Can I and how… delete all certs for all hosts
I mean, we only use FreeIPA for user login/sssd.

That said, do we even need those certs?

Jim Richard
SYSTEM ADMINISTRATOR III

> On Sep 29, 2016, at 8:53 PM, Jim Richard <jrich...@placeiq.com> wrote:
>
> another interesting thing, my httpd/error_logs are constantly getting spammed
> with: (I removed the stuff between the single quotes)
>
> Notice those names don’t match, should they?
>
> Me thinks not since those “principal=“ items are ALMOST all hosts that no
> longer exist in the FreeIPA system. A rare few do exist.
>
> So, that’s weird :)
>
> [Thu Sep 29 20:44:59 2016] [error] ipa: INFO:
> host/aerospike-cl1-203.nym1.placeiq....@placeiq.net:
> cert_request(u’…………………..',
> principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq....@placeiq.net',
> add=True): CertificateOperationError
>
> [Thu Sep 29 20:45:06 2016] [error] ipa: INFO:
> host/aerospike-cl2-210.nym1.placeiq....@placeiq.net:
> cert_request(u’…………………..',
> principal=u'host/017.prod07.nym1.placeiq....@placeiq.net',
> add=True): CertificateOperationError
>
> [Thu Sep 29 20:45:09 2016] [error] ipa: INFO:
> host/adsgateway-14.nym1.placeiq....@placeiq.net:
> cert_request(u’……………………...',
> principal=u'host/025.prod07.nym1.placeiq....@placeiq.net',
> add=True): CertificateOperationError
>
> [Thu Sep 29 20:45:29 2016] [error] ipa: INFO:
> host/ttsandbox-022.nym1.placeiq....@placeiq.net:
> cert_request(u’……………………….',
> principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq....@placeiq.net',
> add=True): CertificateOperationError
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
>
>> On Sep 29, 2016, at 8:11 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Natxo Asenjo wrote:
>>> hi Jim,
>>>
>>> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrich...@placeiq.com> wrote:
>>>
>>> Thanks Rob, that worked.
>>>
>>> Still on the subject of certs, any idea how to solve this error:
>>>
>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>> certificate/key database is in an old, unsupported format.
>>>
>>> I see that in the gui when querying hosts as well as from cli when I
>>> ipa-show or ipa-find
>>>
>>>
>>> I have had this too, and we did not find a solution (search my recent
>>> posts on the archives). As a workaround I have created replicas and
>>> decommissioned the older replicas.
>>
>> On the one hand I'm glad this fixed it for you. On the other it is a rather
>> unsatisfying answer. Unfortunately NSS doesn't always provide the most
>> context with its error messages. This error is usually seen when one tries
>> to open a non-existent database, which in this case is a very strange thing,
>> especially since it goes from working to non-working in the same apache
>> process over a few minutes.
>>
>> I'm not sure how I'd troubleshoot this if it were easily reproducible. I
>> suspect we'd need to figure out which database cannot be found (most likely
>> /etc/httpd/alias) and go from there. An strace is a brute-force way to see
>> the file open but finding the right process to attach to is a bit of an art.
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
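
The comparison raised in the thread (the host principal making the `cert_request` call versus the `principal=` it asks for), as an added example that is not part of the original messages: Python that parses error_log lines in the layout quoted above and lists the mismatches. The sample lines, host names, realm and the `enrolled` set are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout of the ipa lines quoted in the thread: caller principal, then the
# principal= argument passed to cert_request, then the result.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] ipa: INFO: (?P<caller>\S+?): "
    r"cert_request\(.*?principal=u?['\u2019](?P<subject>[^'\u2019]+)['\u2019]"
    r".*?\): (?P<result>\w+)"
)

def mismatched_requests(lines, enrolled=frozenset()):
    """Return cert_request events whose caller differs from the subject.

    enrolled: host principals still present in IPA (assumed to be exported
    separately); used to mark requests for hosts that no longer exist.
    """
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["caller"] == m["subject"]:
            continue
        ev = m.groupdict()
        ev["subject_enrolled"] = ev["subject"] in enrolled
        events.append(ev)
    return events

def callers_by_count(events):
    """Rank requesting hosts by number of mismatched requests."""
    return Counter(ev["caller"] for ev in events).most_common()

# Constructed sample input; host names and realm are placeholders.
R = ".example.test@EXAMPLE.TEST"

def _line(ts, caller, subject, result):
    return ("[Thu Sep 29 %s 2016] [error] ipa: INFO: host/%s%s: "
            "cert_request(u'...', principal=u'host/%s%s', add=True): %s"
            % (ts, caller, R, subject, R, result))

SAMPLE = [
    _line("20:44:59", "web-01", "old-17", "CertificateOperationError"),
    _line("20:45:06", "web-01", "old-18", "CertificateOperationError"),
    _line("20:45:09", "db-02", "db-02", "SUCCESS"),  # names match: skipped
    _line("20:45:29", "app-03", "web-01", "CertificateOperationError"),
    "[Thu Sep 29 20:45:30 2016] [error] unrelated httpd message",
]
ENROLLED = {"host/%s%s" % (h, R) for h in ("web-01", "db-02", "app-03")}

if __name__ == "__main__":
    for ev in mismatched_requests(SAMPLE, ENROLLED):
        print(ev["ts"], ev["caller"], "->", ev["subject"],
              ev["result"], "enrolled=%s" % ev["subject_enrolled"])
```
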