I don't quite understand your situation - did the error happen during the addition of the host to the "ipaservers" group or during replica installation?

Certutil is a wonderful piece of software that returns "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have never seen an actual legacy database. Usually, this error means that the directory you're pointing the certutil tool to either does not exist or you don't have the permissions to read/write in this exact directory.


P.S.: I might have sent you this email twice because I am a bad person when it comes to the "Send" button, please reply to the email which has "freeipa-users" in CC :)

On 02/23/2017 10:38 PM, Steve Huston wrote:
I already had to do that previously to get other things to work; I had
solved it by changing line 582 of
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from
"::1" to "localhost" before installing the server.  I did do this on
the to-be-promoted client as well, to no avail.

On Thu, Feb 23, 2017 at 4:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Steve Huston wrote:
Next stage of my testing was to make a replica of the FreeIPA server,
and I started by doing a 'yum install ipa-server' and then moved on to
adding the host to the ipaservers group.  This fails every time
however, with the error:

ipa: ERROR: cannot connect to
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

Searches on this seem to turn up things like expired certificates, or
"reboot httpd" (I went ahead and rebooted the whole ipa server), but
nothing concrete.  Suggestions?  Everything (server and soon-to-be
replica) running RHEL7.3 with all updates.

See the workaround in https://fedorahosted.org/freeipa/ticket/6575#comment:9
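
The two usual causes named in the top reply (the directory passed to certutil does not exist, or the user lacks read/write permission on it) can be checked before certutil is run. This is an added example, not part of the original thread; the function name `nssdb_state` and its result strings are assumptions made for illustration, and it inspects file names only, not database contents.

```shell
#!/bin/sh
# Added example: classify an NSS database directory before pointing
# certutil at it. nssdb_state and its result strings are hypothetical names.
nssdb_state() {
    nss_dir=$1
    # certutil's -d argument may carry a "sql:" or "dbm:" prefix; strip it.
    nss_dir=${nss_dir#sql:}
    nss_dir=${nss_dir#dbm:}

    if [ ! -e "$nss_dir" ]; then
        echo "missing"; return 1
    fi
    if [ ! -d "$nss_dir" ]; then
        echo "not-a-directory"; return 1
    fi
    # Read + search are needed to open the database, write to modify it.
    if [ ! -r "$nss_dir" ] || [ ! -x "$nss_dir" ]; then
        echo "no-read-access"; return 1
    fi

    nss_fmt=""
    # SQLite format: cert9.db + key4.db. Legacy DBM format: cert8.db + key3.db.
    # Only the file names are checked here, not the database contents.
    if [ -f "$nss_dir/cert9.db" ] && [ -f "$nss_dir/key4.db" ]; then
        nss_fmt="sql"
    fi
    if [ -f "$nss_dir/cert8.db" ] && [ -f "$nss_dir/key3.db" ]; then
        nss_fmt="${nss_fmt:+$nss_fmt+}dbm"
    fi
    if [ -z "$nss_fmt" ]; then
        echo "no-database"; return 1
    fi

    if [ -w "$nss_dir" ]; then
        echo "$nss_fmt read-write"
    else
        echo "$nss_fmt read-only"
    fi
    return 0
}

# Usage: sh nssdb_state.sh /path/to/nssdb
[ "$#" -eq 0 ] || nssdb_state "$1"
```

Run it as the same user that hits the error, since the permission checks reflect the calling user.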

