This may be resolved already, but just in case it's helpful:
On 09/13/2016 11:26 AM, Rob Crittenden wrote:
Natxo Asenjo wrote:
hi,
On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Natxo Asenjo wrote:
hi,
I can reproduce this every time. Restarting httpd fixes it for a
while,
but then it stops working:
$ ipa cert-show 1
ipa: ERROR: cannot connect to
'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in
an old,
unsupported format.
It is very strange that it goes from a working to a non-working
state.
I have only two suggestions:
1. Create /etc/ipa/server.conf with a [global] section and
debug=True in it, restart httpd. Your log will be quite a bit more
verbose but given it reproduces so quickly hopefully won't be too
big a deal. That might show something.
+1 to this. With debug=True there should be tracebacks for your
CertificateFormatErrors.
2. Try brute force with strace. Finding the right httpd process to
strace can be frustrating but usually there are only 8 and they
rotate so eventually you should get the right one.
Could I send you the log files privately?
Sure.
rob
One other note - this could be a permissions issue. NSS seems to produce
this confusing error message when it can't access the database, even if
the format of the database is actually fine.
$ sudo chown root:root /tmp/certs
$ certutil -N -d /tmp/certs
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
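The last note in the thread is the one worth checking first: NSS reports SEC_ERROR_LEGACY_DATABASE both for a genuinely old dbm-format database and for a database the calling process simply cannot open, and the error text does not tell you which. The script below is an added example, not code from the thread or from FreeIPA. It looks at the file names to decide which on-disk format is present, then checks whether the service user can actually traverse the directory and read each file, and only then (if certutil is installed) lets NSS open the database. The database path /etc/httpd/alias and the service user apache in the usage comment are assumptions, not something the thread states; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not code from the thread. It separates the two causes of
# SEC_ERROR_LEGACY_DATABASE: a real legacy dbm-format database
# (cert8.db/key3.db/secmod.db) and a database the caller cannot read.
# Assumed, not stated in the thread: the httpd-side NSS database lives in
# /etc/httpd/alias and httpd runs as the "apache" user.

# Print the on-disk format of the NSS database in DIR:
#   dbm  = legacy cert8.db/key3.db/secmod.db
#   sql  = cert9.db/key4.db/pkcs11.txt
#   both = files of both formats present
#   none = no database files found
nssdb_format() {
    have8=0; have9=0
    [ -e "$1/cert8.db" ] && have8=1
    [ -e "$1/cert9.db" ] && have9=1
    case "$have8$have9" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Run CMD as USER: directly when USER is the caller, via sudo otherwise.
# Checking as the service user is the point: root can open files that
# apache cannot, so a check run as root proves nothing about httpd.
run_as() {
    u=$1; shift
    if [ "$u" = "$(id -un)" ]; then "$@"; else sudo -n -u "$u" "$@"; fi
}

# Return 0 if USER (default: the caller) can traverse DIR and read every
# database file in it; print the first failing path and return 1 otherwise.
nssdb_readable() {
    dir=$1; user=${2:-$(id -un)}
    if ! run_as "$user" sh -c 'test -r "$1" && test -x "$1"' sh "$dir"; then
        echo "$user cannot enter $dir"
        return 1
    fi
    for f in cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt; do
        [ -e "$dir/$f" ] || continue
        if ! run_as "$user" sh -c 'test -r "$1"' sh "$dir/$f"; then
            echo "$user cannot read $dir/$f"
            return 1
        fi
    done
    echo "$user can read the NSS database in $dir"
}

# Full check of one database: format first, then readability as the
# service user, then (only if certutil is installed) let NSS open it.
# A readable database that certutil still rejects really is in the old
# format; an unreadable one reproduces the thread's chown/certutil -N case.
nssdb_check() {
    dir=$1; user=${2:-$(id -un)}
    echo "$dir: format=$(nssdb_format "$dir")"
    nssdb_readable "$dir" "$user" || return 1
    if command -v certutil >/dev/null 2>&1; then
        if run_as "$user" certutil -L -d "$dir" >/dev/null 2>&1; then
            echo "certutil -L as $user: ok"
        else
            echo "certutil -L as $user: failed (NSS itself rejects the database)"
            return 1
        fi
    fi
}

# Usage on an IPA master (assumed path and user, run as root):
#   nssdb_check /etc/httpd/alias apache
```

If nssdb_readable fails while the same command succeeds as root, the fix is ownership or mode on the directory or files, not a database migration; the SELinux context is a separate possibility this script does not test (check the httpd error log for AVC denials).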