Natxo Asenjo wrote:
hi Jim,

On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote:

    Thanks Rob, that worked.

    Still on the subject of certs, any idea how to solve this error:

    Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
    certificate/key database is in an old, unsupported format.

    I see that in the gui when querying hosts as well as from cli when I
    ipa-show or ipa-find

I have had this too, and we did not find a solution (search my recent
posts on the archives). As a workaround I have created replicas and
decommissioned the older replicas.

On the one hand I'm glad this fixed it for you. On the other it is a rather unsatisfying answer. Unfortunately NSS doesn't always provide the most context with its error messages. This error is usually seen when one tries to open a non-existent database, which in this case is a very strange thing, especially since it goes from working to non-working in the same apache process over a few minutes.

I'm not sure how I'd troubleshoot this if it were easily reproducible. I suspect we'd need to figure out which database cannot be found (most likely /etc/httpd/alias) and go from there. An strace is a brute-force way to see the file open but finding the right process to attach to is a bit of an art.
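
Added example, not part of the original thread: one way to narrow down which NSS database file cannot be opened is to filter captured `strace -f` output for failed open()/openat() calls on NSS database file names, per process. It assumes plain `strace -f` output without timestamps; the sample lines, PIDs and the second path are constructed for illustration.

```python
import re

# NSS database file names: legacy DBM format and the newer SQLite format.
NSS_DB_FILES = {"cert8.db", "key3.db", "secmod.db",
                "cert9.db", "key4.db", "pkcs11.txt"}

# Matches "[pid 123] open(..." (strace -f), "123 open(..." (strace -f -o file)
# and lines with no PID prefix, for both open() and openat().
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid1>\d+)\]\s+|(?P<pid2>\d+)\s+)?'
    r'(?:open|openat)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)


def failed_nss_opens(strace_text):
    """Return {(pid, path): errno} for NSS database files that failed to open."""
    failures = {}
    for line in strace_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("ret")) >= 0:
            continue  # not an open call, or the open succeeded
        path = m.group("path")
        if path.rsplit("/", 1)[-1] not in NSS_DB_FILES:
            continue  # failed open of an unrelated file
        pid = m.group("pid1") or m.group("pid2") or "?"
        failures[(pid, path)] = m.group("errno")
    return failures


# Constructed sample output (not taken from the thread).
SAMPLE = """\
[pid  2101] open("/etc/httpd/alias/cert8.db", O_RDONLY) = 14
[pid  2101] open("/etc/httpd/alias/key3.db", O_RDONLY) = 15
[pid  2107] openat(AT_FDCWD, "/etc/httpd/alias/cert8.db", O_RDONLY) = -1 EACCES (Permission denied)
[pid  2107] open("/var/www/html/index.html", O_RDONLY) = -1 ENOENT (No such file or directory)
2109 open("/etc/pki/nssdb/cert9.db", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

if __name__ == "__main__":
    for (pid, path), err in sorted(failed_nss_opens(SAMPLE).items()):
        print(f"pid {pid}: {path} -> {err}")
```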

