The prelink trick worked, it's all "green" now. However, both the "ipsec checknss" and "ipsec initnss" commands result in the mentioned error. See below:
---------------------------------------
[root@fr4 logs]# ipsec checknss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Failed to initialize nss database sql:/etc/ipsec.d
[root@fr4 logs]# ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Failed to initialize nss database sql:/etc/ipsec.d
---------------------------------------

Tomas

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Friday, September 25, 2015 8:21 PM
To: Tomas France
Cc: [email protected]
Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS 5

On Fri, 25 Sep 2015, Tomas France wrote:

> Subject: Re: [Swan] Cannot compile Libreswan 3.14 and newer on CentOS
> 5
>
> OK, one more problem it seems. The RPM is installed and "ipsec verify"
> shows all green, except for "prelink" which shows "present" in yellow
> but that's probably not important for now.

it only matters if you will run in FIPS mode, in which case I recommend:

    prelink -ua
    rpm -e prelink

> But when starting the ipsec service, I now get this error:
>
> ----------------------
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
> Failed to initialize nss database sql:/etc/ipsec.d .Initializing NSS
> database See 'man pluto' if you want to protect the NSS database with
> a password
>
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
> Failed to initialize nss database sql:/etc/ipsec.d
> ----------------------
>
> I have not seen anything similar before.

The ipsec service should automatically have migrated that.
Can you run:

    ipsec checknss

it should convert from the old db files to the new db files. Or if you never used NSS before and have no certificates or raw keys generated, you can start a fresh one using:

    ipsec initnss

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
