On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
Hi Ben,

On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton <blip...@redhat.com <mailto:blip...@redhat.com>> wrote:

    One other note - this could be a permissions issue. NSS seems to
    produce this confusing error message when it can't access the
    database, even if the format of the database is actually fine.

    $ sudo chown root:root /tmp/certs
    $ certutil -N -d /tmp/certs
    certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
    certificate/key database is in an old, unsupported format.

Thanks for the tip. What directory should I check? I have checked:

[root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 secmod.db.orig
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 key3.db.orig
-rw-r-----. root apache unconfined_u:object_r:cert_t:s0 cert8.db.orig
-rw-------. root root   unconfined_u:object_r:cert_t:s0 install.log
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 secmod.db
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0 cacert.asc.orig
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0 cacert.asc
lrwxrwxrwx. root root system_u:object_r:cert_t:s0 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 key3.db
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 cert8.db

[root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/httpd/alias/

Those seem ok.

The other one I know about is:
# ls -ltrZ /etc/ipa/nssdb
total 80
-rw-------. 1 root root unconfined_u:object_r:cert_t:s0 40 Aug 22 13:13 pwdfile.txt -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 secmod.db -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 13:13 key3.db -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 13:13 cert8.db
# ls -ltrdZ /etc/ipa/nssdb
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 /etc/ipa/nssdb

I still don't have any good ideas for why it would work for 5 minutes and then give an error. If you manage to get a traceback for the CertificateFormatError by enabling debug logging, that could be very helpful.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to