Jim Richard wrote:
Can I and how…

delete all certs for all hosts

I mean, we only use FreeIPA for user login/sssd

That said, do we even need those certs?

There is no simple answer, really.

Yes, you can delete all certs for all hosts (not recommended as some of those are for IPA services). I doubt it would do anything positive and if the certificate is tracked by certmonger on the client it would eventually renew.

Do you need the certs? Only you would know that, but chances are the vast majority aren't being used.

In 3.0 when a client is registered a host certificate is obtained for it. This certificate was never used and in 4.something it isn't requested at all unless an option is passed to ipa-client-install.

rob


On Sep 29, 2016, at 8:53 PM, Jim Richard <jrich...@placeiq.com> wrote:

another interesting thing, my httpd/error_logs are constantly getting
spammed with: (I removed the stuff between the single quotes)

Notice those names don’t match, should they?

Methinks not, since those "principal=" items are ALMOST all hosts that
no longer exist in the FreeIPA system. A rare few do exist.

So, that’s weird :)

[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq....@placeiq.net: cert_request(u'…………………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq....@placeiq.net: cert_request(u'…………………..', principal=u'host/017.prod07.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq....@placeiq.net: cert_request(u'……………………...', principal=u'host/025.prod07.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq....@placeiq.net: cert_request(u'……………………….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq....@placeiq.net', add=True): CertificateOperationError

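As an added example (not from the thread or the FreeIPA project): a small Python audit for error_log lines of the shape quoted above. It flags a cert_request when the host principal that authenticated to the API differs from the principal named in the request, when the requested host is not on a list of currently enrolled hosts, or when the CA rejected the request. The sample lines, the example.test domain and the enrolled-host list are constructed here because the real names in the mail are elided; in practice the enrolled list would come from `ipa host-find`.

```python
import re
from collections import namedtuple

# Matches the httpd error_log lines quoted above (domain/realm values below are constructed).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: INFO: (?P<caller>host/\S+?): "
    r"cert_request\(u?'[^']*', principal=u?'(?P<principal>[^']+)', "
    r"add=(?:True|False)\): (?P<result>\S+)$"
)
CertRequest = namedtuple("CertRequest", "ts caller principal result")

def parse_line(line):
    """Return a CertRequest for a cert_request log line, else None."""
    m = LOG_RE.match(line.strip())
    return CertRequest(m["ts"], m["caller"], m["principal"], m["result"]) if m else None

def host_of(principal):
    """'host/fqdn@REALM' -> 'fqdn', lowercased for comparison."""
    return principal.split("/", 1)[1].split("@", 1)[0].lower()

def audit(log_text, enrolled_hosts):
    """One finding per cert_request line that deserves a look: caller asked for a cert
    in another host's name, the requested host is no longer enrolled, or the CA said no."""
    enrolled = {h.lower() for h in enrolled_hosts}
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        caller, wanted = host_of(req.caller), host_of(req.principal)
        flags = []
        if caller != wanted:
            flags.append("principal-mismatch")
        if wanted not in enrolled:
            flags.append("host-not-enrolled")
        if req.result != "SUCCESS":
            flags.append("failed:" + req.result)
        if flags:
            findings.append({"ts": req.ts, "caller": caller, "requested": wanted, "flags": flags})
    return findings

# Constructed sample lines in the shape of the quoted log (not the real ones).
SAMPLE_LOG = """\
[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'host/sbtt-nyc1-028.thum01.nym1.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/web-01.nym1.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'host/web-01.nym1.example.test@EXAMPLE.TEST', add=True): SUCCESS
[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.example.test@EXAMPLE.TEST: cert_request(u'MIIC...', principal=u'host/ttsandbox-022.nym1.example.test@EXAMPLE.TEST', add=True): CertificateOperationError
"""
ENROLLED = ["aerospike-cl1-203.nym1.example.test", "web-01.nym1.example.test"]
```

Calling `audit(SAMPLE_LOG, ENROLLED)` returns two findings: the first line is a mismatch against a host that is no longer enrolled, the third a failed request for an unenrolled host, and the successful self-request for web-01 is not reported.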

On Sep 29, 2016, at 8:11 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

Natxo Asenjo wrote:
hi Jim,

On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrich...@placeiq.com> wrote:

   Thanks Rob, that worked.

   Still on the subject of certs, any idea how to solve this error:

   Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
   certificate/key database is in an old, unsupported format.

   I see that in the gui when querying hosts as well as from cli when I
   ipa-show or ipa-find


I have had this too, and we did not find a solution (search my recent
posts on the archives). As a workaround I have created replicas and
decommissioned the older replicas.

On the one hand I'm glad this fixed it for you. On the other it is a
rather unsatisfying answer. Unfortunately NSS doesn't always provide
the most context with its error messages. This error is usually seen
when one tries to open a non-existent database, which in this case is
a very strange thing, especially since it goes from working to
non-working in the same apache process over a few minutes.

I'm not sure how I'd troubleshoot this if it were easily
reproducible. I suspect we'd need to figure out which database cannot
be found (most likely /etc/httpd/alias) and go from there. An strace
is a brute-force way to see the file open but finding the right
process to attach to is a bit of an art.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project