It works! Thanks for your support. Anyway, I will try to update the mod_nss package again! :D Bye!
2016-11-18 15:21 GMT+01:00 Morgan Marodin <[email protected]>:
> A little good news.
>
> Downgrading the mod_nss RPM package, and restoring the original
> /etc/httpd/alias folder, the ipa-server-upgrade procedure has finished
> well:
>
> # ipa-server-upgrade
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
> Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
> [Adding server_id to named.conf]
> Changes to named.conf have been made, restart named
> Custodia service is being configured
> Configuring ipa-custodia
>   [1/5]: Generating ipa-custodia config file
>   [2/5]: Making sure custodia container exists
>   [3/5]: Generating ipa-custodia keys
>   [4/5]: starting ipa-custodia
>   [5/5]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
> [Upgrading CA schema]
> CA schema update complete
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> Configuring certmonger to stop tracking system certificates for CA
> Certmonger certificate renewal configuration updated to version 5
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
>
> And Apache has started, BUT there is a problem with the web certificate:
>
> # tail -f /var/log/httpd/error_log
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
>
> How do you suggest I go on with my issue?
>
> Thanks, Morgan
>
> 2016-11-18 12:11 GMT+01:00 Morgan Marodin <[email protected]>:
>> I've tried to add it to a new test folder, with a new certificate
>> nickname, and then to replace it in nss.conf.
>>
>> But the problem persists:
>>
>> # certutil -V -u V -d /etc/httpd/test -n ipa01cert
>> certutil: certificate is valid
>>
>> # tail -f /var/log/httpd/error_log
>> [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
>> [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
>> [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol...
>> [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
>> [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'
>>
>> I've found this guide:
>>
>> Combine the server cert and key into a single file
>> # cp localhost.crt Server-Cert.txt
>> # cat localhost.key >> Server-Cert.txt
>> Convert the server cert into a p12 file
>> # openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
>> Now Import the Public and Private keys into the database at the same time.
>> # pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert
>>
>> Where is the key certificate file stored?
>>
>> Thanks, Morgan
>>
>> 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>>>> Hi Florence.
>>>>
>>>> I've tried to configure the wrong certificate in nss.conf (ipaCert),
>>>> and with this Apache started.
>>>> So I think the problem is in the Server-Cert stored in
>>>> /etc/httpd/alias/, even if all manual checks are ok.
>>>>
>>>> These are logs with the wrong certificate test:
>>>> # tail -f /var/log/httpd/error_log
>>>> [Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
>>>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
>>>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
>>>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
>>>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
>>>> [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
>>>> [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
>>>> [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
>>>> [Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
>>>> [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
>>>> [Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized
>>>> ...
>>>> [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
>>>> [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
>>>> [Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
>>>> [Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
>>>> [Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>>> [Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server for SSL protocol
>>>> [Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718] nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
>>>> [Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>>> [Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server for SSL protocol
>>>> [Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720] nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
>>>> [Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server for SSL protocol
>>>> [Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
>>>> [Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>>> [Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>>> [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server for SSL protocol
>>>> [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
>>>> [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
>>>> [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running
>>>> [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running
>>>> [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***
>>>> [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***
>>>> [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
>>>> [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.
>>>> [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
>>>> [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
>>>> [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully
>>>>
>>>> Is it possible to delete Server-Cert from /etc/httpd/alias/ and reimport
>>>> it from the original certificates of mlv-ipa01.ipa.mydomain.com?
>>>> Where are the original certificates stored?
>>>>
>>> Hi Morgan,
>>>
>>> with ldapsearch you should be able to find the certificate:
>>> ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
>>>
>>> The cert will be stored in the field "usercertificate".
>>>
>>> HTH,
>>> Flo.
>>>
>>>> Please let me know, thanks.
>>>> Bye, Morgan
>>>>
>>>> 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>
>>>>     On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>>>>
>>>>         Hi Rob.
>>>>
>>>>         I've just tried to remove the group write to the *.db files, but
>>>>         it's not the problem.
>>>>         [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>>>>         NSSNickname Server-Cert
>>>>
>>>>         I've tried to run manually dirsrv.target and krb5kdc.service, and
>>>>         it works, services went up.
>>>>         The same for ntpd, named-pkcs11.service, smb.service,
>>>>         winbind.service, kadmin.service, memcached.service and
>>>>         pki-tomcatd.target.
>>>>
>>>>         But if I try to start httpd.service:
>>>>         [root@mlv-ipa01 ~]# tail -f /var/log/messages
>>>>         Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
>>>>         Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         : INFO     KDC proxy enabled
>>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>         Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
>>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
>>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
>>>>         Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.
>>>>
>>>>         Any other ideas?
>>>>
>>>>     Hi,
>>>>
>>>>     - Does the NSS Db contain the private key for Server-Cert? If yes,
>>>>       the command
>>>>       $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>>       should display a line like this one:
>>>>       < 0> rsa      01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate DB:Server-Cert
>>>>
>>>>     - Is your system running with SElinux enforcing? If yes, you can
>>>>       check if there were SElinux permission denials using
>>>>       $ ausearch -m avc --start recent
>>>>
>>>>     - If the certificate was expired, I believe you would see a
>>>>       different message, but it doesn't hurt to check its validity
>>>>       $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
>>>>
>>>>     Flo.
>>>>
>>>>         Please let me know, thanks.
>>>>         Morgan
>>>>
>>>>         2016-11-17 16:11 GMT+01:00 Rob Crittenden <[email protected]>:
>>>>
>>>>             Morgan Marodin wrote:
>>>>             > Hi Florence.
>>>>             >
>>>>             > Thanks for your support.
>>>>             >
>>>>             > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems
>>>>             > that all permissions and certificates are good:
>>>>             > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
>>>>             > total 184
>>>>             > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
>>>>             > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
>>>>             > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
>>>>             > -rw-------. 1 root root    4833 Sep  4  2015 install.log
>>>>             > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
>>>>             > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
>>>>             > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
>>>>             > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
>>>>             > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
>>>>             > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig
>>>>
>>>>             Eventually you'll want to remove group write on the *.db files.
>>>>
>>>>             > And password validation seems ok, too:
>>>>             > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>>
>>>>             good
>>>>
>>>>             > Enabling mod-nss debug I can see these logs:
>>>>             > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
>>>>             > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>>             > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
>>>>             > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
>>>>             > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
>>>>             > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>>             > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>>             > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>>             > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>>             > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>>             > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
>>>>             > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
>>>>             > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>>             > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
>>>>             > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
>>>>             [snip]
>>>>             > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
>>>>
>>>>             Can you show what this returns:
>>>>
>>>>             # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>>>
>>>>             > Do you think there is a kerberos problem?
>>>>
>>>>             It definitely is not.
>>>>
>>>>             You can bring the system up in a minimal way by manually starting the
>>>>             [email protected] service and then krb5kdc. This will at least let your
>>>>             users authenticate. The management framework (GUI) runs through Apache
>>>>             so that will be down until we can get Apache started again.
>>>>
>>>>             rob
>>>>
>>>>             > Please let me know, thanks.
>>>>             > Bye, Morgan
>>>>             >
>>>>             > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>             >
>>>>             >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>>>>             >
>>>>             >         Hello.
>>>>             >
>>>>             >         This morning I've tried to upgrade my IPA server, but the
>>>>             >         upgrade failed, and now the service doesn't start! :(
>>>>             >
>>>>             >         If I try to launch the upgrade manually this is the output:
>>>>             >         [root@mlv-ipa01 download]# ipa-server-upgrade
>>>>             >
>>>>             >         Upgrading IPA:
>>>>             >           [1/8]: saving configuration
>>>>             >           [2/8]: disabling listeners
>>>>             >           [3/8]: enabling DS global lock
>>>>             >           [4/8]: starting directory server
>>>>             >           [5/8]: updating schema
>>>>             >           [6/8]: upgrading server
>>>>             >           [7/8]: stopping directory server
>>>>             >           [8/8]: restoring configuration
>>>>             >         Done.
>>>>             >         Update complete
>>>>             >         Upgrading IPA services
>>>>             >         Upgrading the configuration of the IPA services
>>>>             >         [Verifying that root certificate is published]
>>>>             >         [Migrate CRL publish directory]
>>>>             >         CRL tree already moved
>>>>             >         [Verifying that CA proxy configuration is correct]
>>>>             >         [Verifying that KDC configuration is using ipa-kdb backend]
>>>>             >         [Fix DS schema file syntax]
>>>>             >         Syntax already fixed
>>>>             >         [Removing RA cert from DS NSS database]
>>>>             >         RA cert already removed
>>>>             >         [Enable sidgen and extdom plugins by default]
>>>>             >         [Updating HTTPD service IPA configuration]
>>>>             >         [Updating mod_nss protocol versions]
>>>>             >         Protocol versions already updated
>>>>             >         [Updating mod_nss cipher suite]
>>>>             >         [Fixing trust flags in /etc/httpd/alias]
>>>>             >         Trust flags already processed
>>>>             >         [Exporting KRA agent PEM file]
>>>>             >         KRA is not enabled
>>>>             >         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>             >         Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>             >         CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
>>>>             >         The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>             >
>>>>             >         These are error logs of Apache:
>>>>             >         [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>>             >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
>>>>             >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'
>>>>             >
>>>>             >         The problem seems to be the Server-Cert that could not be found.
>>>>             >         But if I try to execute the certutil command manually I can see it:
>>>>             >         [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>>>>             >
>>>>             >         Certificate Nickname                          Trust Attributes
>>>>             >                                                       SSL,S/MIME,JAR/XPI
>>>>             >
>>>>             >         Signing-Cert                                  u,u,u
>>>>             >         ipaCert                                       u,u,u
>>>>             >         Server-Cert                                   Pu,u,u
>>>>             >         IPA.MYDOMAIN.COM IPA CA                       CT,C,C
>>>>             >
>>>>             >         Could you help me?
>>>>             >         What could I try to do to restart my service?
>>>>             >
>>>>             >     Hi,
>>>>             >
>>>>             >     I would first make sure that httpd is using /etc/httpd/alias as NSS
>>>>             >     DB (check the directive NSSCertificateDatabase in
>>>>             >     /etc/httpd/conf.d/nss.conf).
>>>>             >     Then it may be a file permission issue: the NSS DB should belong to
>>>>             >     root:apache (the relevant files are cert8.db, key3.db and secmod.db).
>>>>             >     You should also find a pwdfile.txt in the same directory, containing
>>>>             >     the NSS DB password. Check that the password is valid using
>>>>             >     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>>             >     (if the command succeeds then the password in pwdfile is OK).
>>>>             >
>>>>             >     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
>>>>             >     setting "LogLevel debug", and check the output in
>>>>             >     /var/log/httpd/error_log.
>>>>             >
>>>>             >     HTH,
>>>>             >     Flo.
>>>>             >
>>>>             >         Thanks, Morgan
>>>>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
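As an added example (not code from the thread, FreeIPA or mod_nss), the checks the replies above walk through, the nickname and database path in nss.conf, the certificate and its trust flags in certutil -L output, and the matching private key in certutil -K output, as a small shell script. The sample outputs below are constructed to resemble the ones pasted in the thread; the /etc/httpd/conf.d/nss.conf path and the pwdfile.txt default are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or mod_nss): offline versions of
# the checks suggested in the replies above. All sample data is constructed
# to look like the command output pasted in the thread.

# Constructed fragment of /etc/httpd/conf.d/nss.conf (path assumed from the thread).
SAMPLE_NSS_CONF='NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
NSSPassPhraseDialog file:/etc/httpd/alias/pwdfile.txt'

# Constructed "certutil -L -d /etc/httpd/alias" output.
SAMPLE_CERT_LIST='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Signing-Cert                                    u,u,u
ipaCert                                         u,u,u
Server-Cert                                     Pu,u,u
IPA.MYDOMAIN.COM IPA CA                         CT,C,C'

# Constructed "certutil -K -d /etc/httpd/alias -f pwdfile.txt" output. The key
# for Server-Cert is deliberately absent: the certificate is listed but no
# private key matches it, one of the states mod_nss reports as
# "Certificate not found". Key ids are made up.
SAMPLE_KEY_LIST='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0123456789abcdef0123456789abcdef01234567   NSS Certificate DB:ipaCert
< 1> rsa      89abcdef0123456789abcdef0123456789abcdef   NSS Certificate DB:Signing-Cert'

# Print the value of directive $2 from the nss.conf text in $1 (first match).
nss_conf_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Print the trust flags of nickname $2 from certutil -L output in $1, or
# nothing if the nickname is absent. Nicknames may contain spaces, so the
# last field is the flags and everything before it is the nickname.
cert_trust_flags() {
    printf '%s\n' "$1" | awk -v n="$2" 'NF >= 2 {
        flags = $NF; $NF = ""; sub(/ +$/, "")
        if ($0 == n) { print flags; exit }
    }'
}

# Succeed if certutil -K output in $1 lists a key labelled "<token>:$2".
has_private_key() {
    printf '%s\n' "$1" | awk -v n=":$2" '
        substr($0, length($0) - length(n) + 1) == n { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Run the checks in the order the thread suggests and print one verdict:
#   no-nickname-configured | cert-missing:<nick> | key-missing:<nick> | ok:<nick>:<flags>
diagnose() {
    conf=$1; certs=$2; keys=$3
    nick=$(nss_conf_value "$conf" NSSNickname)
    [ -n "$nick" ] || { echo "no-nickname-configured"; return 0; }
    flags=$(cert_trust_flags "$certs" "$nick")
    [ -n "$flags" ] || { echo "cert-missing:$nick"; return 0; }
    has_private_key "$keys" "$nick" || { echo "key-missing:$nick"; return 0; }
    echo "ok:$nick:$flags"
}

# Map a mod_nss error_log line to the failure mode seen in the thread.
classify_nss_error() {
    case $1 in
        *"Certificate not found"*)     echo "nickname-or-key-not-in-db" ;;
        *"CN and virtual name"*)       echo "wrong-cert-for-vhost" ;;
        *"SSL Library Error: -12285"*) echo "no-usable-server-cert-and-key" ;;
        *)                             echo "other" ;;
    esac
}

# On a real server, feed the live config and certutil output to diagnose;
# otherwise (as here) run on the constructed samples.
CONF=/etc/httpd/conf.d/nss.conf
if [ -r "$CONF" ] && command -v certutil >/dev/null 2>&1; then
    conf_text=$(cat "$CONF")
    db=$(nss_conf_value "$conf_text" NSSCertificateDatabase)
    pw=$(nss_conf_value "$conf_text" NSSPassPhraseDialog)
    case $pw in file:*) pw=${pw#file:} ;; *) pw=$db/pwdfile.txt ;; esac
    diagnose "$conf_text" "$(certutil -L -d "$db")" "$(certutil -K -d "$db" -f "$pw")"
else
    diagnose "$SAMPLE_NSS_CONF" "$SAMPLE_CERT_LIST" "$SAMPLE_KEY_LIST"
fi
```

On the samples the verdict is key-missing:Server-Cert, the state in which certutil -L shows the certificate while mod_nss still cannot use it.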
