Natxo Asenjo wrote:


On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Natxo Asenjo wrote:

        hi,

        using centos 6.8 (server and client), when trying to view some hosts we
        get this error:


        $ ipa host-find host-1920.sub.domain.tld
        ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.


        I saw a thread last year about this, but no solution.

        Any clues?


    /var/log/httpd/error_log may contain a traceback


This made me take a look at a replica, and there I could not replicate
the error; I got the info I requested.

In the Apache error file I saw indeed a traceback:

[Sun Sep 04 03:21:31 2016] [error] ipa: ERROR: non-public: XMLSyntaxError: None
[Sun Sep 04 03:21:31 2016] [error] Traceback (most recent call last):
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Sun Sep 04 03:21:31 2016] [error]     result = self.Command[name](*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Sun Sep 04 03:21:31 2016] [error]     ret = self.run(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Sun Sep 04 03:21:31 2016] [error]     return self.execute(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 362, in execute
[Sun Sep 04 03:21:31 2016] [error]     result = api.Command['cert_show'](unicode(serial))['result']
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Sun Sep 04 03:21:31 2016] [error]     ret = self.run(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Sun Sep 04 03:21:31 2016] [error]     return self.execute(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 493, in execute
[Sun Sep 04 03:21:31 2016] [error]     result=self.Backend.ra.get_certificate(serial_number)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1489, in get_certificate
[Sun Sep 04 03:21:31 2016] [error]     parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml)
[Sun Sep 04 03:21:31 2016] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1350, in get_parse_result_xml
[Sun Sep 04 03:21:31 2016] [error]     doc = etree.fromstring(xml_text, parser)
[Sun Sep 04 03:21:31 2016] [error]   File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1424, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 539, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:63824)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 625, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 576, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64260)
[Sun Sep 04 03:21:31 2016] [error] XMLSyntaxError: None


Restarting httpd fixed the issue. Thanks!

Looking into Apache never occurred to me; FreeIPA really is a web
service, although it provides infrastructure services.

Yeah, there are a lot of moving parts, that's for sure.

Makes me wonder if httpd should be restarted as part of the upgrade.

rob
