Jim Richard wrote:
another interesting thing, my httpd/error_logs are constantly getting
spammed with: (I removed the stuff between the single quotes)

Notice those names don’t match, should they?

Me thinks not since those "principal=" items are ALMOST all hosts that
no longer exist in the FreeIPA system. A rare few do exist.

So, that’s weird :)

I suspect that certmonger is still tracking certificate(s) on those hosts. You should be able to clear things up on those hosts with something like:

# ipa-getcert list
# ipa-getcert stop-tracking -i <request_id found above>

It's hard to say if the hostname mismatch is expected or not, it depends on how the requests were done initially. The first value in the log represents the principal that did the BIND, so the host to look on is aerospike-cl1-203.nym1.placeiq.net. The second hostname is the principal that the certificate is being requested _for_. This is basically a delegated request.

rob
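To see which of the log entries quoted in this thread point at hosts that are gone, here is an added example (not from the thread or from FreeIPA) that pulls the BIND host and the requested-for host out of such error_log lines and flags the targets that are no longer enrolled; the sample lines, the hostnames and the enrolled-host list are constructed, and feeding that list from `ipa host-find --pkey-only` is an assumption.

```shell
# Added example (not from the thread): pick the BIND host and the requested-for
# host out of httpd error_log "cert_request ... CertificateOperationError" lines
# and flag the targets that are no longer enrolled in IPA.

# Constructed sample lines in the shape of the entries quoted in the thread.
sample_log() {
cat <<'EOF'
[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/node-a.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'host/old-1.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/node-b.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'host/still-here.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/node-a.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'host/old-2.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
[Thu Sep 29 20:45:12 2016] [error] ipa: INFO: host/node-c.example.test@EXAMPLE.TEST: host_show(u'node-c.example.test'): SUCCESS
EOF
}

# Constructed stand-in for the enrolled-host list; in production feed it from
# `ipa host-find --pkey-only` (assumed) or whatever inventory you trust.
enrolled_hosts() {
cat <<'EOF'
node-a.example.test
node-b.example.test
node-c.example.test
still-here.example.test
EOF
}

# Reads a log on stdin; prints "bind_host target_host" for each failed request.
# The first principal is the host that did the BIND (where certmonger is still
# tracking the request); the principal= value is the host the cert is for.
failed_cert_requests() {
    awk -v q="'" '
    function fqdn(p) { sub(/^host\//, "", p); sub(/@.*$/, "", p); return p }
    /cert_request\(.*\): CertificateOperationError$/ {
        bind = $0; sub(/^.*ipa: INFO: /, "", bind); sub(/: cert_request.*$/, "", bind)
        tgt  = $0; sub("^.*principal=u" q, "", tgt); sub(q ".*$", "", tgt)
        print fqdn(bind), fqdn(tgt)
    }'
}

# Keeps only the pairs whose target host is not enrolled any more; the
# ipa-getcert stop-tracking cleanup belongs on the bind host in column 1.
stale_targets() {
    failed_cert_requests | while read -r bind tgt; do
        enrolled_hosts | grep -qxF "$tgt" || echo "$bind $tgt"
    done
}

sample_log | stale_targets
```

Run it against the real log with `stale_targets < /var/log/httpd/error_log` once `enrolled_hosts` is replaced by your own inventory.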


[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq....@placeiq.net: cert_request(u'…………………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq....@placeiq.net: cert_request(u'…………………..', principal=u'host/017.prod07.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq....@placeiq.net: cert_request(u'……………………...', principal=u'host/025.prod07.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq....@placeiq.net: cert_request(u'……………………….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError









On Sep 29, 2016, at 8:11 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

Natxo Asenjo wrote:
hi Jim,

On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrich...@placeiq.com> wrote:

   Thanks Rob, that worked.

   Still on the subject of certs, any idea how to solve this error:

   Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
   certificate/key database is in an old, unsupported format.

   I see that in the gui when querying hosts as well as from cli when I
   ipa-show or ipa-find


I have had this too, and we did not find a solution (search my recent
posts on the archives). As a workaround I have created replicas and
decommissioned the older replicas.

On the one hand I'm glad this fixed it for you. On the other it is a
rather unsatisfying answer. Unfortunately NSS doesn't always provide
the most context with its error messages. This error is usually seen
when one tries to open a non-existent database, which in this case is
a very strange thing, especially since it goes from working to
non-working in the same apache process over a few minutes.

I'm not sure how I'd troubleshoot this if it were easily reproducible.
I suspect we'd need to figure out which database cannot be found (most
likely /etc/httpd/alias) and go from there. An strace is a brute-force
way to see the file open but finding the right process to attach to is
a bit of an art.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
