Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

Fri, 29 May 2015 02:22:15 -0700 

the other hosts do not have certificate set.

Thanks,
David


On 05/29/2015 02:05 AM, Petr Vobornik wrote:

On 05/29/2015 10:45 AM, David Lin wrote:

ipa host-find produces this
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. 

and ipa host-show on only one of the hosts show
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. 

all the other hosts are fine.
Does any other host have certificate set? I want to find out if it fails on a specific certificate and not on other(s) or if it fails for all hosts with certificate set.
SEC_ERROR_LEGACY_DATABASE error suggests that it fails on initialization of NSS database which is not dependent on stored certificate. 



Thanks!
David


On May 29, 2015, at 1:35 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

On 05/29/2015 10:02 AM, Martin Kosek wrote:

On 05/29/2015 01:27 AM, David Lin wrote:

Hi,
When I try to add multiple hosts, on the web UI, when I go to the host 
tab,
This means that Web UI calls `ipa host-find` and couple of `ipa host-show` commands. Could you try it in CLI find out which command fails?
So other web ui tabs work? Does service tab work(services has some common logic with hosts)? 


I get

Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.

What does this mean?
NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the database directory (for any reason, including non-existent directory) 



That's strange. CCIng Petr. Maybe /etc/httpd/alias NSS database was
somehow damaged? Although I doubt that, in that case Apache would not be 
able to serve https even.


+1




On one of the hosts, I do notice that when i do

ipa host-show

there is no certificate listed.


If you are using FreeIPA 4.1+, this is expected:

https://fedorahosted.org/freeipa/ticket/4449

Martin



--
Petr Vobornik









--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to