Morgan Marodin wrote: > It works! > Thanks for your support. > > Anyway, I will try to update againt mod_nss package! :D
Glad it's working for you. I'm curious what the backup database was for. Did you create that? rob > Bye! > > > 2016-11-18 15:21 GMT+01:00 Morgan Marodin <[email protected] > <mailto:[email protected]>>: > > A little good news. > > Downgrading the /mod_nss/ RPM package, and restoring the original > //etc/httpd/alias/ folder, /ipa-server-upgrade/ procedure has > finished well: > /# ipa-server-upgrade > Upgrading IPA: > [1/10]: stopping directory server > [2/10]: saving configuration > [3/10]: disabling listeners > [4/10]: enabling DS global lock > [5/10]: starting directory server > [6/10]: updating schema > [7/10]: upgrading server > [8/10]: stopping directory server > [9/10]: restoring configuration > [10/10]: starting directory server > Done. > Update complete > Upgrading IPA services > Upgrading the configuration of the IPA services > [Verifying that root certificate is published] > [Migrate CRL publish directory] > CRL tree already moved > [Verifying that CA proxy configuration is correct] > [Verifying that KDC configuration is using ipa-kdb backend] > [Fix DS schema file syntax] > Syntax already fixed > [Removing RA cert from DS NSS database] > RA cert already removed > [Enable sidgen and extdom plugins by default] > [Updating HTTPD service IPA configuration] > [Updating mod_nss protocol versions] > Protocol versions already updated > [Updating mod_nss cipher suite] > [Fixing trust flags in /etc/httpd/alias] > Trust flags already processed > [Exporting KRA agent PEM file] > KRA is not enabled > [Removing self-signed CA] > [Removing Dogtag 9 CA] > [Checking for deprecated KDC configuration files] > [Checking for deprecated backups of Samba configuration files] > [Setting up Firefox extension] > [Add missing CA DNS records] > IPA CA DNS records already processed > [Removing deprecated DNS configuration options] > [Ensuring minimal number of connections] > [Enabling serial autoincrement in DNS] > [Updating GSSAPI configuration in DNS] > [Updating pid-file configuration in DNS] > [Checking global forwarding policy in named.conf to avoid conflicts > with automatic empty zones] > Global forward policy in named.conf will be changed to "only" to > avoid conflicts with automatic empty zones > [Adding server_id to named.conf] > Changes to named.conf have been made, restart named > Custodia service is being configured > Configuring ipa-custodia > [1/5]: Generating ipa-custodia config file > [2/5]: Making sure custodia container exists > [3/5]: Generating ipa-custodia keys > [4/5]: starting ipa-custodia > [5/5]: configuring ipa-custodia to start on boot > Done configuring ipa-custodia. > [Upgrading CA schema] > CA schema update complete > [Verifying that CA audit signing cert has 2 year validity] > [Update certmonger certificate renewal configuration to version 5] > Configuring certmonger to stop tracking system certificates for CA > Certmonger certificate renewal configuration updated to version 5 > [Enable PKIX certificate path discovery and validation] > PKIX already enabled > [Authorizing RA Agent to modify profiles] > [Authorizing RA Agent to manage lightweight CAs] > [Ensuring Lightweight CAs container exists in Dogtag database] > [Adding default OCSP URI configuration] > pki-tomcat configuration changed, restart pki-tomcat > [Ensuring CA is using LDAPProfileSubsystem] > [Migrating certificate profiles to LDAP] > [Ensuring presence of included profiles] > [Add default CA ACL] > Default CA ACL already added > [Set up lightweight CA key retrieval] > Creating principal > Retrieving keytab > Creating Custodia keys > Configuring key retriever > The IPA services were upgraded > The ipa-server-upgrade command was successful/ > > And Apache has started, BUT there is a problem with the web certificate: > /# tail -f /var/log/httpd/error_log > [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to > child 2 established (server mlv-ipa01.ipa.mydomain.com:443 > <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.252) > [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input > filter read failed. > [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library > Error: -12285 Unable to find the certificate or key necessary for > authentication > [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to > child 2 closed (server mlv-ipa01.ipa.mydomain.com:443 > <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.252)/ > > How do you suggest to go on with my issue? > > Thanks, Morgan > > 2016-11-18 12:11 GMT+01:00 Morgan Marodin <[email protected] > <mailto:[email protected]>>: > > I've tried to add it to a new test folder, with a new > certificate nickname, and then to replace it to /nss.conf/. > > But the problem persists: > /# certutil -V -u V -d /etc/httpd/test -n ipa01cert > certutil: certificate is valid/ > > /# tail -f /var/log/httpd/error_log > / > /[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] > AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> -> ipa01cert > [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The > server key database has not been