">Anyways, Ansible to the rescue….</div><div class=""><br class=""></div><div class="">I exported a list of hosts from my IPA system; that became my Ansible inventory file.</div><div class=""><br class=""></div><div class="">Now, throw together a quick playbook to look at every host, identify the bogus cert or certs and tell certmonger to stop tracking them.</div><div class=""><br class=""></div><div class="">The simple Ansible playbook follows here.</div><div class=""><br class=""></div><div class="">Run that against all hosts and bingo !!! 
- my httpd logs on the CA are no longer getting spammed with bogus cert requests, “sec error legacy database” errors are not happening, etc., etc.</div><div class=""><br class=""></div><div class="">In short, my FreeIPA CA situation is now, I hope and pray, fairly stable.</div><div class=""><br class=""></div><div class="">So HUGE shout out to you Rob !!!</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><pre class="">---
- hosts: ipa-hosts
  gather_facts: False

  tasks:

  # Collect the certmonger request IDs on each host. `ipa-getcert list -r`
  # prints lines such as "Request ID '20160929204459':"; splitting on the
  # single quote leaves the ID in field 2.
  - name: get request id
    shell: ipa-getcert list -r | gawk -F\' '/Request/ {print $2}'
    register: my_id

  # Uncomment to review the IDs before anything is untracked: the filter
  # above matches every request certmonger is currently trying to obtain
  # or renew, which on an IPA server may include its own service certs.
  #- debug: var=my_id

  # Tell certmonger to stop tracking (and so stop re-requesting) each one.
  - name: kill bad certs
    shell: ipa-getcert stop-tracking -i {{ item }}
    with_items: "{{ my_id.stdout_lines }}"
</pre></div><div class=""><br class=""></div><div class=""><br class=""><div class=""><div class="">
<div class="">Jim Richard<br class="">SYSTEM ADMINISTRATOR III, PlaceIQ</div>
</div>
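<div class="">As an added example, not code from Jim's email or from the FreeIPA project: the playbook above untracks every request its awk filter returns, while the symptom in the logs is a tracked request whose principal names a different host. The script below parses ipa-getcert list output and reports only host-principal requests that do not match the local FQDN, so service certificates on IPA servers are left alone. The sample output, the example.test names and the request IDs are constructed.</div><div class=""><br class=""></div>
```python
import re
import socket
import subprocess

# Constructed sample of `ipa-getcert list` output (not captured from a real
# host). The machine is aerospike-cl1-203.nym1.example.test; the second
# request carries a principal for a different host, the pattern seen in the
# CA's httpd error_log in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160929204459':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - aerospike-cl1-203.nym1.example.test',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=aerospike-cl1-203.nym1.example.test,O=EXAMPLE.TEST
\tprincipal name: host/aerospike-cl1-203.nym1.example.test@EXAMPLE.TEST
\ttrack: yes
Request ID '20160929204501':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: IPA
\tsubject: CN=sbtt-nyc1-028.thum01.nym1.example.test,O=EXAMPLE.TEST
\tprincipal name: host/sbtt-nyc1-028.thum01.nym1.example.test@EXAMPLE.TEST
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_getcert_list(text):
    """Turn `getcert list` output into one {field: value} dict per request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def principal_host(principal):
    """'host/fqdn@REALM' -> 'fqdn' (lower-cased); None for non-host principals."""
    m = re.match(r"^host/([^@]+)@", principal or "")
    return m.group(1).lower() if m else None


def find_mismatched_requests(text, local_fqdn):
    """Return (request_id, principal_host, status) for host/ principals that
    name a machine other than local_fqdn. Service principals (HTTP/, ldap/ ...)
    and requests without a principal are skipped on purpose."""
    local_fqdn = local_fqdn.lower()
    bad = []
    for req in parse_getcert_list(text):
        host = principal_host(req.get("principal name"))
        if host is not None and host != local_fqdn:
            bad.append((req["request_id"], host, req.get("status", "?")))
    return bad


def main():
    # Run on a client: list what certmonger tracks here and flag mismatches.
    out = subprocess.run(["ipa-getcert", "list"], capture_output=True,
                         text=True, check=True).stdout
    for req_id, host, status in find_mismatched_requests(out, socket.getfqdn()):
        print(f"{req_id}\t{status}\tprincipal host {host!r} != local host; "
              f"candidate for: ipa-getcert stop-tracking -i {req_id}")


if __name__ == "__main__":
    main()
```
<div class=""><br class=""></div>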
<br class=""><div><blockquote type="cite" class=""><div class="">On Sep 30, 2016, at 4:53 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" class="">rcritten@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Jim Richard wrote:<br class=""><blockquote type="cite" class="">Can I and how…<br class=""><br class="">delete all certs for all hosts<br class=""><br class="">I mean, we only use FreeIPA for user login/sssd<br class=""><br class="">That said, do we even need those certs?<br class=""></blockquote><br class="">There is no simple answer, really.<br class=""><br class="">Yes, you can delete all certs for all hosts (not recommended as some of those are for IPA services). I doubt it would do anything positive and if the certificate is tracked by certmonger on the client it would eventually renew.<br class=""><br class="">Do you need the certs? Only you would know that, but chances are the vast majority aren't being used.<br class=""><br class="">In 3.0 when a client is registered a host certificate is obtained for it. 
This certificate was never used and in 4.something it isn't requested at all unless an option is passed to ipa-client-install.<br class=""><br class="">rob<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">On Sep 29, 2016, at 8:53 PM, Jim Richard <<a href="mailto:jrichard@placeiq.com" class="">jrichard@placeiq.com</a>> wrote:<br class=""><br class="">another interesting thing, my httpd/error_logs are constantly getting spammed with: (I removed the stuff between the single quotes)<br class=""><br class="">Notice those names don’t match, should they?<br class=""><br class="">Me thinks not since those “principal=” items are ALMOST all hosts that no longer exist in the FreeIPA system. A rare few do exist.<br class=""><br class="">So, that’s weird :)<br class=""><br class=""><pre class="">[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'…………………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError

[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'…………………..', principal=u'host/017.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError

[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'……………………...', principal=u'host/025.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError

[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'……………………….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
</pre><br class=""><blockquote type="cite" class="">On Sep 29, 2016, at 8:11 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" class="">rcritten@redhat.com</a>> wrote:<br class=""><br class="">Natxo Asenjo wrote:<br class=""><blockquote type="cite" class="">hi Jim,<br class=""><br class="">On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <<a href="mailto:jrichard@placeiq.com" class="">jrichard@placeiq.com</a>> wrote:<br class=""><br class=""> Thanks Rob, that worked.<br class=""><br class=""> Still on the subject of certs, any idea how to solve this error:<br class=""><br class=""> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.<br class=""><br class=""> I see that in the gui when querying hosts as well as from cli when I ipa-show or ipa-find<br class=""><br class=""><br class="">I have had this too, and we did not find a solution (search my recent posts on the archives). As a workaround I have created replicas and decommissioned the older replicas.<br class=""></blockquote><br class="">On the one hand I'm glad this fixed it for you. On the other it is a rather unsatisfying answer. Unfortunately NSS doesn't always provide the most context with its error messages. This error is usually seen when one tries to open a non-existent database, which in this case is a very strange thing, especially since it goes from working to non-working in the same apache process over a few minutes.<br class=""><br class="">I'm not sure how I'd troubleshoot this if it were easily reproducible. I suspect we'd need to figure out which database cannot be found (most likely /etc/httpd/alias) and go from there. An strace is a brute-force way to see the file open but finding the right process to attach to is a bit of an art.<br class=""><br class="">rob<br class=""><br class="">--<br class="">Manage your subscription for the Freeipa-users mailing list:<br class=""><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" class="">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br class="">Go to http://freeipa.org for more info on the project<br class=""></blockquote><br class=""></blockquote><br class=""></blockquote><br class=""></div></div></blockquote></div><br class=""></div></div></body></html>