hi, I can reproduce this every time. Restarting httpd fixes it for a while, but then it stops working:
$ ipa cert-show 1
ipa: ERROR: cannot connect to 'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

[jose.admin@kdc01 ~]$ sudo /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

[jose.admin@kdc01 ~]$ ipa cert-show 1
  Certificate: MIIDnDCCAoSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklY
LklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
MTIxMTA3MjEyNDE1WhcNMjAxMTA3MjEyNDE1WjA7MRkwFwYDVQQKExBVTklYLklS
SVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCy2WVy7QkHiuENW/zkMeD4ILoqOruu
YKvb2+rqeuI9iw+zBBt569XSxrgcyeTq0G63RjbXgrAzot4EhYg6MoepDVCn0Bnu
rUfgbCf5R0Eboigjboh5MGnPylHefLRGARNUCwcTGA4uR9ZQL/rEUqWktmZjanYE
vOP8UBeuq5WP5emaX8U03SzMA+cQT9w/zx0eAOYgZW5yx3aA5Q4Fu8qWqMGGAOA6
yDQWqmIpgxiFHHRa7hQK4AjeHgvaColaU979Lh5jAv/XwrYtok1G+UVEp45INpfx
r5dLe03ognPFPZ0/xwbBqtt/2qn6rk4L4ukH4P9g4Rw0o7U1yJVx/SOJAgMBAAGj
gaowgacwHwYDVR0jBBgwFoAUo5fkii64zz7qM/K8k9Yj3qmENmgwDwYDVR0TAQH/
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFKOX5IouuM8+6jPyvJPW
I96phDZoMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL2tkYzAx
LnVuaXguaXJpc3pvcmcubmw6ODAvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEA
J28gdozd/ptOM5PTKKwyV+otO/wk3yErslxpNUhRZgSNUwT+t6tfF/j+jJRV5sX+
jy09c9Do+p3Hy9gRnIVJONDScvMV9nDc75C6JGXU+FdNJJ+Dbpep/RsQjHrZ+unw
IyAWoOpBol8sGzN5tXbeo/M6mGFxaBTH1GKtgv4CKbzQAotvMaGxzKjScHRsGaer
NSCZp/90yRJypC3MOosUFcFl4CoYHB42XDTzjvzZQcaFNcgYXOciujwwYHNzsSqY
cIKFSWuWvN++7g4yxQMlu8QW0Ms/PntmTmO2cDdNI1tujVyBKe599y4O/Es/MBGt
DtVA85ALksJOU27bjtvbBg==
  Subject: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
  Issuer: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
  Not Before: Wed Nov 07 21:24:15 2012 UTC
  Not After: Sat Nov 07 21:24:15 2020 UTC
  Fingerprint (MD5): 28:18:34:9d:03:99:b8:ff:2b:bd:55:0a:65:bf:d4:f2
  Fingerprint (SHA1): 6f:e1:a4:4f:47:ec:9c:c4:ad:b9:b9:fc:e8:f4:33:4b:0a:cb:43:3e
  Serial number (hex): 0x1
  Serial number: 1

And a few minutes later (5, maximum 10), then I get the SEC_ERROR_LEGACY_DATABASE error. No traceback in /var/log/httpd/error_log.

This is the first CA domain controller.

I am leaving this job in a few weeks, so I would like to leave everything working properly. Would it be better to upgrade the domain controllers to centos 7 (right now running centos 6.8, fully patched)?

Thanks for your input.

--
regards,
natxo

On Thu, Sep 8, 2016 at 6:30 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>
> On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Natxo Asenjo wrote:
>>
>>> I do see these errors:
>>> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
>>> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>>> all=False, raw=False, version=u'2.49', no_members=False,
>>> pkey_only=False): CertificateFormatError
>>> [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
>>> [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>>> all=False, raw=False, version=u'2.49', no_members=False,
>>> pkey_only=False): CertificateFormatError
>>> [Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS
>>> [Wed Sep 07 15:57:58 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>>> all=False, raw=False, version=u'2.49', no_members=False,
>>> pkey_only=False): CertificateFormatErro
>>>
>>>
>>> On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo <natxo.ase...@gmail.com
>>> <mailto:natxo.ase...@gmail.com>> wrote:
>>>
>>>     alas, not working again.
>>>
>>>     On the one kdc
>>>
>>>     $ ipa host-find tftp-1801
>>>     ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE)
>>>     The certificate/key database is in an old, unsupported format.
>>>
>>>     On the other:
>>>
>>>     $ ipa host-find tftp-1801
>>>     --------------
>>>     1 host matched
>>>     --------------
>>>       Host name: tftp-1801.sub.domain.tld
>>>       .....
>>>
>>>     After rebooting the kdc with the error, no new tracebacks in the
>>>     error_log
>>>
>> No new tracebacks but still not working?
>>
>> The CertificateFormatError is the server logging the equivalent of what
>> you're seeing in the client.
>>
>> rob
>
> that's right.
>
> Is there anything else I can look at?
>
> --
> Groeten,
> natxo

--
Groeten,
natxo
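Two checks an administrator chasing this symptom would want, written here as an added example; this is not code from the thread or from FreeIPA. It assumes the NSS file-name conventions (the legacy DBM store is cert8.db/key3.db/secmod.db, the SQLite store is cert9.db/key4.db/pkcs11.txt; SEC_ERROR_LEGACY_DATABASE is the NSS error for a legacy-format store it cannot open), it assumes /etc/httpd/alias as the IPA httpd NSS directory, and the error_log lines it parses are constructed to match the shape quoted above, including the wrapped continuation lines.

```python
"""Defender-side checks for the SEC_ERROR_LEGACY_DATABASE symptom (added example).

1. classify_nss_db_files(): report whether an NSS database directory holds the
   legacy DBM files, the SQLite files, or both.  File-name sets are the NSS
   conventions; the directory path is the caller's choice.
2. scan_error_log(): extract CertificateFormatError events from httpd
   error_log lines of the shape quoted in the thread, re-joining wrapped
   continuation lines so each event carries its timestamp and the failing
   IPA command.
"""
import os
import re
import sys

# NSS store layouts (assumption stated in the lead-in: these are NSS's own names).
LEGACY_FILES = {"cert8.db", "key3.db", "secmod.db"}
SQLITE_FILES = {"cert9.db", "key4.db", "pkcs11.txt"}

# Assumed location of the IPA httpd NSS database; override on the command line.
DEFAULT_NSS_DIR = "/etc/httpd/alias"


def classify_nss_db_files(names):
    """Classify a directory listing as 'legacy', 'sqlite', 'mixed' or 'none'."""
    names = set(names)
    has_legacy = bool(names & LEGACY_FILES)
    has_sqlite = bool(names & SQLITE_FILES)
    if has_legacy and has_sqlite:
        return "mixed"      # both layouts present: which one NSS opens depends on its build/config
    if has_legacy:
        return "legacy"     # only a DBM store: the format SEC_ERROR_LEGACY_DATABASE complains about
    if has_sqlite:
        return "sqlite"
    return "none"


def classify_nss_db_dir(path):
    """Same classification for a real directory on disk."""
    return classify_nss_db_files(os.listdir(path))


# One error_log record: "[<timestamp>] [error] ipa: INFO:: <msg>" or "... INFO: : <msg>"
# (both spellings of the INFO separator appear in the quoted log).
LOG_START = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: INFO: ?: (?P<msg>.*)$")


def join_wrapped(lines):
    """Glue continuation lines (those not starting with '[') onto the previous record."""
    records = []
    for line in lines:
        if line.startswith("[") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def scan_error_log(lines):
    """Return [(timestamp, ipa_command), ...] for every CertificateFormatError record."""
    events = []
    for rec in join_wrapped(lines):
        m = LOG_START.match(rec)
        if not m or "CertificateFormatError" not in m.group("msg"):
            continue
        command = m.group("msg").split("(", 1)[0]   # e.g. "host_find"
        events.append((m.group("ts"), command))
    return events


# Constructed sample in the shape of the thread's quoted error_log (not real log data).
SAMPLE_ERROR_LOG = """\
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False,
pkey_only=False): CertificateFormatError
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False,
pkey_only=False): CertificateFormatError
""".splitlines()


if __name__ == "__main__":
    nss_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_NSS_DIR
    if os.path.isdir(nss_dir):
        print("%s: NSS store layout = %s" % (nss_dir, classify_nss_db_dir(nss_dir)))
    log_lines = SAMPLE_ERROR_LOG
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:       # real error_log path given by the caller
            log_lines = fh.read().splitlines()
    for ts, cmd in scan_error_log(log_lines):
        print("%s  CertificateFormatError in %s" % (ts, cmd))
```

Run it as `python nsscheck.py /etc/httpd/alias /var/log/httpd/error_log`: a `mixed` or `legacy` verdict alongside recurring CertificateFormatError events after each httpd restart is the pattern to correlate with the restart times reported in the thread.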
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project