All current servers, Apache and 389-ds, currently use the older dbm-based NSS databases which are prone to corruption when accessed in parallel.
ipa-server-certinstall will modify the certificates while the Apache and/or 389-ds services are running, which can provoke such corruption.
Ideally the switch to sqlite databases would be done (mod_nss supports this), but given the complexity of that, simply stopping the services while updating the databases is a safer bet.
Switching to sqlite would also spur a ton of doc changes to tell certutil to expect a sqlite db (prefix the db path with sql: or set an environment variable).
This was inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1459339
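The safer pattern the report proposes, stopping every service that holds the NSS database open before touching it and restarting afterwards, written out as a POSIX shell helper. This is an added example, not FreeIPA's or ipa-server-certinstall's own code; the systemd unit names `httpd` and `dirsrv@EXAMPLE-TEST` are assumptions (the 389-ds instance name is a placeholder), and `certutil` is assumed to be on PATH. The `sql:` prefix on the database path is the one the report mentions for a sqlite-format database.

```shell
#!/bin/sh
# Added example (not FreeIPA code): serialize a change to an NSS database by
# stopping the services that keep the dbm-format database open, running the
# change, and restarting the services whether or not the change succeeded.
# Assumed unit names: "httpd" for Apache and "dirsrv@EXAMPLE-TEST" for 389-ds,
# where EXAMPLE-TEST is a placeholder instance name. Override via NSS_SERVICES.
NSS_SERVICES="${NSS_SERVICES:-httpd dirsrv@EXAMPLE-TEST}"

# Run certutil against DBDIR with every NSS-using service stopped.
# Usage: with_services_stopped <dbdir> <certutil arguments...>
# DBDIR may carry the "sql:" prefix for a sqlite database, e.g. sql:/etc/httpd/alias.
# Returns certutil's exit status; the services are restarted in either case.
with_services_stopped() {
    dbdir=$1
    shift

    # Stop all readers/writers first; refuse to proceed if any stop fails,
    # since a still-running service is exactly the parallel access we want to avoid.
    for svc in $NSS_SERVICES; do
        systemctl stop "$svc" || return 1
    done

    # Now the database has a single writer.
    certutil -d "$dbdir" "$@"
    rc=$?

    # Bring the services back regardless of the update's outcome.
    for svc in $NSS_SERVICES; do
        systemctl start "$svc"
    done
    return $rc
}

# Example invocation (cert.pem and the nickname are placeholders):
#   with_services_stopped sql:/etc/httpd/alias -A -n Server-Cert -t ",," -i cert.pem
```

The stop loop aborts on the first failure and the function returns 1 without running certutil, because continuing with one service still attached would reintroduce the parallel access the report describes; the start loop deliberately does not abort, so a service that fails to restart does not prevent the others from coming back.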
Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.3

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
sqlite NSS databases are now used, closing as invalid.
Metadata Update from @rcritten:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)