On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
Hi Ben,
On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blip...@redhat.com> wrote:
One other note - this could be a permissions issue. NSS seems to
produce this confusing error message when it can't access the
database, even if the format of the database is actually fine.
$ sudo chown root:root /tmp/certs
$ certutil -N -d /tmp/certs
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Thanks for the tip. What directory should I check? I have checked:
[root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 secmod.db.orig
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 key3.db.orig
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 cert8.db.orig
-rw-------. root root unconfined_u:object_r:cert_t:s0 install.log
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 secmod.db
-r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc.orig
-r--r--r--. root root unconfined_u:object_r:cert_t:s0 cacert.asc
lrwxrwxrwx. root root system_u:object_r:cert_t:s0 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 key3.db
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 cert8.db
[root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/httpd/alias/
Those seem ok.
--
Groeten,
natxo
The other one I know about is:
# ls -ltrZ /etc/ipa/nssdb
total 80
-rw-------. 1 root root unconfined_u:object_r:cert_t:s0 40 Aug 22 13:13 pwdfile.txt
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 secmod.db
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 key3.db
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 13:13 cert8.db
# ls -ltrdZ /etc/ipa/nssdb
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 /etc/ipa/nssdb
I still don't have any good ideas for why it would work for 5 minutes
and then give an error. If you manage to get a traceback for the
CertificateFormatError by enabling debug logging, that could be very
helpful.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
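
Added example, not part of the thread or of FreeIPA: a small shell check that separates "cannot access the NSS database" from "database really is in the wrong format" before trusting SEC_ERROR_LEGACY_DATABASE. The function name nssdb_access_check and its output labels are made up for this illustration; the file names are the standard NSS legacy (dbm) and SQLite sets.

```shell
#!/bin/sh
# Added example: report whether the *current user* can reach the NSS
# database files in a directory. Function name and labels are hypothetical.
# Returns 0 = database present and readable, 1 = access blocked or
# incomplete file set, 2 = no database found in the directory.
nssdb_access_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING dir $dir"
        return 2
    fi
    if [ ! -x "$dir" ]; then
        echo "BLOCKED dir $dir (no search permission for uid $(id -u))"
        return 1
    fi
    # NSS keeps either the legacy dbm set or the SQLite set.
    if [ -e "$dir/cert8.db" ]; then
        files="cert8.db key3.db secmod.db"
        echo "FORMAT legacy dbm"
    elif [ -e "$dir/cert9.db" ]; then
        files="cert9.db key4.db pkcs11.txt"
        echo "FORMAT sqlite"
    else
        echo "MISSING no cert8.db or cert9.db in $dir"
        # Creating a database (certutil -N) needs a writable directory.
        [ -w "$dir" ] || echo "BLOCKED dir $dir (not writable, cannot create a database)"
        return 2
    fi
    rc=0
    for f in $files; do
        if [ ! -e "$dir/$f" ]; then
            echo "MISSING $f"
            rc=1
        elif [ ! -r "$dir/$f" ]; then
            echo "BLOCKED $f (not readable by uid $(id -u))"
            rc=1
        else
            echo "OK $f"
        fi
    done
    return $rc
}
```

Run it as the account that actually opens the database (for example the web server user for /etc/httpd/alias), since the result depends on who is asking; root will pass checks that an unprivileged service account fails.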