Re: [Freeipa-users] Certificate format error reported by GUI

2016-10-01 Thread Jim Richard
Hi Pavel:

Yes, my httpd logs were flooded with cert errors from hosts trying to renew 
bogus certs.

How 100 or so out of 1000 hosts ended up with certs that were not valid is 
unknown at this time but using Ansible I cleaned all those up and it looks like 
I’m in good shape now.

Here’s the playbook I used to find certs that were problematic and tell 
certmonger to stop tracking them:

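---
# Stop certmonger from tracking the problematic certificate requests on each host.
- hosts: ipa-hosts
  gather_facts: False

  tasks:

  # Collect the request IDs printed by "ipa-getcert list -r".
  - name: get request id
    shell: ipa-getcert list -r |gawk -F\' '/Request/ {print $2}'
    register: my_id

  #- debug: var=my_id

  # Tell certmonger to stop tracking each collected request ID.
  - name: kill bad certs
    shell: ipa-getcert stop-tracking -i {{ item }}
    with_items: "{{ my_id.stdout_lines }}"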


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

> On Sep 30, 2016, at 3:42 AM, Pavel Vomacka wrote:
> 
> Ah, ok, does /var/log/httpd/error_log contain any error after looking at 
> hosts using GUI? And could you please send output of ipactl status after the 
> error occurs? 
> 
> On 09/30/2016 02:40 AM, Jim Richard wrote:
>> Hi Paul, 3.0.0 on CentOS 6.8
>> 
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>> 
>>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka wrote:
>>> 
>>> Hello,
>>> 
>>> which version of FreeIPA do you use?
>>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>>> When I try to look at hosts under the hosts tab. ipactl restart or just 
>>>> restarting httpd seems to clear it up for a short period.
>>>> 
>>>> Three replicas in the environment, it only happens when I look at hosts 
>>>> using the GUI at one of the three replicas.
>>>> 
>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
>>>> database is in an old, unsupported format.
>>>> 
>>>> Jim Richard
>>>> SYSTEM ADMINISTRATOR III
>>>> (646) 338-8905
>>> 
>>> -- 
>>> Pavel^3 Vomacka
>> 
> 
> -- 
> Pavel^3 Vomacka

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
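
A review step that could run before the stop-tracking playbook in the 2016-10-01 message above, as an added example that is not part of the original thread: it reads `ipa-getcert list` output and prints each request ID whose status is not MONITORING, so the IDs can be checked before certmonger is told to drop them. The sample output and the function names `sample_list` and `flag_requests` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipa-getcert list` output (not taken from the thread).
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160901120001':
	status: MONITORING
	stuck: no
	expires: 2018-09-01 12:00:01 UTC
Request ID '20160901120002':
	status: CA_UNREACHABLE
	stuck: no
	expires: 2016-09-20 08:15:44 UTC
Request ID '20160901120003':
	status: NEED_GUIDANCE
	stuck: yes
EOF
}

# Read `ipa-getcert list` output on stdin and print "<request id> <status>"
# for every request whose status is anything other than MONITORING.
flag_requests() {
  awk -F"'" '
    /^Request ID/ { id = $2; next }          # remember the current request ID
    /^[[:space:]]*status:/ {
      sub(/^[[:space:]]*status:[[:space:]]*/, "")   # keep only the status value
      if ($0 != "MONITORING") print id, $0
    }'
}

# On a real host: ipa-getcert list | flag_requests
sample_list | flag_requests
```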

Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-30 Thread Pavel Vomacka
Ah, ok, does /var/log/httpd/error_log contain any error after looking at 
hosts using GUI? And could you please send output of ipactl status after 
the error occurs?

On 09/30/2016 02:40 AM, Jim Richard wrote:
> Hi Paul, 3.0.0 on CentOS 6.8
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905
>
>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka wrote:
>>
>> Hello,
>>
>> which version of FreeIPA do you use?
>>
>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>> When I try to look at hosts under the hosts tab. ipactl restart or 
>>> just restarting httpd seems to clear it up for a short period.
>>>
>>> Three replicas in the environment, it only happens when I look at 
>>> hosts using the GUI at one of the three replicas.
>>>
>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
>>> certificate/key database is in an old, unsupported format.
>>>
>>> Jim Richard
>>> SYSTEM ADMINISTRATOR III
>>> (646) 338-8905
>>
>> --
>> Pavel^3 Vomacka

--
Pavel^3 Vomacka


Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-29 Thread Jim Richard
Hi Paul, 3.0.0 on CentOS 6.8


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka wrote:
> 
> Hello,
> 
> which version of FreeIPA do you use?
> On 09/28/2016 12:42 AM, Jim Richard wrote:
>> When I try to look at hosts under the hosts tab. ipactl restart or just 
>> restarting httpd seems to clear it up for a short period.
>> 
>> Three replicas in the environment, it only happens when I look at hosts 
>> using the GUI at one of the three replicas.
>> 
>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
>> database is in an old, unsupported format.
>> 
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
> 
> -- 
> Pavel^3 Vomacka


Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-29 Thread Pavel Vomacka

Hello,

which version of FreeIPA do you use?

On 09/28/2016 12:42 AM, Jim Richard wrote:
> When I try to look at hosts under the hosts tab. ipactl restart or 
> just restarting httpd seems to clear it up for a short period.
>
> Three replicas in the environment, it only happens when I look at 
> hosts using the GUI at one of the three replicas.
>
> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
> certificate/key database is in an old, unsupported format.
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905

--
Pavel^3 Vomacka


[Freeipa-users] Certificate format error reported by GUI

2016-09-27 Thread Jim Richard
When I try to look at hosts under the hosts tab. ipactl restart or just 
restarting httpd seems to clear it up for a short period.

Three replicas in the environment, it only happens when I look at hosts using 
the GUI at one of the three replicas.


Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
database is in an old, unsupported format.


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

