Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Petr Vobornik
On 09/16/2016 09:39 AM, Natxo Asenjo wrote:
> hi,
> 
> 
> Any clues?
> 

output of
   $ cat error_log | grep INFO -A 1 | cut -c -120
shows that first cert-show was successful. It was followed by cert-request.

cert-request internally called
- host-show
  - cert_show(1) success
  - cert_show(162) success
  -   ipaserver.plugins.dogtag.ra.get_certificate()
 https_request 'https://xx.xxx.xxx.xx:443/ca/agent/ca/displayBySerial'
  - cert_revoke(162, revocation_reason=4)
 - cert_show(162) success
 - cert_show(1) - success
 - ipaserver.plugins.dogtag.ra.revoke_certificate()
   - https_request 'https://xx.xxx.xxx.xx:443/ca/agent/ca/doRevoke'

ends with:

NetworkError
[Thu Sep 15 13:08:23 2016] [error] ipa: DEBUG: response: NetworkError:
cannot connect to 'https://xx.xxx.xxx.xx:443/ca/agent/ca/doRevoke':
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

After it every other communication with CA ends with the issue in subject:

cert_show(u'15'): NetworkError
[Thu Sep 15 13:08:26 2016] [error] ipa: DEBUG: response: NetworkError:
cannot connect to
'https://xx.xxx.xxx.xxl:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.

So the main issue is "NSS could not shutdown." Investigation of that is
beyond me.

Maybe a workaround can be do first revoke existing cert for the host and
then request a new one - which might trigger a different sequence of
calls and hopefully not reproduce the issue. But the issue will be still
present.

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
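Petr's reading of the log (one SEC_ERROR_BUSY, then every later CA call failing with SEC_ERROR_LEGACY_DATABASE) can be automated. The script below is an added example, not code from this thread or from FreeIPA: it pairs each `ipa: INFO:` call line with the `DEBUG: response:` line that follows it, the same pairing the `grep INFO -A 1` above produces, and reports the first NSS failure plus the cascade behind it. The log lines are constructed, modelled on the excerpts quoted in this thread, with a made-up CA hostname.

```python
import re

# Constructed sample, modelled on the error_log excerpts quoted in this thread.
# The CA hostname is made up; the call names and NSS error codes are the ones
# that appear in the thread.
SAMPLE_ERROR_LOG = """\
[Thu Sep 15 13:08:20 2016] [error] ipa: INFO: : cert_show(u'1'): SUCCESS
[Thu Sep 15 13:08:21 2016] [error] ipa: INFO: : cert_show(u'162'): SUCCESS
[Thu Sep 15 13:08:23 2016] [error] ipa: INFO: : cert_revoke(u'162', revocation_reason=4): NetworkError
[Thu Sep 15 13:08:23 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to 'https://ca.example.test:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.
[Thu Sep 15 13:08:26 2016] [error] ipa: INFO: : cert_show(u'15'): NetworkError
[Thu Sep 15 13:08:26 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to 'https://ca.example.test:443/ca/agent/ca/displayBySerial': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
[Thu Sep 15 13:08:30 2016] [error] ipa: INFO:: ping(): SUCCESS
[Thu Sep 15 13:08:31 2016] [error] ipa: INFO: : host_find(u'tftp-1801', all=False, raw=False): CertificateFormatError
[Thu Sep 15 13:08:31 2016] [error] ipa: DEBUG: response: CertificateFormatError: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
"""

# "[timestamp] [error] ipa: LEVEL: body"; the INFO lines carry an extra ":"
# where the principal was stripped ("INFO: :" or "INFO::"), so tolerate it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: (?P<level>INFO|DEBUG):\s*:?\s*(?P<body>.*)$")
# "command(args): OUTCOME" as logged for every RPC call.
CALL_RE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\): (?P<outcome>\w+)$")
# NSS error codes are logged in parentheses inside the response text.
CODE_RE = re.compile(r"\((?P<code>SEC_ERROR_[A-Z0-9_]+)\)")


def parse_events(text):
    """Return one dict per INFO call line (ts, call, outcome, code). The code is
    taken from the DEBUG 'response:' line that follows a failing call."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        if m.group("level") == "INFO":
            c = CALL_RE.match(body)
            if c:
                events.append({"ts": m.group("ts"), "call": c.group("call"),
                               "outcome": c.group("outcome"), "code": None})
        elif body.startswith("response:") and events and events[-1]["code"] is None:
            k = CODE_RE.search(body)
            if k and events[-1]["outcome"] != "SUCCESS":
                events[-1]["code"] = k.group("code")
    return events


def triage(text):
    """Find the first failing call (the likely root cause) and the failures that
    follow it. The interpretation follows Petr Vobornik's reading above: once a
    worker hits SEC_ERROR_BUSY on NSS shutdown, every later CA call in that
    worker reports SEC_ERROR_LEGACY_DATABASE."""
    events = parse_events(text)
    failures = [e for e in events if e["outcome"] != "SUCCESS"]
    if not failures:
        return {"root": None, "cascade": [], "verdict": "no failing calls"}
    root, cascade = failures[0], failures[1:]
    if root["code"] == "SEC_ERROR_BUSY" and cascade and all(
            e["code"] == "SEC_ERROR_LEGACY_DATABASE" for e in cascade):
        verdict = ("first NSS failure is SEC_ERROR_BUSY in %s at %s; the %d later "
                   "SEC_ERROR_LEGACY_DATABASE errors follow the failed NSS shutdown"
                   % (root["call"], root["ts"], len(cascade)))
    else:
        verdict = "first failure: %s -> %s (%s)" % (
            root["call"], root["outcome"], root["code"])
    return {"root": root, "cascade": cascade, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_ERROR_LOG)
    print(result["verdict"])
    for e in result["cascade"]:
        print("  %s %s: %s (%s)" % (e["ts"], e["call"], e["outcome"], e["code"]))
```

Run it against a real `/var/log/httpd/error_log` captured with `debug = True` by reading the file into `triage()`; the first failure it reports is the place to start, not the LEGACY_DATABASE lines that dominate the log afterwards.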


Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Ben Lipton

On 09/16/2016 03:39 AM, Natxo Asenjo wrote:

hi,


On Thu, Sep 15, 2016 at 2:25 PM, Natxo Asenjo wrote:


hi,

attached error_log



Any clues?

Thanks!

--
--
Groeten,
natxo


Sorry, I'm not having any luck tracking down the answer. Maybe someone 
else has an idea.


Looking at the code, /etc/httpd/alias does seem to be the relevant database.

One last thought: does anything change if selinux is in permissive mode? 
Is there anything interesting in /var/log/audit/audit.log? Again, it 
doesn't make a whole lot of sense because it works sometimes, but maybe 
something is changing a few minutes after boot time?
-- 

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Natxo Asenjo
hi,


On Thu, Sep 15, 2016 at 2:25 PM, Natxo Asenjo 
wrote:

> hi,
>
> attached error_log
>


Any clues?

Thanks!

-- 
--
Groeten,
natxo
-- 

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-15 Thread Natxo Asenjo
On Thu, Sep 15, 2016 at 1:03 PM, Ben Lipton wrote:

>
> On 09/15/2016 03:04 AM, Natxo Asenjo wrote:
>
> Hi Ben,
>
> On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton wrote:
>
> One other note - this could be a permissions issue. NSS seems to produce
>> this confusing error message when it can't access the database, even if the
>> format of the database is actually fine.
>>
>> $ sudo chown root:root /tmp/certs
>> $ certutil -N -d /tmp/certs
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
>> database is in an old, unsupported format.
>>
>
> Thanks for the tip. What directory should I check? I have checked:
>
>
> [root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
> -rw-r-. root apache unconfined_u:object_r:cert_t:s0  secmod.db.orig
> -rw-r-. root apache unconfined_u:object_r:cert_t:s0  key3.db.orig
> -rw-r-. root apache unconfined_u:object_r:cert_t:s0  cert8.db.orig
> -rw---. root root   unconfined_u:object_r:cert_t:s0  install.log
> -rw-rw. root apache unconfined_u:object_r:cert_t:s0  pwdfile.txt
> -rw-rw. root apache unconfined_u:object_r:cert_t:s0  secmod.db
> -r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc.orig
> -r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc
> lrwxrwxrwx. root root   system_u:object_r:cert_t:s0  libnssckbi.so ->
> ../../..//usr/lib/libnssckbi.so
> -rw-rw. root apache unconfined_u:object_r:cert_t:s0  key3.db
> -rw-rw. root apache unconfined_u:object_r:cert_t:s0  cert8.db
>
> [root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
> drwxr-xr-x. root root system_u:object_r:cert_t:s0  /etc/httpd/alias/
>
>
> Those seem ok.
> --
> Groeten,
> natxo
>
>
> The other one I know about is:
> # ls -ltrZ /etc/ipa/nssdb
> total 80
> -rw---. 1 root root unconfined_u:object_r:cert_t:s040 Aug 22
> 13:13 pwdfile.txt
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22
> 13:13 secmod.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22
> 13:13 key3.db
> -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22
> 13:13 cert8.db
> # ls -ltrdZ /etc/ipa/nssdb
> drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08
> /etc/ipa/nssdb
>
> I still don't have any good ideas for why it would work for 5 minutes and
> then give an error. If you manage to get a traceback for the
> CertificateFormatError by enabling debug logging, that could be very
> helpful.
>

I do not have that directory (centos 6.8):

 ls -ltrZ /etc/ipa/
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   default.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   ca.crt
drwxr-xr-x. root root system_u:object_r:etc_t:s0   html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   server.conf.bak
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   server.conf


I have enabled debugging:

$ cat /etc/ipa/server.conf
[global]
debug = True

Could I send you the logs privately?


-- 
--
Groeten,
natxo
-- 

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-15 Thread Ben Lipton


On 09/15/2016 03:04 AM, Natxo Asenjo wrote:

Hi Ben,

On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton wrote:


One other note - this could be a permissions issue. NSS seems to
produce this confusing error message when it can't access the
database, even if the format of the database is actually fine.

$ sudo chown root:root /tmp/certs
$ certutil -N -d /tmp/certs
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.


Thanks for the tip. What directory should I check? I have checked:


[root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
-rw-r-. root apache unconfined_u:object_r:cert_t:s0 secmod.db.orig
-rw-r-. root apache unconfined_u:object_r:cert_t:s0 key3.db.orig
-rw-r-. root apache unconfined_u:object_r:cert_t:s0 cert8.db.orig
-rw---. root root   unconfined_u:object_r:cert_t:s0 install.log
-rw-rw. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt
-rw-rw. root apache unconfined_u:object_r:cert_t:s0 secmod.db
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0 cacert.asc.orig
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0 cacert.asc
lrwxrwxrwx. root root   system_u:object_r:cert_t:s0 libnssckbi.so -> 
../../..//usr/lib/libnssckbi.so

-rw-rw. root apache unconfined_u:object_r:cert_t:s0 key3.db
-rw-rw. root apache unconfined_u:object_r:cert_t:s0 cert8.db

[root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/httpd/alias/


Those seem ok.
--
Groeten,
natxo


The other one I know about is:
# ls -ltrZ /etc/ipa/nssdb
total 80
-rw---. 1 root root unconfined_u:object_r:cert_t:s040 Aug 22 
13:13 pwdfile.txt
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 
13:13 secmod.db
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 16384 Aug 22 
13:13 key3.db
-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 65536 Aug 22 
13:13 cert8.db

# ls -ltrdZ /etc/ipa/nssdb
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 73 Sep 14 18:08 
/etc/ipa/nssdb


I still don't have any good ideas for why it would work for 5 minutes 
and then give an error. If you manage to get a traceback for the 
CertificateFormatError by enabling debug logging, that could be very 
helpful.
-- 

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-15 Thread Natxo Asenjo
Hi Ben,

On Wed, Sep 14, 2016 at 2:45 PM, Ben Lipton wrote:

One other note - this could be a permissions issue. NSS seems to produce
> this confusing error message when it can't access the database, even if the
> format of the database is actually fine.
>
> $ sudo chown root:root /tmp/certs
> $ certutil -N -d /tmp/certs
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
> database is in an old, unsupported format.
>

Thanks for the tip. What directory should I check? I have checked:


[root@kdc01 httpd]$ ls -ltrZ /etc/httpd/alias/
-rw-r-. root apache unconfined_u:object_r:cert_t:s0  secmod.db.orig
-rw-r-. root apache unconfined_u:object_r:cert_t:s0  key3.db.orig
-rw-r-. root apache unconfined_u:object_r:cert_t:s0  cert8.db.orig
-rw---. root root   unconfined_u:object_r:cert_t:s0  install.log
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  pwdfile.txt
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  secmod.db
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc.orig
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc
lrwxrwxrwx. root root   system_u:object_r:cert_t:s0  libnssckbi.so ->
../../..//usr/lib/libnssckbi.so
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  key3.db
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  cert8.db

[root@kdc01 httpd]$ ls -ltrdZ /etc/httpd/alias/
drwxr-xr-x. root root system_u:object_r:cert_t:s0  /etc/httpd/alias/


Those seem ok.
--
Groeten,
natxo
-- 

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-14 Thread Ben Lipton

This may be resolved already, but just in case it's helpful:

On 09/13/2016 11:26 AM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi,


On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi,

I can reproduce this every time. Restarting httpd fixes it for a
while,
but then it stops working:

$ ipa cert-show 1
ipa: ERROR: cannot connect to
'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial
':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in
an old,
unsupported format.


It is very strange that it goes from a working to a non-working 
state.


I have only two suggestions:

1. Create /etc/ipa/server.conf with a [global] section and
debug=True in it, restart httpd. Your log will be quite a bit more
verbose but given it reproduces so quickly hopefully won't be too
big a deal. That might show something.


+1 to this. With debug=True there should be tracebacks for your 
CertificateFormatErrors.


2. Try brute force with strace. Finding the right httpd process to
strace can be frustrating but usually there are only 8 and they
rotate so eventually you should get the right one.


Could I send you the log files privately?


Sure.

rob

One other note - this could be a permissions issue. NSS seems to produce 
this confusing error message when it can't access the database, even if 
the format of the database is actually fine.


$ sudo chown root:root /tmp/certs
$ certutil -N -d /tmp/certs
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The 
certificate/key database is in an old, unsupported format.


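Ben's point above, that NSS reports SEC_ERROR_LEGACY_DATABASE when it merely cannot access the database, means the first thing to check is what the service user can actually read. The script below is an added example, not FreeIPA code: it evaluates plain mode bits for a given uid and group set (the `apache` user httpd runs as, for `/etc/httpd/alias`) instead of calling `os.access()`, so it can be run as root and still shows what the unprivileged worker sees. The sample database layout it builds is constructed; only the file names are real NSS ones.

```python
import os
import shutil
import stat
import tempfile

# Real NSS file names for the two database formats.
LEGACY_DBM = ("cert8.db", "key3.db", "secmod.db")   # dbm format, as in /etc/httpd/alias above
SQLITE_DB = ("cert9.db", "key4.db", "pkcs11.txt")    # sqlite format

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def _dac_allows(st, uid, gids, need):
    """Pure owner/group/other mode-bit check for a process with uid/gids; no
    root override, so the answer is what a confined service user gets."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return all((st.st_mode >> shift) & PERM_BITS[p] for p in need)


def diagnose_nssdb(path, uid, gids):
    """Return (db_format, problems) for the NSS database at path as seen by
    uid/gids. db_format is 'dbm', 'sqlite' or 'none'."""
    problems = []
    try:
        st_dir = os.stat(path)
    except OSError as exc:
        return "none", ["%s: %s" % (path, exc.strerror)]
    if not stat.S_ISDIR(st_dir.st_mode):
        return "none", ["%s: not a directory" % path]
    if not _dac_allows(st_dir, uid, gids, ("r", "x")):
        problems.append("%s: directory not readable+searchable by uid %d"
                        % (path, uid))
    try:
        present = set(os.listdir(path))
    except OSError as exc:
        return "none", problems + ["%s: %s" % (path, exc.strerror)]
    if set(LEGACY_DBM) <= present:
        db_format, files = "dbm", LEGACY_DBM
    elif set(SQLITE_DB) <= present:
        db_format, files = "sqlite", SQLITE_DB
    else:
        return "none", problems + ["%s: no complete NSS database found" % path]
    for name in files:
        st = os.stat(os.path.join(path, name))
        if not _dac_allows(st, uid, gids, ("r",)):
            problems.append("%s/%s: not readable by uid %d (mode %o, owner %d:%d)"
                            % (path, name, uid, stat.S_IMODE(st.st_mode),
                               st.st_uid, st.st_gid))
    return db_format, problems


def build_sample_nssdb(root, file_mode=0o640, dir_mode=0o755):
    """Constructed dbm-style layout: owner-readable files that other users cannot
    read, the same shape as a database chown'ed away from the service user."""
    path = os.path.join(root, "alias")
    os.mkdir(path)
    for name in LEGACY_DBM + ("pwdfile.txt",):
        full = os.path.join(path, name)
        with open(full, "wb") as fh:
            fh.write(b"\0")
        os.chmod(full, file_mode)
    os.chmod(path, dir_mode)
    return path


def run_demo(service_uid=65534):
    """Diagnose the constructed database twice: as its owner and as an
    unrelated service uid with no matching group (constructed uid)."""
    root = tempfile.mkdtemp(prefix="nssdb-demo-")
    try:
        path = build_sample_nssdb(root)
        return {"owner": diagnose_nssdb(path, os.getuid(), {os.getgid()}),
                "service": diagnose_nssdb(path, service_uid, set())}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for who, (fmt, problems) in run_demo().items():
        print("%s: format=%s problems=%s" % (who, fmt, problems or "none"))
```

On a server, call `diagnose_nssdb("/etc/httpd/alias", apache_uid, {apache_gid})` with the ids from `id apache`; an empty problem list means DAC is not the cause and SELinux (the audit.log check suggested later in the thread) or the NSS shutdown failure is the next suspect.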


Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-13 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,


On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi,

I can reproduce this every time. Restarting httpd fixes it for a
while,
but then it stops working:

$ ipa cert-show 1
ipa: ERROR: cannot connect to
'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial
':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in
an old,
unsupported format.


It is very strange that it goes from a working to a non-working state.

I have only two suggestions:

1. Create /etc/ipa/server.conf with a [global] section and
debug=True in it, restart httpd. Your log will be quite a bit more
verbose but given it reproduces so quickly hopefully won't be too
big a deal. That might show something.

2. Try brute force with strace. Finding the right httpd process to
strace can be frustrating but usually there are only 8 and they
rotate so eventually you should get the right one.


Could I send you the log files privately?


Sure.

rob



Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-13 Thread Natxo Asenjo
hi,


On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>> hi,
>>
>> I can reproduce this every time. Restarting httpd fixes it for a while,
>> but then it stops working:
>>
>> $ ipa cert-show 1
>> ipa: ERROR: cannot connect to
>> 'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
>> (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
>> unsupported format.
>>
>
> It is very strange that it goes from a working to a non-working state.
>
> I have only two suggestions:
>
> 1. Create /etc/ipa/server.conf with a [global] section and debug=True in
> it, restart httpd. Your log will be quite a bit more verbose but given it
> reproduces so quickly hopefully won't be too big a deal. That might show
> something.
>
> 2. Try brute force with strace. Finding the right httpd process to strace
> can be frustrating but usually there are only 8 and they rotate so
> eventually you should get the right one.
>

Could I send you the log files privately?
--
Groeten,
natxo

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-12 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,

I can reproduce this every time. Restarting httpd fixes it for a while,
but then it stops working:

$ ipa cert-show 1
ipa: ERROR: cannot connect to
'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.


It is very strange that it goes from a working to a non-working state.

I have only two suggestions:

1. Create /etc/ipa/server.conf with a [global] section and debug=True in 
it, restart httpd. Your log will be quite a bit more verbose but given 
it reproduces so quickly hopefully won't be too big a deal. That might 
show something.


2. Try brute force with strace. Finding the right httpd process to 
strace can be frustrating but usually there are only 8 and they rotate 
so eventually you should get the right one.


rob


[jose.admin@kdc01 ~]$ sudo /etc/init.d/httpd restart
Stopping httpd:[  OK  ]
Starting httpd:[  OK  ]
[jose.admin@kdc01 ~]$ ipa cert-show 1
   Certificate:
   Subject: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
   Issuer: CN=Certificate Authority,O=UNIX.DOMAIN.TLD
   Not Before: Wed Nov 07 21:24:15 2012 UTC
   Not After: Sat Nov 07 21:24:15 2020 UTC
   Fingerprint (MD5): 28:18:34:9d:03:99:b8:ff:2b:bd:55:0a:65:bf:d4:f2
   Fingerprint (SHA1):
6f:e1:a4:4f:47:ec:9c:c4:ad:b9:b9:fc:e8:f4:33:4b:0a:cb:43:3e
   Serial number (hex): 0x1
   Serial number: 1

And a few minutes later (5, maximum 10), then I get the
SEC_ERROR_LEGACY_DATABASE error. No traceback in /var/log/httpd/error_log.

This is the first CA domain controller.

I am leaving this job in a few weeks, so I would like to leave
everything working properly. Would it be better to upgrade the domain
controllers to centos 7 (right now running centos 6.8, fully patched).

Thanks for your input.

--
regards,
natxo



On Thu, Sep 8, 2016 at 6:30 PM, Natxo Asenjo wrote:



On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:

I do see these errors:
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO: :
host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False,
pkey_only=False): CertificateFormatError
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: :
host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False,
pkey_only=False): CertificateFormatError
[Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS
[Wed Sep 07 15:57:58 2016] [error] ipa: INFO: :
host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False,
pkey_only=False): CertificateFormatErro


On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo wrote:


 alas, not working again.

 On the one kdc

 $ ipa host-find tftp-1801
 ipa: ERROR: Certificate format error:
(SEC_ERROR_LEGACY_DATABASE)
 The certificate/key database is in an old, unsupported
format.

 On the other:

 $ ipa host-find tftp-1801
 --
   

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-08 Thread Natxo Asenjo
On Thu, Sep 8, 2016 at 3:25 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>> I do see these errors:
>> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
>> [Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>> all=False, raw=False, version=u'2.49', no_members=False,
>> pkey_only=False): CertificateFormatError
>> [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
>> [Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>> all=False, raw=False, version=u'2.49', no_members=False,
>> pkey_only=False): CertificateFormatError
>> [Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS
>> [Wed Sep 07 15:57:58 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
>> all=False, raw=False, version=u'2.49', no_members=False,
>> pkey_only=False): CertificateFormatErro
>>
>>
>> On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo wrote:
>>
>>
>> alas, not working again.
>>
>> On the one kdc
>>
>> $ ipa host-find tftp-1801
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE)
>> The certificate/key database is in an old, unsupported format.
>>
>> On the other:
>>
>> $ ipa host-find tftp-1801
>> --
>> 1 host matched
>> --
>>Host name: tftp-1801.sub.domain.tld
>> .
>>
>> After rebooting the kdc with the error, no new tracebacks in the
>> error_log
>>
>
> No new tracebacks but still not working?
>
> The CertificateFormatError is the server logging the equivalent of what
> you're seeing in the client.
>
> rob
>


that's right.

Is there anything else I can look at?


-- 
--
Groeten,
natxo

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
I do see these errors:
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO:: ping(): SUCCESS
[Wed Sep 07 15:56:13 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False, pkey_only=False):
CertificateFormatError
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : ping(): SUCCESS
[Wed Sep 07 15:56:44 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False, pkey_only=False):
CertificateFormatError
[Wed Sep 07 15:57:57 2016] [error] ipa: INFO: : ping(): SUCCESS
[Wed Sep 07 15:57:58 2016] [error] ipa: INFO: : host_find(u'tftp-1801',
all=False, raw=False, version=u'2.49', no_members=False, pkey_only=False):
CertificateFormatErro


On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo wrote:

>
> alas, not working again.
>
> On the one kdc
>
> $ ipa host-find tftp-1801
> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
> certificate/key database is in an old, unsupported format.
>
> On the other:
>
> $ ipa host-find tftp-1801
> --
> 1 host matched
> --
>   Host name: tftp-1801.sub.domain.tld
> .
>
> After rebooting the kdc with the error, no new tracebacks in the error_log
>
> Strange
>
> --
> --
> Groeten,
> natxo
>



-- 
--
Groeten,
natxo

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
alas, not working again.

On the one kdc

$ ipa host-find tftp-1801
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.

On the other:

$ ipa host-find tftp-1801
--
1 host matched
--
  Host name: tftp-1801.sub.domain.tld
.

After rebooting the kdc with the error, no new tracebacks in the error_log

Strange

-- 
--
Groeten,
natxo

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Rob Crittenden

Natxo Asenjo wrote:



On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:

hi,

using centos 6.8 (server and client), when trying to view some
hosts we
get this error:


$ ipa host-find host-1920.sub.domain.tld
ipa: ERROR: Certificate format error:
(SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.


I saw a thread last year about this, but no solution.

Any clues?


/var/log/httpd/error_log may contain a traceback


This made me take a look at a replica and there I could not replicate
the error, I got the info I requested.

In the apache error file I saw indeed a traceback:

  [Sun Sep 04 03:21:31 2016] [error] ipa: ERROR: non-public:
XMLSyntaxError: None
[Sun Sep 04 03:21:31 2016] [error] Traceback (most recent call last):
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
wsgi_execute
[Sun Sep 04 03:21:31 2016] [error] result =
self.Command[name](*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Sun Sep 04 03:21:31 2016] [error] ret = self.run(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Sun Sep 04 03:21:31 2016] [error] return self.execute(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 362, in
execute
[Sun Sep 04 03:21:31 2016] [error] result =
api.Command['cert_show'](unicode(serial))['result']
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Sun Sep 04 03:21:31 2016] [error] ret = self.run(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Sun Sep 04 03:21:31 2016] [error] return self.execute(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 493, in
execute
[Sun Sep 04 03:21:31 2016] [error]
result=self.Backend.ra.get_certificate(serial_number)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line
1489, in get_certificate
[Sun Sep 04 03:21:31 2016] [error] parse_result =
self.get_parse_result_xml(http_body, parse_display_cert_xml)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line
1350, in get_parse_result_xml
[Sun Sep 04 03:21:31 2016] [error] doc = etree.fromstring(xml_text,
parser)
[Sun Sep 04 03:21:31 2016] [error]   File "lxml.etree.pyx", line 2532,
in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1545, in
lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1424, in
lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 938, in
lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 539, in
lxml.etree._ParserContext._handleParseResultDoc
(src/lxml/lxml.etree.c:63824)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 625, in
lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 576, in
lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64260)
[Sun Sep 04 03:21:31 2016] [error] XMLSyntaxError: None


restarting httpd fixed the issue. Thanks!

Looking into apache never occurred to me, freeipa really is a web
service although it provides infrastructure services.


Yeah, there are a lot of moving parts, that's for sure.

Makes me wonder if httpd should be restarted as part of the upgrade.

rob



Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>> hi,
>>
>> using centos 6.8 (server and client), when trying to view some hosts we
>> get this error:
>>
>>
>> $ ipa host-find host-1920.sub.domain.tld
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>> certificate/key database is in an old, unsupported format.
>>
>>
>> I saw a thread last year about this, but no solution.
>>
>> Any clues?
>>
>
> /var/log/httpd/error_log may contain a traceback


This made me take a look at a replica and there I could not replicate the
error, I got the info I requested.

In the apache error file I saw indeed a traceback:

 [Sun Sep 04 03:21:31 2016] [error] ipa: ERROR: non-public: XMLSyntaxError:
None
[Sun Sep 04 03:21:31 2016] [error] Traceback (most recent call last):
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in
wsgi_execute
[Sun Sep 04 03:21:31 2016] [error] result = self.Command[name](*args,
**options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Sun Sep 04 03:21:31 2016] [error] ret = self.run(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Sun Sep 04 03:21:31 2016] [error] return self.execute(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 362, in
execute
[Sun Sep 04 03:21:31 2016] [error] result =
api.Command['cert_show'](unicode(serial))['result']
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
[Sun Sep 04 03:21:31 2016] [error] ret = self.run(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 750, in run
[Sun Sep 04 03:21:31 2016] [error] return self.execute(*args, **options)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py", line 493, in
execute
[Sun Sep 04 03:21:31 2016] [error]
result=self.Backend.ra.get_certificate(serial_number)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1489,
in get_certificate
[Sun Sep 04 03:21:31 2016] [error] parse_result =
self.get_parse_result_xml(http_body, parse_display_cert_xml)
[Sun Sep 04 03:21:31 2016] [error]   File
"/usr/lib/python2.6/site-packages/ipaserver/plugins/dogtag.py", line 1350,
in get_parse_result_xml
[Sun Sep 04 03:21:31 2016] [error] doc = etree.fromstring(xml_text,
parser)
[Sun Sep 04 03:21:31 2016] [error]   File "lxml.etree.pyx", line 2532, in
lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1545, in
lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 1424, in
lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 938, in
lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 539, in
lxml.etree._ParserContext._handleParseResultDoc
(src/lxml/lxml.etree.c:63824)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 625, in
lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
[Sun Sep 04 03:21:31 2016] [error]   File "parser.pxi", line 576, in
lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64260)
[Sun Sep 04 03:21:31 2016] [error] XMLSyntaxError: None


restarting httpd fixed the issue. Thanks!

Looking into apache never occurred to me, freeipa really is a web service
although it provides infrastructure services.

--
Groeten,
natxo

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,

using centos 6.8 (server and client), when trying to view some hosts we
get this error:


$ ipa host-find host-1920.sub.domain.tld
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.


I saw a thread last year about this, but no solution.

Any clues?


/var/log/httpd/error_log may contain a traceback.

rob



Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
On Wed, Sep 7, 2016 at 2:10 PM, Natxo Asenjo wrote:

> hi,
>
> using centos 6.8 (server and client), when trying to view some hosts we
> get this error:
>
>
> $ ipa host-find host-1920.sub.domain.tld
> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
> certificate/key database is in an old, unsupported format.
>

this is happening wih all the host objects (all enrolled with
certificates). I don't usually look at the hosts objects that much, but
yesterday patches were applied and the ipa-server package was updated
(among other things):

Updated ipa-server-3.0.0-50.el6.centos.1.i686
Update 3.0.0-50.el6.centos.2.i686

So it looks like this is the culprit?


--
Groeten,
natxo

[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
hi,

using centos 6.8 (server and client), when trying to view some hosts we get
this error:


$ ipa host-find host-1920.sub.domain.tld
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.


I saw a thread last year about this, but no solution.

Any clues?

Thanks
--
Groeten,
natxo