I think the problem is the upgrade from freeipa-* to ipa-*, which does not run
the scripts correctly.
Previously I had to run:

/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :

/bin/systemctl enable ipa.service 

Now I also needed:

python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()'
# Scratch file for the exported CA certificate (PEM)
tempfile=$(mktemp)
# Export the CA certificate from /etc/pki/nssdb and import it into /etc/ipa/nssdb
if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>>/var/log/ipaupgrade.log; then
    certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >>/var/log/ipaupgrade.log 2>&1
elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>>/var/log/ipaupgrade.log; then
    certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >>/var/log/ipaupgrade.log 2>&1
fi
rm -f "$tempfile"

And also the ipa commands work correctly.


On 16 July 2015 14:01:47 CEST, Nicola Canepa <canep...@mmfg.it> wrote:
>I upgraded from freeipa 4.0 to ipa-4.1.0
>Users continue to be authenticated, and web GUI works, but from command
>line for every ipa command (after authenticating with kinit), I get:
>> [root@ldap-01 ~]# ipa config-show
>> ipa: ERROR: cannot connect to 'https://ldap-01.mmfg.it/ipa/json': 
>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an
>> unsupported format.
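
Added example, not part of the original message or of the FreeIPA packaging scripts: a shell check that the certutil import in the reply left the CA in /etc/ipa/nssdb under one of the two nicknames used there, with the trust flags passed to certutil -A. The function names and the sample listings are constructed for illustration; on a real host, pipe the output of certutil -L -d /etc/ipa/nssdb into ipa_ca_trusted.

```sh
#!/bin/sh
# Constructed samples in the layout printed by `certutil -L -d <dir>`.
SAMPLE_OK='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
'
SAMPLE_UNTRUSTED='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       ,,
'
SAMPLE_EXTERNAL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External CA cert                                             C,,
'

# Print the trust flags listed for nickname $1 (certutil -L listing on stdin).
# Nicknames may contain spaces, so the flags are taken from the last column.
trust_flags_for() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
            sub(/^[ \t]+/, "", name)                # drop leading padding
            if (name == nick) { print flags; exit }
        }'
}

# Succeed only if the listing on stdin holds the CA under one of the two
# nicknames from the post, with the trust flags given to certutil -A there.
ipa_ca_trusted() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | trust_flags_for 'IPA CA')" = 'CT,C,C' ] && return 0
    [ "$(printf '%s\n' "$listing" | trust_flags_for 'External CA cert')" = 'C,,' ] && return 0
    return 1
}

# Run the check over the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_EXTERNAL" "$SAMPLE_UNTRUSTED"; do
    if printf '%s\n' "$sample" | ipa_ca_trusted; then
        echo "CA present and trusted"
    else
        echo "CA missing or not trusted"
    fi
done
```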
