Sigbjorn Lie wrote:
On 20/02/14 21:38, Rob Crittenden wrote:

I am surprised too. I dumped the PKI CA certificate from /etc/pki/nssdb
before and after I updated it into text files, and diff'ed them. No
differences was reported.

I can't think of a reason it would be using the sqlite database at
all. You don't have NSS_DEFAULT_DB_TYPE set somewhere do you? I'd find
it hard to believe that this would be set EVERYWHERE.

If we want to brute force things, trying strace against a client that
isn't working to confirm that it is trying to open cert9 might give us
a data point at least.

I have NSS_DEFAULT_DB_TYPE set to "sql".

Oh, ok, that's why then. You're telling NSS to use sqlite databases and we only configure the older database style so the client isn't finding its CA cert.

So you can either not set that or migrate all the client databases. I'm a little surprised the servers aren't blowing up on you too.


Freeipa-users mailing list

Reply via email to