Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread Petr Vobornik

On 05/29/2015 11:18 AM, David Lin wrote:

The other hosts do not have a certificate set.


What IPA version is it?

host-find/show should use the /etc/httpd/alias dir, as Martin wrote. Could 
you check if there is anything wrong with this directory, e.g. missing 
files, missing dir, wrong SELinux context? Do you have a SELinux error?


My default installation has:

ls -l -a -Z /etc/httpd/alias/
drwxr-xr-x. root root   system_u:object_r:cert_t:s0  .
drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
-r--r--r--. root root   unconfined_u:object_r:cert_t:s0  cacert.asc
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  cert8.db
-rw-r-. root apache system_u:object_r:cert_t:s0  cert8.db.orig
-rw---. root root   system_u:object_r:cert_t:s0  install.log
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  key3.db
-rw-r-. root apache system_u:object_r:cert_t:s0  key3.db.orig
lrwxrwxrwx. root root   system_u:object_r:cert_t:s0  libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  pwdfile.txt
-rw-rw. root apache unconfined_u:object_r:cert_t:s0  secmod.db
-rw-r-. root apache system_u:object_r:cert_t:s0  secmod.db.orig

ls -l -a -Z /etc/httpd/

drwxr-xr-x. root root system_u:object_r:cert_t:s0  alias



Another way would be to check whether the initialization really uses the 
/etc/httpd/alias dir.


This could be done by inserting

  print dbdir

into the

  def load_certificate

function in /usr/lib/python2.7/site-packages/ipalib/x509.py, line ~112.


Output will be in /var/log/httpd/error_log.




--
Petr Vobornik
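An added check (not from the thread and not FreeIPA's own code) that automates the directory inspection Petr asks for above: it reports a missing directory, missing or unreadable cert8.db/key3.db/secmod.db, and a SELinux type other than cert_t, each of which NSS can surface as SEC_ERROR_LEGACY_DATABASE. The function names are my own; the file names and the cert_t label come from the listing in this message.

```python
import os
import tempfile

# Files a FreeIPA-managed httpd NSS database is expected to contain
# (names taken from the /etc/httpd/alias listing in the thread).
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

def selinux_type(path):
    """SELinux type of path (e.g. 'cert_t'), or None when no label is readable."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        label = os.getxattr(path, "security.selinux")  # b'system_u:object_r:cert_t:s0\x00'
    except OSError:
        return None
    parts = label.rstrip(b"\x00").decode(errors="replace").split(":")
    return parts[2] if len(parts) >= 3 else None

def check_nss_dir(dbdir, expected_type="cert_t"):
    """List conditions that stop NSS opening dbdir; each one can surface as
    SEC_ERROR_LEGACY_DATABASE. expected_type=None skips the SELinux check."""
    if not os.path.isdir(dbdir):
        return ["%s is missing or not a directory" % dbdir]
    problems = []
    if not os.access(dbdir, os.R_OK | os.X_OK):
        problems.append("%s is not readable/searchable by uid %d" % (dbdir, os.getuid()))
    paths = [os.path.join(dbdir, name) for name in NSS_DB_FILES]
    for path in paths:
        if not os.path.isfile(path):
            problems.append("missing %s" % path)
        elif not os.access(path, os.R_OK):
            problems.append("%s is not readable by uid %d" % (path, os.getuid()))
    for path in ([dbdir] + paths if expected_type else []):
        seen = selinux_type(path)
        if seen is not None and seen != expected_type:
            problems.append("%s has SELinux type %s, expected %s" % (path, seen, expected_type))
    return problems

def demo_on_constructed_dir():
    # Constructed sample: an empty temp dir (three files missing), then a populated one.
    dbdir = tempfile.mkdtemp()
    before = check_nss_dir(dbdir, expected_type=None)
    for name in NSS_DB_FILES:
        open(os.path.join(dbdir, name), "wb").close()
    return before, check_nss_dir(dbdir, expected_type=None)

if __name__ == "__main__":  # default dir used by ipa host-find/host-show, per the thread
    print("\n".join(check_nss_dir("/etc/httpd/alias") or ["no problems found"]))
```

Run it as the same user httpd runs as (apache) to reproduce the readability checks NSS itself performs.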

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread David Lin

The other hosts do not have a certificate set.

Thanks,
David




Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread Petr Vobornik

On 05/29/2015 10:45 AM, David Lin wrote:

ipa host-find produces this:
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.

and ipa host-show on only one of the hosts shows
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.

All the other hosts are fine.


Does any other host have a certificate set? I want to find out if it fails 
on a specific certificate and not on other(s) or if it fails for all 
hosts with a certificate set.


The SEC_ERROR_LEGACY_DATABASE error suggests that it fails on initialization 
of the NSS database, which is not dependent on the stored certificate.





--
Petr Vobornik



Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread David Lin
ipa host-find produces this:
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.

and ipa host-show on only one of the hosts shows
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The 
certificate/key database is in an old, unsupported format.

All the other hosts are fine.

Thanks!
David
 


Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread Petr Vobornik

On 05/29/2015 10:02 AM, Martin Kosek wrote:

On 05/29/2015 01:27 AM, David Lin wrote:

Hi,
When I try to add multiple hosts, on the web UI, when I go to the host tab,


This means that the Web UI calls `ipa host-find` and a couple of `ipa 
host-show` commands. Could you try it in the CLI to find out which command fails?


So do other Web UI tabs work? Does the service tab work (services have some 
common logic with hosts)?



I get

Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.

What does this mean?


NSS returns SEC_ERROR_LEGACY_DATABASE when it can't read the database 
directory (for any reason, including a non-existent directory).




That's strange. CCing Petr. Maybe the /etc/httpd/alias NSS database was
somehow damaged? Although I doubt that; in that case Apache would not even be
able to serve https.


+1







--
Petr Vobornik



Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread Martin Kosek

On 05/29/2015 01:27 AM, David Lin wrote:

Hi,
When I try to add multiple hosts, on the web UI, when I go to the host tab, I 
get
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
database is in an old, unsupported format.

What does this mean?


That's strange. CCing Petr. Maybe the /etc/httpd/alias NSS database was somehow 
damaged? Although I doubt that; in that case Apache would not even be able to serve 
https.



On one of the hosts, I do notice that when I do

ipa host-show

there is no certificate listed.


If you are using FreeIPA 4.1+, this is expected:

https://fedorahosted.org/freeipa/ticket/4449

Martin



[Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-28 Thread David Lin
Hi,
When I try to add multiple hosts, on the web UI, when I go to the host tab, I 
get
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
database is in an old, unsupported format.

What does this mean?
On one of the hosts, I do notice that when I do

ipa host-show

there is no certificate listed.

Thanks,
David


