Hi Florence. Thanks for your support.
Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all permissions and certificates are good:

[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
total 184
-r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
-rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
-rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
-rw-------. 1 root root    4833 Sep  4  2015 install.log
-rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
-rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
-rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
-rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig

And password validation seems OK, too:

[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa **************************************** NSS Certificate DB:Server-Cert
< 1> rsa **************************************** NSS Certificate DB:Signing-Cert
< 2> rsa **************************************** NSS Certificate DB:ipaCert

Enabling mod_nss debug, I can see these logs:

[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
[Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
[Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
[Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
[Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
[Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
[Thu Nov 17 15:05:11.003483 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_sha
[Thu Nov 17 15:05:11.003491 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_40_md5
[Thu Nov 17 15:05:11.003509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_md5
[Thu Nov 17 15:05:11.003632 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_sha
[Thu Nov 17 15:05:11.003740 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc2_40_md5
[Thu Nov 17 15:05:11.003747 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_des_sha
[Thu Nov 17 15:05:11.003802 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_3des_sha
[Thu Nov 17 15:05:11.003902 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_des_sha
[Thu Nov 17 15:05:11.004001 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_sha
[Thu Nov 17 15:05:11.004167 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_256_sha
[Thu Nov 17 15:05:11.004180 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: null_sha_256
[Thu Nov 17 15:05:11.004191 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_128_sha_256
[Thu Nov 17 15:05:11.004285 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_256_sha_256
[Thu Nov 17 15:05:11.004352 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: camelia_128_sha
[Thu Nov 17 15:05:11.004437 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_des_56_sha
[Thu Nov 17 15:05:11.004509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_56_sha
[Thu Nov 17 15:05:11.004606 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: camelia_256_sha
[Thu Nov 17 15:05:11.004668 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_gcm_sha_256
[Thu Nov 17 15:05:11.004724 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_256_gcm_sha_384
[Thu Nov 17 15:05:11.004806 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: fips_3des_sha
[Thu Nov 17 15:05:11.004881 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: fips_des_sha
[Thu Nov 17 15:05:11.004956 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_3des_sha
[Thu Nov 17 15:05:11.005027 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_sha
[Thu Nov 17 15:05:11.005106 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_sha
[Thu Nov 17 15:05:11.005173 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_camellia_128_sha
[Thu Nov 17 15:05:11.005238 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_camellia_256_sha
[Thu Nov 17 15:05:11.005309 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_sha256
[Thu Nov 17 15:05:11.005380 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_sha256
[Thu Nov 17 15:05:11.005452 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_gcm_sha_256
[Thu Nov 17 15:05:11.005524 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_gcm_sha_384
[Thu Nov 17 15:05:11.005596 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_null_sha
[Thu Nov 17 15:05:11.005655 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_rc4_128_sha
[Thu Nov 17 15:05:11.005698 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_3des_sha
[Thu Nov 17 15:05:11.005814 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_aes_128_sha
[Thu Nov 17 15:05:11.005859 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_aes_256_sha
[Thu Nov 17 15:05:11.005904 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_null_sha
[Thu Nov 17 15:05:11.005948 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_rc4_128_sha
[Thu Nov 17 15:05:11.005993 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_3des_sha
[Thu Nov 17 15:05:11.006037 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_128_sha
[Thu Nov 17 15:05:11.006081 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_256_sha
[Thu Nov 17 15:05:11.006124 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_null_sha
[Thu Nov 17 15:05:11.006181 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_128_sha
[Thu Nov 17 15:05:11.006223 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_3des_sha
[Thu Nov 17 15:05:11.006261 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_aes_128_sha
[Thu Nov 17 15:05:11.006304 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_aes_256_sha
[Thu Nov 17 15:05:11.006348 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_null
[Thu Nov 17 15:05:11.006391 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_rc4_128_sha
[Thu Nov 17 15:05:11.006428 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_3des_sha
[Thu Nov 17 15:05:11.006466 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_sha
[Thu Nov 17 15:05:11.006503 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_256_sha
[Thu Nov 17 15:05:11.006541 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_null_sha
[Thu Nov 17 15:05:11.006580 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_rc4_128sha
[Thu Nov 17 15:05:11.006622 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_3des_sha
[Thu Nov 17 15:05:11.006649 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_aes_128_sha
[Thu Nov 17 15:05:11.006682 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_aes_256_sha
[Thu Nov 17 15:05:11.006725 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_aes_128_sha_256
[Thu Nov 17 15:05:11.006730 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_aes_128_sha_256
[Thu Nov 17 15:05:11.006734 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_128_gcm_sha_256
[Thu Nov 17 15:05:11.006737 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_aes_256_sha_384
[Thu Nov 17 15:05:11.006740 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_aes_256_sha_384
[Thu Nov 17 15:05:11.006743 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_256_gcm_sha_384
[Thu Nov 17 15:05:11.006746 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_256_gcm_sha_384
[Thu Nov 17 15:05:11.006749 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
[Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'

[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 15:05:04 mlv-ipa01 systemd[1]: Starting Identity, Policy, Audit...
Nov 17 15:05:07 mlv-ipa01 ipactl: Existing service file detected!
Nov 17 15:05:07 mlv-ipa01 ipactl: Assuming stale, cleaning and proceeding
Nov 17 15:05:07 mlv-ipa01 systemd[1]: Starting 389 Directory Server IPA-MYDOMAIN-COM....
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.799208210 +0100] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.803853873 +0100] SSL alert: Security Initialization: Enabling default cipher set.
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.805145890 +0100] SSL alert: Configured NSS Ciphers
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.806316182 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.807723387 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.808923825 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.810155882 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.811325853 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.812784224 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.813976726 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.815120447 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.816327755 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.817977411 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.819254448 +0100] SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.820464679 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.821632382 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.822786869 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.823971028 +0100] SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.825053303 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.826194181 +0100] SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.827825315 +0100] SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.829462992 +0100] SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.830793383 +0100] SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.832242224 +0100] SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.833873583 +0100] SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.885093482 +0100] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.886826410 +0100] 389-Directory/1.3.5.10 B2016.309.1527 starting up
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.924968051 +0100] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.960936427 +0100] WARNING: changelog: entry cache size 2097152 B is less than db size 15654912 B; We recommend to increase the entry cache size nsslapd-cachememsize.
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.051517901 +0100] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.088107275 +0100] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.089975405 +0100] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.091605059 +0100] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.093396173 +0100] NSACLPlugin - The ACL target ou=sudoers,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.095072910 +0100] NSACLPlugin - The ACL target cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.097647403 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.099159503 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.100703471 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.102286938 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.103852482 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.105586463 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.107026360 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.108476210 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.110187640 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.111655019 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.113841889 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.133500119 +0100] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.135098802 +0100] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=com does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.363531779 +0100] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.373037600 +0100] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=mydomain,dc=com--no CoS Templates found, which should be added before the CoS Definition.
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.412160395 +0100] set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.417620890 +0100] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.430081973 +0100] slapd started. Listening on All Interfaces port 389 for LDAP requests
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.431273848 +0100] Listening on All Interfaces port 636 for LDAPS requests
Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.432861124 +0100] Listening on /var/run/slapd-IPA-MYDOMAIN-COM.socket for LDAPI requests
Nov 17 15:05:08 mlv-ipa01 systemd[1]: Started 389 Directory Server IPA-MYDOMAIN-COM..
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Kerberos 5 KDC...
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Kerberos 5 KDC.
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Kerberos 5 Password-changing and Administration.
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Generate rndc key for BIND (DNS)...
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Generate rndc key for BIND (DNS).
Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
Nov 17 15:05:09 mlv-ipa01 bash: zone localhost.localdomain/IN: loaded serial 0
Nov 17 15:05:09 mlv-ipa01 bash: zone localhost/IN: loaded serial 0
Nov 17 15:05:09 mlv-ipa01 bash: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Nov 17 15:05:09 mlv-ipa01 bash: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Nov 17 15:05:09 mlv-ipa01 bash: zone 0.in-addr.arpa/IN: loaded serial 0
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: starting BIND 9.9.4-RedHat-9.9.4-38.el7_3 -u named
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ----------------------------------------------------
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: BIND 9 is maintained by Internet Systems Consortium,
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: corporation. Support and training for BIND 9 are
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: available at https://www.isc.org/support
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ----------------------------------------------------
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: adjusted limit on open files from 4096 to 1048576
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: found 8 CPUs, using 8 worker threads
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using 8 UDP listeners per interface
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using up to 4096 sockets
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: loading configuration from '/etc/named.conf'
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: initializing GeoIP Country (IPv4) (type 1) DB
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016 MaxMind
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: initializing GeoIP Country (IPv6) (type 12) DB
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GEO-106FREE 20160607 Build 1 Copy
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv4) (type 2) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv4) (type 6) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv6) (type 30) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv6) (type 31) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Region (type 3) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Region (type 7) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP ISP (type 4) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Org (type 5) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP AS (type 9) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Domain (type 11) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP NetSpeed (type 10) DB not available
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using default UDP/IPv4 port range: [1024, 65535]
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using default UDP/IPv6 port range: [1024, 65535]
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on IPv6 interfaces, port 53
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on IPv4 interface eth0, 192.168.0.65#53
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: generating session key for dynamic DNS
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: sizing zone task pool based on 6 zones
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: bind-dyndb-ldap version 10.0 compiled at 16:25:21 Nov 4 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: option 'serial_autoincrement' is not supported, ignoring
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: automatic empty zone: 10.IN-ADDR.ARPA
...
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: command channel listening on 127.0.0.1#953
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: command channel listening on ::1#953
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: managed-keys-zone: loaded serial 10165
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone '10.IN-ADDR.ARPA'?
...
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: zone ipa.mydomain.com/IN: loaded serial 1479391509
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: zone ipa.mydomain.com/IN: sending notifies (serial 1479391509)
Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: 1 master zones from LDAP instance 'ipa' loaded (1 zones defined, 0 inactive, 0 failed to load)
Nov 17 15:05:10 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 15:05:11 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service failed.
Nov 17 15:05:11 mlv-ipa01 systemctl[10657]: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Nov 17 15:05:11 mlv-ipa01 ipactl: Failed to start httpd Service
Nov 17 15:05:11 mlv-ipa01 ipactl: Shutting down
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping Kerberos 5 KDC...
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Kerberos 5 KDC.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping Kerberos 5 Password-changing and Administration...
Nov 17 15:05:11 mlv-ipa01 systemd[1]: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Kerberos 5 Password-changing and Administration.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Unit kadmin.service entered failed state.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: kadmin.service failed.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11...
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: received control channel command 'stop'
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: shutting down: flushing changes
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: stopping command channel on 127.0.0.1#953
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: stopping command channel on ::1#953
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: zone ipa.mydomain.com/IN: shutting down
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on ::#53
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on 127.0.0.1#53
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on 192.168.0.65#53
Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: exiting
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping IPA memcached daemon, increases IPA server performance...
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped IPA memcached daemon, increases IPA server performance.
Nov 17 15:05:11 mlv-ipa01 systemctl[10685]: Warning: httpd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping 389 Directory Server IPA-MYDOMAIN-COM....
Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.357603144 +0100] slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.359785218 +0100] slapd shutting down - waiting for 25 threads to terminate
Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.361826680 +0100] slapd shutting down - closing down internal subsystems and plugins
Nov 17 15:05:13 mlv-ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_996))
Nov 17 15:05:13 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:13.811837199 +0100] Waiting for 4 database threads to stop
Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.000534924 +0100] All database threads now stopped
Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.015405431 +0100] slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.437288197 +0100] slapd stopped.
Nov 17 15:05:14 mlv-ipa01 systemd[1]: Stopped 389 Directory Server IPA-MYDOMAIN-COM..
Nov 17 15:05:14 mlv-ipa01 ipactl: Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Nov 17 15:05:14 mlv-ipa01 ipactl: Aborting ipactl
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting Directory Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting krb5kdc Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting kadmin Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting named Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting ipa_memcached Service
Nov 17 15:05:14 mlv-ipa01 ipactl: Starting httpd Service
Nov 17 15:05:14 mlv-ipa01 systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
Nov 17 15:05:14 mlv-ipa01 systemd[1]: Failed to start Identity, Policy, Audit.
Nov 17 15:05:14 mlv-ipa01 systemd[1]: Unit ipa.service entered failed state.
Nov 17 15:05:14 mlv-ipa01 systemd[1]: ipa.service failed

Do you think there is a Kerberos problem?
Please let me know, thanks.

Bye,
Morgan

2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <[email protected]>:

> On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>
>> Hello.
>>
>> This morning I've tried to upgrade my IPA server, but the upgrade
>> failed, and now the service doesn't start! :(
>>
>> If I try to launch the upgrade manually this is the output:
>>
>> [root@mlv-ipa01 download]# ipa-server-upgrade
>>
>> Upgrading IPA:
>>   [1/8]: saving configuration
>>   [2/8]: disabling listeners
>>   [3/8]: enabling DS global lock
>>   [4/8]: starting directory server
>>   [5/8]: updating schema
>>   [6/8]: upgrading server
>>   [7/8]: stopping directory server
>>   [8/8]: restoring configuration
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating HTTPD service IPA configuration]
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Updating mod_nss cipher suite]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Exporting KRA agent PEM file]
>> KRA is not enabled
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: Command '/bin/systemctl start httpd.service'
>> returned non-zero exit status 1
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>>
>> These are error logs of Apache:
>>
>> [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'
>>
>> The problem seems to be the Server-Cert that could not be found.
>> But if I try to execute the certutil command manually I can see it:
>>
>> [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  Pu,u,u
>> IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
>>
>> Could you help me?
>> What could I try to do to restart my service?
>>
> Hi,
>
> I would first make sure that httpd is using /etc/httpd/alias as NSS DB
> (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
> Then it may be a file permission issue: the NSS DB should belong to
> root:apache (the relevant files are cert8.db, key3.db and secmod.db).
> You should also find a pwdfile.txt in the same directory, containing the
> NSS DB password. Check that the password is valid using
> certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> (if the command succeeds then the password in pwdfile is OK).
>
> You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting
> "LogLevel debug", and check the output in /var/log/httpd/error_log.
>
> HTH,
> Flo.
>
>> Thanks, Morgan
>>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
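The checks Flo lists (the NSSCertificateDatabase directive, root:apache ownership of cert8.db, key3.db and secmod.db, the pwdfile.txt, and the nickname mod_nss reports at debug level) can be run offline against the pasted output, which is useful when several people are looking at the same thread. This is an added example, not code from the thread or from FreeIPA; the sample inputs are constructed from the outputs quoted above, and the expected directory and file names are assumptions taken from Flo's reply.

```python
"""Offline triage of the mod_nss "Certificate not found" evidence from the thread.

Added example, not FreeIPA code. Inputs are pasted text (nss.conf excerpt,
`ls -l` of the NSS DB directory, `certutil -L` listing, httpd error_log),
so it needs neither certutil nor root access.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples modelled on the outputs pasted in the thread.
NSS_CONF = """\
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
"""
LS_ALIAS = """\
-rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
-rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
-rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
"""
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
"""
ERROR_LOG = """\
[Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
[Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
"""

# The files Flo names as having to belong to root:apache, plus the password file.
REQUIRED_DB_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
EXPECTED_DB_DIR = "/etc/httpd/alias"  # assumption: the path given in the thread


def nss_directive(conf: str, name: str) -> Optional[str]:
    """First value of a mod_nss directive in an nss.conf excerpt, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(\S+)", conf, re.MULTILINE)
    return m.group(1) if m else None


def parse_ls(ls_output: str) -> Dict[str, Dict[str, str]]:
    """file name -> {mode, owner, group} from `ls -l` lines; symlink targets dropped."""
    files: Dict[str, Dict[str, str]] = {}
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0][0] not in "-l":
            continue  # "total N", blank lines, directories
        name = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        files[name] = {"mode": parts[0], "owner": parts[2], "group": parts[3]}
    return files


def check_db_files(ls_output: str, group: str = "apache") -> List[str]:
    """Flo's permission check: each required file present, root:<group>, group-readable."""
    files = parse_ls(ls_output)
    findings: List[str] = []
    for name in REQUIRED_DB_FILES:
        info = files.get(name)
        if info is None:
            findings.append(f"{name}: missing")
            continue
        if (info["owner"], info["group"]) != ("root", group):
            findings.append(f"{name}: owned by {info['owner']}:{info['group']}, expected root:{group}")
        if info["mode"][4] != "r":  # group read bit of e.g. -rw-rw----
            findings.append(f"{name}: not group-readable ({info['mode']})")
    return findings


def parse_certutil_list(output: str) -> Dict[str, str]:
    """nickname -> trust attributes from `certutil -L`; nicknames may contain spaces."""
    certs: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or parts[0].startswith("Certificate Nickname"):
            continue  # header, the "SSL,S/MIME,JAR/XPI" line, blanks
        certs[parts[0]] = parts[1]
    return certs


def mod_nss_status(error_log: str) -> Tuple[Optional[str], Optional[str]]:
    """(nickname mod_nss tried to use, nickname it reported as not found)."""
    used = re.search(r"Using nickname ([^\s.]+)", error_log)
    missing = re.search(r"Certificate not found: '([^']+)'", error_log)
    return (used.group(1) if used else None, missing.group(1) if missing else None)


def triage(conf: str, ls_output: str, certutil_output: str, error_log: str) -> List[str]:
    """Combine the four pieces of evidence into findings (empty list = nothing odd)."""
    findings: List[str] = []
    db_dir = nss_directive(conf, "NSSCertificateDatabase")
    if db_dir != EXPECTED_DB_DIR:
        findings.append(f"NSSCertificateDatabase is {db_dir!r}, expected {EXPECTED_DB_DIR}")
    findings += check_db_files(ls_output)
    certs = parse_certutil_list(certutil_output)
    used, missing = mod_nss_status(error_log)
    nick = used or nss_directive(conf, "NSSNickname")
    if nick not in certs:
        findings.append(f"nickname {nick!r} is not in the certutil -L listing")
    elif missing == nick:
        # The thread's situation: path, permissions and password look fine and certutil
        # lists the nickname, yet httpd cannot use it. Report the trust flags so they
        # can be compared with a working server (the other user certs carry plain u,u,u).
        findings.append(f"mod_nss cannot load {nick!r} although certutil lists it "
                        f"(trust flags {certs[nick]})")
    return findings


if __name__ == "__main__":
    for finding in triage(NSS_CONF, LS_ALIAS, CERTUTIL_L, ERROR_LOG) or ["no findings"]:
        print(finding)
```

Paste the real nss.conf, `ls -l`, `certutil -L` and error_log text in place of the constructed samples to run it against a live server.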
