Hi Rob. I've just tried to remove the group write to the *.db files, but it's not the problem.

*[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert*

I've tried to run manually *dirsrv.target* and *krb5kdc.service*, and it works, services went up. The same for *ntpd*, *named-pkcs11.service*, *smb.service*, *winbind.service*, *kadmin.service*, *memcached.service* and *pki-tomcatd.target*.

But if I try to start *httpd.service*:

*[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.*

Any other ideas? Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden <[email protected]>:

> Morgan Marodin wrote:
> > Hi Florence.
> >
> > Thanks for your support.
> >
> > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all
> > permissions and certificates are good:
> > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > total 184
> > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
> > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
> > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > -rw-------. 1 root root    4833 Sep  4  2015 install.log
> > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
> > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
> > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
> > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
> > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig/
>
> Eventually you'll want to remove group write on the *.db files.
>
> > And password validation seems ok, too:
> > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>
> good
>
> > Enabling mod-nss debug I can see these logs:
> > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
> [snip]
> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
>
> Can you show what this returns:
>
> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>
> > Do you think there is a kerberos problem?
>
> It definitely is not.
>
> You can bring the system up in a minimal way by manually starting the
> [email protected] service and then krb5kdc. This will at least let your
> users authenticate. The management framework (GUI) runs through Apache
> so that will be down until we can get Apache started again.
>
> rob
>
> > Please let me know, thanks.
> > Bye, Morgan
> >
> > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> >
> > On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> >
> > > Hello.
> > >
> > > This morning I've tried to upgrade my IPA server, but the upgrade
> > > failed, and now the service doesn't start! :(
> > >
> > > If I try to launch the upgrade manually this is the output:
> > > /[root@mlv-ipa01 download]# ipa-server-upgrade
> > >
> > > Upgrading IPA:
> > >   [1/8]: saving configuration
> > >   [2/8]: disabling listeners
> > >   [3/8]: enabling DS global lock
> > >   [4/8]: starting directory server
> > >   [5/8]: updating schema
> > >   [6/8]: upgrading server
> > >   [7/8]: stopping directory server
> > >   [8/8]: restoring configuration
> > > Done.
> > > Update complete
> > > Upgrading IPA services
> > > Upgrading the configuration of the IPA services
> > > [Verifying that root certificate is published]
> > > [Migrate CRL publish directory]
> > > CRL tree already moved
> > > [Verifying that CA proxy configuration is correct]
> > > [Verifying that KDC configuration is using ipa-kdb backend]
> > > [Fix DS schema file syntax]
> > > Syntax already fixed
> > > [Removing RA cert from DS NSS database]
> > > RA cert already removed
> > > [Enable sidgen and extdom plugins by default]
> > > [Updating HTTPD service IPA configuration]
> > > [Updating mod_nss protocol versions]
> > > Protocol versions already updated
> > > [Updating mod_nss cipher suite]
> > > [Fixing trust flags in /etc/httpd/alias]
> > > Trust flags already processed
> > > [Exporting KRA agent PEM file]
> > > KRA is not enabled
> > > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> > > command ipa-server-upgrade manually.
> > > Unexpected error - see /var/log/ipaupgrade.log for details:
> > > CalledProcessError: Command '/bin/systemctl start httpd.service'
> > > returned non-zero exit status 1
> > > The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> > > more information/
> > >
> > > These are error logs of Apache:
> > > /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'/
> > >
> > > The problem seems to be the /Server-Cert/ that could not be found.
> > > But if I try to execute the certutil command manually I can see it:
> > > /[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > Signing-Cert                                                 u,u,u
> > > ipaCert                                                      u,u,u
> > > Server-Cert                                                  Pu,u,u
> > > IPA.MYDOMAIN.COM IPA CA                                      CT,C,C/
> > >
> > > Could you help me?
> > > What could I try to do to restart my service?
> >
> > Hi,
> >
> > I would first make sure that httpd is using /etc/httpd/alias as NSS
> > DB (check the directive NSSCertificateDatabase in
> > /etc/httpd/conf.d/nss.conf).
> > Then it may be a file permission issue: the NSS DB should belong to
> > root:apache (the relevant files are cert8.db, key3.db and secmod.db).
> > You should also find a pwdfile.txt in the same directory, containing
> > the NSS DB password. Check that the password is valid using
> > certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> > (if the command succeeds then the password in pwdfile is OK).
> >
> > You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
> > setting "LogLevel debug", and check the output in
> > /var/log/httpd/error_log.
> >
> > HTH,
> > Flo.
> >
> > > Thanks, Morgan
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
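As an added example (not code from the thread, from FreeIPA or from mod_nss), the script below turns the checks Florence and Rob walk through into one diagnostic: it reads NSSCertificateDatabase and NSSNickname from nss.conf, lists the ownership of the DB files, confirms that pwdfile.txt unlocks the key DB with `certutil -K`, and then verifies that the configured nickname is literally present in `certutil -L` output, which is what "Certificate not found: 'Server-Cert'" is about. The paths are the RHEL 7 FreeIPA defaults seen in the thread; the function names, the `--live` switch and the constructed sample (copied from the listings quoted above) are this script's own assumptions, so the parsing part runs on any machine while the live part needs root and nss-tools on the IPA server.

```shell
#!/bin/sh
# Added diagnostic script, not FreeIPA's or mod_nss's own code. Automates the
# checks from the thread for an httpd failing with "Certificate not found".
# Paths are the RHEL 7 FreeIPA defaults from the thread; function names and
# the --live switch are this script's own conventions (assumptions).

NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"

# Print the value of the first uncommented occurrence of directive $1 on stdin.
nss_directive() {
    awk -v d="$1" '$1 == d { print $2; exit }'
}

# Exit 0 if a `certutil -L` listing on stdin contains nickname $1.
# The last field is the trust string (e.g. "u,u,u"); everything before it,
# with padding trimmed, is the nickname. Nicknames may contain spaces
# ("IPA.MYDOMAIN.COM IPA CA"), so the whole remaining line is compared, and
# the comparison is case-sensitive because NSS nickname lookups are exact.
nickname_in_listing() {
    awk -v n="$1" '
        NF >= 2 {
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")
            if ($0 == n) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check on a FreeIPA host; needs root and certutil from nss-tools.
check_httpd_nss() {
    db=$(nss_directive NSSCertificateDatabase < "$NSS_CONF")
    nick=$(nss_directive NSSNickname < "$NSS_CONF")
    if [ -z "$db" ] || [ -z "$nick" ]; then
        echo "$NSS_CONF: NSSCertificateDatabase or NSSNickname missing" >&2
        return 1
    fi
    echo "httpd NSS DB: $db, expected nickname: $nick"

    # cert8.db/key3.db/secmod.db should be owned root:apache and group-readable;
    # group write is not needed (Rob's remark in the thread).
    for f in cert8.db key3.db secmod.db pwdfile.txt; do
        ls -l "$db/$f" || return 1
    done

    # The token password in pwdfile.txt must unlock the key DB, otherwise the
    # private key behind the nickname is unusable even though the cert lists.
    if ! certutil -K -d "$db" -f "$db/pwdfile.txt" >/dev/null; then
        echo "pwdfile.txt does not unlock $db" >&2
        return 1
    fi

    if certutil -L -d "$db" | nickname_in_listing "$nick"; then
        echo "OK: '$nick' is present in $db"
    else
        echo "MISSING: '$nick' not found in $db; nicknames present:" >&2
        certutil -L -d "$db" >&2
        return 1
    fi
}

# Constructed sample, copied from the listings quoted in the thread, so the
# parsing part can be exercised on a machine without FreeIPA or certutil.
SAMPLE_CONF='NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert'
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Signing-Cert                                    u,u,u
ipaCert                                         u,u,u
Server-Cert                                     Pu,u,u
IPA.MYDOMAIN.COM IPA CA                         CT,C,C'

demo() {
    nick=$(printf '%s\n' "$SAMPLE_CONF" | nss_directive NSSNickname)
    if printf '%s\n' "$SAMPLE_LISTING" | nickname_in_listing "$nick"; then
        echo "sample: '$nick' found in listing"
    else
        echo "sample: '$nick' missing from listing"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_httpd_nss
else
    demo
fi
```

Run it as `sh nss_check.sh --live` on the IPA server; without the switch it only parses the embedded sample. A nickname that prints in `certutil -L` but is still reported missing by mod_nss usually means the exact string in NSSNickname does not match (case, trailing space, or a second nss.conf copy under /etc/httpd/conf/ vs /etc/httpd/conf.d/), which is why the script compares the full nickname rather than grepping for a substring.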
