On 11/18/2016 10:04 AM, Morgan Marodin wrote:
Hi Florence.
I've tried to configure the wrong certificate in nss.conf (ipaCert),
and with this Apache started.
So I think the problem is in the Server-Cert stored in
/etc/httpd/alias/, even if all manual checks are ok.
These are logs with the wrong certificate test:
# tail -f /var/log/httpd/error_log
[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
for SSL protocol
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
AH01757: generating secret for digest authentication ...
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]
AH02282: No slotmem from mod_heartmonitor
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
-- resuming normal operations
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
proxy_util.c(1838): AH00924: worker ajp://localhost shared already
initialized
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]
proxy_util.c(1880): AH00926: worker ajp://localhost local already
initialized
...
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
proxy_util.c(1838): AH00924: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already
initialized
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
proxy_util.c(1880): AH00926: worker
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already
initialized
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
[Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718]
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718]
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718]
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
[Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720]
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720]
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720]
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
[Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716]
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716]
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716]
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
[Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server
for SSL protocol
[Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
[Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
[Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
[Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
[Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
[Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]
nss_engine_init.c(906): Disabling TLS Session Tickets
[Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]
nss_engine_init.c(916): Enabling DHE key exchange
[Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
[Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]
nss_engine_init.c(1140): Disable cipher: rsa_null_md5
...
[Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
[Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
[Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration
of certificate's CN and virtual name. The certificate CN has IPA RA. We
expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING:
session memcached servers not running
[Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING:
session memcached servers not running
[Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: ***
PROCESS START ***
[Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: ***
PROCESS START ***
[Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child
1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
[Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter
read failed.
[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error:
-12285 Unable to find the certificate or key necessary for authentication
[Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child
1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
[Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709]
AH00170: caught SIGWINCH, shutting down gracefully
Is it possible to delete Server-Cert from /etc/httpd/alias/ and reimport
it from the original certificates of mlv-ipa01.ipa.mydomain.com?
Where are the original certificates stored?
Hi Morgan,
with ldapsearch you should be able to find the certificate:
ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
The cert will be stored in the field "usercertificate".
HTH,
Flo.
Please let me know, thanks.
Bye, Morgan
2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
On 11/17/2016 04:51 PM, Morgan Marodin wrote:
Hi Rob.
I've just tried to remove the group write to the *.db files, but it's
not the problem.
[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
I've tried to run manually dirsrv.target and krb5kdc.service, and it
works, services went up.
The same for ntpd, named-pkcs11.service, smb.service,
winbind.service, kadmin.service, memcached.service and
pki-tomcatd.target.
But if I try to start httpd.service:
[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process
exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process
exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.
Any other ideas?
Hi,
- Does the NSS Db contain the private key for Server-Cert? If yes,
the command
$ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
should display a line like this one:
< 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS
Certificate DB:Server-Cert
- Is your system running with SElinux enforcing? If yes, you can
check if there were SElinux permission denials using
$ ausearch -m avc --start recent
- If the certificate was expired, I believe you would see a
different message, but it doesn't hurt to check its validity
$ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
Flo.
Please let me know, thanks.
Morgan
2016-11-17 16:11 GMT+01:00 Rob Crittenden <[email protected]>:
Morgan Marodin wrote:
> Hi Florence.
>
> Thanks for your support.
>
> Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
> permissions and certificates are good:
> [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> total 184
> -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc
> -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db
> -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig
> -rw-------. 1 root root 4833 Sep 4 2015 install.log
> -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db
> -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig
> lrwxrwxrwx 1 root root 24 Nov 17 10:24 libnssckbi.so ->
> /usr/lib64/libnssckbi.so
> -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt
> -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db
> -rw-r-----. 1 root apache 16384 Sep 4 2015 secmod.db.orig
Eventually you'll want to remove group write on the *.db files.
> And password validations seems ok, too:
> /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
> /etc/httpd/alias/pwdfile.txt
good
> Enabling mod-nss debug I can see these logs:
> [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> for SSL protocol
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> Server-Cert.
[snip]
> [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> found: 'Server-Cert'
Can you show what this returns:
# grep NSSNickname /etc/httpd/conf.d/nss.conf
> Do you think there is a kerberos problem?
It definitely is not.
You can bring the system up in a minimal way by manually starting the
[email protected] service and then krb5kdc. This will at least let your
users authenticate. The management framework (GUI) runs through Apache
so that will be down until we can get Apache started again.
rob
>
> Please let me know, thanks.
> Bye, Morgan
>
> 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>
> On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>
> Hello.
>
> This morning I've tried to upgrade my IPA server, but the upgrade
> failed, and now the service doesn't start! :(
>
> If I try to launch the upgrade manually this is the output:
> [root@mlv-ipa01 download]# ipa-server-upgrade
>
> Upgrading IPA:
> [1/8]: saving configuration
> [2/8]: disabling listeners
> [3/8]: enabling DS global lock
> [4/8]: starting directory server
> [5/8]: updating schema
> [6/8]: upgrading server
> [7/8]: stopping directory server
> [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb
backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command '/bin/systemctl start httpd.service'
> returned non-zero exit status 1
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
>
> These are error logs of Apache:
> [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
> found: 'Server-Cert'
>
> The problem seems to be the Server-Cert that could not be found.
> But if I try to execute the certutil command manually I can see it:
> [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                  u,u,u
> ipaCert                                       u,u,u
> Server-Cert                                   Pu,u,u
> IPA.MYDOMAIN.COM IPA CA                       CT,C,C
>
> Could you help me?
> What could I try to do to restart my service?
>
> Hi,
>
> I would first make sure that httpd is using /etc/httpd/alias as NSS
> DB (check the directive NSSCertificateDatabase in
> /etc/httpd/conf.d/nss.conf).
> Then it may be a file permission issue: the NSS DB should belong to
> root:apache (the relevant files are cert8.db, key3.db and secmod.db).
> You should also find a pwdfile.txt in the same directory, containing
> the NSS DB password. Check that the password is valid using
> certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> (if the command succeeds then the password in pwdfile is OK).
>
> You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
> setting "LogLevel debug", and check the output in
> /var/log/httpd/error_log.
>
> HTH,
> Flo.
>
> Thanks, Morgan
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
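As an added example (not code from the thread, nor from FreeIPA or mod_nss), the checks Florence and Rob walk through above, applied to constructed inputs: the NSSNickname from nss.conf, what certutil -L and certutil -K report for the httpd NSS database, and the mod_nss error_log messages quoted in the thread ("Certificate not found", the CN/virtual-name mismatch, and SSL Library Error -12285). All sample text and key IDs are constructed; the sample deliberately lists Server-Cert without a private key so the triage has something to report, which is one scenario consistent with the symptoms, not the thread's confirmed diagnosis.

```python
import re

# Constructed samples modelled on the thread (nss.conf, certutil -L, certutil -K, error_log); key IDs are placeholders.
NSS_CONF = "NSSCertificateDatabase /etc/httpd/alias\nNSSNickname Server-Cert\n"
CERTUTIL_L = """\
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
Signing-Cert                         u,u,u
ipaCert                              u,u,u
Server-Cert                          Pu,u,u
IPA.MYDOMAIN.COM IPA CA              CT,C,C
"""
CERTUTIL_K = """\
< 0> rsa 0000000000000000000000000000000000000001 NSS Certificate DB:ipaCert
"""
ERROR_LOG = """\
[Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
[Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
"""

CERT_LINE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")  # nickname  flags
KEY_LINE = re.compile(r"NSS Certificate DB:(.+?)\s*$")                         # certutil -K rows
LOG_LINE = re.compile(r"^\[[^\]]+\] \[[^\]]*\] \[pid (\d+)\] (.*)$")           # httpd error_log
SIGNATURES = [  # mod_nss failure messages quoted in the thread
    (re.compile(r"Certificate not found: '([^']+)'"), "nickname_not_found"),
    (re.compile(r"Misconfiguration of certificate's CN and virtual name"), "cn_mismatch"),
    (re.compile(r"SSL Library Error: (-\d+)"), "nss_error"),
]

def configured_nickname(conf):
    """NSSNickname value from nss.conf text, or None if the directive is absent."""
    m = re.search(r"^\s*NSSNickname\s+(\S+)", conf, re.M)
    return m.group(1) if m else None

def parse_cert_listing(text):
    """Map nickname -> trust flags from `certutil -L` output (header lines skipped)."""
    return {m.group(1): m.group(2) for m in map(CERT_LINE.match, text.splitlines()) if m}

def parse_key_listing(text):
    """Nicknames that own a private key according to `certutil -K`."""
    return {m.group(1) for m in map(KEY_LINE.search, text.splitlines()) if m}

def classify_errors(log):
    """Tag known mod_nss failures, joined to the nickname the same pid loaded."""
    nick_by_pid, events = {}, []
    for pid, msg in (m.groups() for m in map(LOG_LINE.match, log.splitlines()) if m):
        if used := re.match(r"Using nickname (\S+?)\.?$", msg):
            nick_by_pid[pid] = used.group(1)
            continue
        for pattern, kind in SIGNATURES:
            if hit := pattern.search(msg):
                events.append({"pid": pid, "kind": kind, "nickname": nick_by_pid.get(pid),
                               "detail": hit.group(1) if hit.groups() else msg})
                break
    return events

def triage(conf, listing, keys, log):
    """Apply the thread's checks in order: directive, cert listed, key present, trust, log."""
    findings, nick = [], configured_nickname(conf)
    certs, key_nicks = parse_cert_listing(listing), parse_key_listing(keys)
    if nick is None:
        findings.append("nss.conf has no NSSNickname directive")
    elif nick not in certs:
        findings.append(f"NSSNickname {nick} is not listed by certutil -L")
    elif nick not in key_nicks:
        findings.append(f"{nick} is listed but certutil -K shows no private key for it")
    elif "u" not in certs[nick].split(",")[0]:
        findings.append(f"{nick} lacks the 'u' SSL trust flag: {certs[nick]}")
    for ev in classify_errors(log):
        findings.append(f"pid {ev['pid']}: {ev['kind']} ({ev['detail']}) using nickname {ev['nickname']}")
    return findings
```

On a real server the three inputs would come from the nss.conf file and the two certutil commands shown in the thread (run with -f /etc/httpd/alias/pwdfile.txt) plus /var/log/httpd/error_log; the tail of the findings list then tells you which nickname each child process was actually loading when it failed.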