Hi Pavel:

Yes, my httpd logs were flooded with cert errors from hosts trying to renew 
bogus certs.

How 100 or so out of 1000 hosts ended up with certs that were not valid is 
unknown at this time, but using Ansible I cleaned all those up and it looks like 
I’m in good shape now.

Here’s the playbook I used to find certs that were problematic and tell 
certmonger to stop tracking them:

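---
# Find certmonger requests that are not in a final state and stop tracking them.
- hosts: ipa-hosts
  gather_facts: False

  tasks:

  # "ipa-getcert list -r" lists only requests still being enrolled or refreshed;
  # gawk splits on the single quote to pull the ID out of "Request ID '<id>':".
  - name: get request id
    shell: ipa-getcert list -r |gawk -F\' '/Request/ {print $2}'
    register: my_id

  #- debug: var=my_id

  # Tell certmonger to stop tracking every request ID collected above.
  - name: kill bad certs
    shell: ipa-getcert stop-tracking -i {{ item }}
    with_items: "{{ my_id.stdout_lines }}"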


Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


> On Sep 30, 2016, at 3:42 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:
> 
> Ah, ok, does /var/log/httpd/error_log contain any error after looking at 
> hosts using GUI? And could you please send output of ipactl status after the 
> error occurs? 
> 
> On 09/30/2016 02:40 AM, Jim Richard wrote:
>> Hi Paul, 3.0.0 on CentOS 6.8
>> 
>> 
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>> 
>> 
>>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka <pvoma...@redhat.com> wrote:
>>> 
>>> Hello,
>>> 
>>> which version of FreeIPA do you use?
>>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>>> When I try to look at hosts under the hosts tab. ipactl restart or just 
>>>> restarting httpd seems to clear it up for a short period.
>>>> 
>>>> Three replicas in the environment, it only happens when I look at hosts 
>>>> using the GUI at one of the three replicas.
>>>> 
>>>> 
>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key 
>>>> database is in an old, unsupported format.
>>>> 
>>>> 
>>>> Jim Richard
>>>> SYSTEM ADMINISTRATOR III
>>>> (646) 338-8905
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> -- 
>>> Pavel^3 Vomacka
>> 
> 
> -- 
> Pavel^3 Vomacka
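
An added example, not part of the original message or of FreeIPA/certmonger: a narrower variant of the cleanup above that anchors on the "Request ID" record header, selects requests only by an explicit status list, and previews before running stop-tracking. The function names, the sample output and the chosen status list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The sample below is constructed; request IDs and hosts are made up.
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
	status: MONITORING
	subject: CN=good.example.test,O=EXAMPLE.TEST
Request ID '20160101000002':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry.
	subject: CN=stale.example.test,O=EXAMPLE.TEST
Request ID '20160101000003':
	status: CA_REJECTED
	ca-error: Request 'x' was rejected (constructed line containing the word Request).
	subject: CN=bogus.example.test,O=EXAMPLE.TEST
EOF
}

# Read `ipa-getcert list` text on stdin; print "<id> <status> <subject>" for every
# request whose status is in the space-separated list given as $1 (hypothetical helper).
bad_requests() {
    awk -v want="$1" -v q="'" '
        function emit() { if (id != "" && (st in bad)) print id, st, subj }
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        # Anchor on the record header so "Request" inside an error message is ignored.
        index($0, "Request ID " q) == 1 { emit(); split($0, p, q); id = p[2]; st = subj = ""; next }
        /^[ \t]*status:/  { st = $2 }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subj = $0 }
        END { emit() }
    '
}

# Read the lines produced by bad_requests; preview by default, and call
# ipa-getcert only when DRY_RUN=0 is set (hypothetical helper).
stop_tracking() {
    while read -r id status subject; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would stop tracking $id ($status, $subject)"
        else
            ipa-getcert stop-tracking -i "$id" </dev/null
        fi
    done
}

# Preview against the constructed sample. On a real host the pipeline would be:
#   ipa-getcert list | bad_requests "CA_UNREACHABLE CA_REJECTED" | DRY_RUN=0 stop_tracking
sample_list | bad_requests "CA_UNREACHABLE CA_REJECTED" | stop_tracking
```

Reviewing the dry-run output per host before setting DRY_RUN=0 keeps healthy MONITORING requests from being dropped along with the bad ones.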

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
