On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton <blip...@redhat.com> wrote:
> On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
>
> Hi Ben,
>
> On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blip...@redhat.com> wrote:
>
>> One other note - this could be a permissions issue. NSS seems to produce
>> this confusing error message when it can't access the database, even if the
>> format of the database is actually fine.
>>
>> $ sudo chown root:root /tmp/certs
>> $ certutil -N -d /tmp/certs
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>
> Thanks for the tip. What directory should I check? I have checked:
>
> [root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0 secmod.db.orig
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0 key3.db.orig
> -rw-r-----. root apache unconfined_u:object_r:cert_t:s0 cert8.db.orig
> -rw-------. root root unconfined_u:object_r:cert_t:s0 install.log
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 secmod.db
> -r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc.orig
> -r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc
> lrwxrwxrwx. root root system_u:object_r:cert_t:s0 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 key3.db
> -rw-rw----. root apache unconfined_u:object_r:cert_t:s0 cert8.db
>
> [root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/httpd/alias/
>
> Those seem ok.
> --
> Groeten,
> natxo
>
> The other one I know about is:
> # ls -ltrZ /etc/ipa/nssdb
> total 80
> -rw-------. 1 root root unconfined_u:object_r:cert_t:s0 40 Aug 22 13:13 pwdfile.txt
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 secmod.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 key3.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 13:13 cert8.db
> # ls -ltrdZ /etc/ipa/nssdb
> drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 /etc/ipa/nssdb
>
> I still don't have any good ideas for why it would work for 5 minutes and
> then give an error. If you manage to get a traceback for the
> CertificateFormatError by enabling debug logging, that could be very
> helpful.

I do not have that directory (centos 6.8):

ls -ltrZ /etc/ipa/
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 default.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 ca.crt
drwxr-xr-x. root root system_u:object_r:etc_t:s0 html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 server.conf.bak
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 server.conf

I have enabled debugging:

$ cat /etc/ipa/server.conf
[global]
debug = True

Could I send you the logs privately?

--
Groeten,
natxo
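
The access check discussed in this thread, as an added example that is not part of the original messages: a shell function that reports whether the calling user can open each NSS database file in a directory, so a permissions problem can be told apart from a genuine format problem. The function name `nssdb_check` and its return codes are assumptions of this example; the file names are the standard NSS legacy (dbm) and sql database sets. Readability is evaluated for the calling user, so run it as the account that sees the error.

```shell
#!/bin/sh
# Added example, not from the thread. Checks file access only; it does not
# call certutil or inspect SELinux labels.
# Legacy (dbm) NSS databases: cert8.db key3.db secmod.db (as in the listings).
# Newer sql NSS databases:    cert9.db key4.db pkcs11.txt.

# nssdb_check DIR -> prints findings and returns:
#   0  every file of the detected format is readable by the calling user
#   1  the directory or one of the database files is missing or unreadable
#   2  DIR is not a directory or holds no NSS certificate database
nssdb_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"; return 2
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "$dir: not readable/searchable by $(id -un)"; return 1
    fi
    if [ -e "$dir/cert9.db" ]; then
        fmt=sql; files="cert9.db key4.db pkcs11.txt"
    elif [ -e "$dir/cert8.db" ]; then
        fmt=dbm; files="cert8.db key3.db secmod.db"
    else
        echo "$dir: no cert8.db or cert9.db found"; return 2
    fi
    echo "$dir: $fmt format"
    rc=0
    for f in $files; do
        if [ ! -e "$dir/$f" ]; then
            echo "  $f: missing"; rc=1
        elif [ ! -r "$dir/$f" ]; then
            # Note: root passes -r regardless of mode bits.
            echo "  $f: not readable by $(id -un)"; rc=1
        else
            echo "  $f: ok"
        fi
    done
    return $rc
}

# Stand-alone use: sh nssdb_check.sh /etc/httpd/alias
if [ $# -gt 0 ]; then nssdb_check "$1"; fi
```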