initialized. > [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] > Configuring server for SSL protocol > ... > [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using > nickname ipa01cert. > [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] > Certificate not found: 'ipa01cert'/ > > I've found this guide:/ > Combine the server cert and key into a single file > # cp localhost.crt > Server-Cert.txt > # cat localhost.key >> Server-Cert.txt > Convert the server cert into a p12 file > # openssl pkcs12 -export -in Server-Cert.txt -out > Server-Cert.p12 -name "Server-Cert" > Now Import the Public and Private keys into the database at the > same time. > #pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias > -n Server-Cert/ > > Where is stored the key certificate file? > > Thanks, Morgan > > > 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <[email protected] > <mailto:[email protected]>>: > > On 11/18/2016 10:04 AM, Morgan Marodin wrote: > > Hi Florence. > > I've tried to configure the wrong certificate in > nss.conf (/ipaCert/), > and with this Apache started. > So I think the problem is in the /Server-Cert/ stored in > //etc/httpd/alias/, even if all manul checks are ok. > > These are logs with the wrong certificate test: > /# tail -f /var/log/httpd/error_log/ > /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid > 7709] AH01232: > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> -> ipaCert > > [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] > Configuring server > for SSL protocol > [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] > nss_engine_init.c(916): Enabling DHE key exchange > [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] > nss_engine_init.c(1077): NSSCipherSuite: Configuring > permitted SSL > ciphers > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] > nss_engine_init.c(1140): Disable cipher: rsa_null_md5 > ... > [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] > nss_engine_init.c(1140): Enable cipher: > ecdhe_rsa_aes_128_gcm_sha_256 > [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] > Using nickname ipaCert. > [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] > Misconfiguration > of certificate's CN and virtual name. The certificate CN > has IPA RA. We > expected mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > as virtual name. > [Fri Nov 18 09:34:33.028056 2016 <tel:028056%202016>] > [auth_digest:notice] [pid 7709] > AH01757: generating secret for digest authentication ... > [Fri Nov 18 09:34:33.030039 2016 <tel:030039%202016>] > [lbmethod_heartbeat:notice] [pid 7709] > AH02282: No slotmem from mod_heartmonitor > [Fri Nov 18 09:34:33.030122 2016 <tel:030122%202016>] > [:warn] [pid 7709] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Fri Nov 18 09:34:33.030176 2016 <tel:030176%202016>] > [:debug] [pid 7709] > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> -> ipaCert > > [Fri Nov 18 09:34:33.051481 2016 <tel:051481%202016>] > [mpm_prefork:notice] [pid 7709] > AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 > mod_auth_kerb/5.4 > mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 > Python/2.7.5 configured > -- resuming normal operations > [Fri Nov 18 09:34:33.051551 2016 <tel:051551%202016>] > [core:notice] [pid 7709] AH00094: > Command line: '/usr/sbin/httpd -D FOREGROUND' > [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] > proxy_util.c(1838): AH00924: worker ajp://localhost > shared already > initialized > [Fri Nov 18 09:34:33.096163 2016 <tel:096163%202016>] > [proxy:debug] [pid 7717] > proxy_util.c(1880): AH00926: worker ajp://localhost > local already > initialized > ... > [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] > proxy_util.c(1838): AH00924: worker > unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ > shared already > initialized > [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] > proxy_util.c(1880): AH00926: worker > unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ > local already > initialized > [Fri Nov 18 09:34:33.342762 2016 <tel:342762%202016>] > [:info] [pid 7717] Configuring server > for SSL protocol > [Fri Nov 18 09:34:33.342867 2016 <tel:342867%202016>] > [:debug] [pid 7717] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Fri Nov 18 09:34:33.342880 2016 <tel:342880%202016>] > [:debug] [pid 7717] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Fri Nov 18 09:34:33.342885 2016 <tel:342885%202016>] > [:debug] [pid 7717] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Fri Nov 18 09:34:33.342890 2016 <tel:342890%202016>] > [:debug] [pid 7717] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Fri Nov 18 09:34:33.342894 2016 <tel:342894%202016>] > [:debug] [pid 7717] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Fri Nov 18 09:34:33.342900 2016 <tel:342900%202016>] > [:debug] [pid 7717] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Fri Nov 18 09:34:33.342904 2016 <tel:342904%202016>] > [:debug] [pid 7717] > nss_engine_init.c(916): Enabling DHE key exchange > [Fri Nov 18 09:34:33.342917 2016 <tel:342917%202016>] > [:debug] [pid 7717] > nss_engine_init.c(1077): NSSCipherSuite: Configuring > permitted SSL > ciphers > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Fri Nov 18 09:34:33.342970 2016 <tel:342970%202016>] > [:debug] [pid 7717] > nss_engine_init.c(1140): Disable cipher: rsa_null_md5 > ... > [Fri Nov 18 09:34:33.343233 2016 <tel:343233%202016>] > [:debug] [pid 7717] > nss_engine_init.c(1140): Enable cipher: > ecdhe_rsa_aes_128_gcm_sha_256 > [Fri Nov 18 09:34:33.343237 2016 <tel:343237%202016>] > [:info] [pid 7717] Using nickname ipaCert. > [Fri Nov 18 09:34:33.344533 2016 <tel:344533%202016>] > [:error] [pid 7717] Misconfiguration > of certificate's CN and virtual name. The certificate CN > has IPA RA. We > expected mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > > as virtual name. > [Fri Nov 18 09:34:33.364061 2016 <tel:364061%202016>] > [:info] [pid 7718] Configuring server > for SSL protocol > [Fri Nov 18 09:34:33.364156 2016 <tel:364156%202016>] > [:debug] [pid 7718] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Fri Nov 18 09:34:33.364167 2016 <tel:364167%202016>] > [:debug] [pid 7718] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Fri Nov 18 09:34:33.364172 2016 <tel:364172%202016>] > [:debug] [pid 7718] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Fri Nov 18 09:34:33.364176 2016 <tel:364176%202016>] > [:debug] [pid 7718] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Fri Nov 18 09:34:33.364180 2016 <tel:364180%202016>] > [:debug] [pid 7718] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Fri Nov 18 09:34:33.364187 2016 <tel:364187%202016>] > [:debug] [pid 7718] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Fri Nov 18 09:34:33.364191 2016 <tel:364191%202016>] > [:debug] [pid 7718] > nss_engine_init.c(916): Enabling DHE key exchange > [Fri Nov 18 09:34:33.364202 2016 <tel:364202%202016>] > [:debug] [pid 7718] > nss_engine_init.c(1077): NSSCipherSuite: Configuring > permitted SSL > ciphers > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Fri Nov 18 09:34:33.364240 2016 <tel:364240%202016>] > [:debug] [pid 7718] > nss_engine_init.c(1140): Disable cipher: rsa_null_md5 > ... > [Fri Nov 18 09:34:33.364611 2016 <tel:364611%202016>] > [:debug] [pid 7718] > nss_engine_init.c(1140): Enable cipher: > ecdhe_rsa_aes_128_gcm_sha_256 > [Fri Nov 18 09:34:33.364625 2016 <tel:364625%202016>] > [:info] [pid 7718] Using nickname ipaCert. > [Fri Nov 18 09:34:33.365549 2016 <tel:365549%202016>] > [:error] [pid 7718] Misconfiguration > of certificate's CN and virtual name. The certificate CN > has IPA RA. We > expected mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > > as virtual name. > [Fri Nov 18 09:34:33.369972 2016 <tel:369972%202016>] > [:info] [pid 7720] Configuring server > for SSL protocol > [Fri Nov 18 09:34:33.370200 2016 <tel:370200%202016>] > [:debug] [pid 7720] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Fri Nov 18 09:34:33.370224 2016 <tel:370224%202016>] > [:debug] [pid 7720] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Fri Nov 18 09:34:33.370239 2016 <tel:370239%202016>] > [:debug] [pid 7720] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Fri Nov 18 09:34:33.370255 2016 <tel:370255%202016>] > [:debug] [pid 7720] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Fri Nov 18 09:34:33.370269 2016 <tel:370269%202016>] > [:debug] [pid 7720] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Fri Nov 18 09:34:33.370286 2016 <tel:370286%202016>] > [:debug] [pid 7720] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Fri Nov 18 09:34:33.370301 2016 <tel:370301%202016>] > [:debug] [pid 7720] > nss_engine_init.c(916): Enabling DHE key exchange > [Fri Nov 18 09:34:33.370322 2016 <tel:370322%202016>] > [:debug] [pid 7720] > nss_engine_init.c(1077): NSSCipherSuite: Configuring > permitted SSL > ciphers > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Fri Nov 18 09:34:33.370383 2016 <tel:370383%202016>] > [:debug] [pid 7720] > nss_engine_init.c(1140): Disable cipher: rsa_null_md5 > ... > [Fri Nov 18 09:34:33.371418 2016 <tel:371418%202016>] > [:debug] [pid 7720] > nss_engine_init.c(1140): Enable cipher: > ecdhe_rsa_aes_128_gcm_sha_256 > [Fri Nov 18 09:34:33.371437 2016 <tel:371437%202016>] > [:info] [pid 7720] Using nickname ipaCert. > [Fri Nov 18 09:34:33.371486 2016 <tel:371486%202016>] > [:info] [pid 7716] Configuring server > for SSL protocol > [Fri Nov 18 09:34:33.372383 2016 <tel:372383%202016>] > [:debug] [pid 7716] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Fri Nov 18 09:34:33.372439 2016 <tel:372439%202016>] > [:debug] [pid 7716] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Fri Nov 18 09:34:33.372459 2016 <tel:372459%202016>] > [:debug] [pid 7716] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Fri Nov 18 09:34:33.372484 2016 <tel:372484%202016>] > [:debug] [pid 7716] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Fri Nov 18 09:34:33.372513 2016 <tel:372513%202016>] > [:debug] [pid 7716] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Fri Nov 18 09:34:33.372534 2016 <tel:372534%202016>] > [:debug] [pid 7716] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Fri Nov 18 09:34:33.372553 2016 <tel:372553%202016>] > [:debug] [pid 7716] > nss_engine_init.c(916): Enabling DHE key exchange > [Fri Nov 18 09:34:33.372580 2016 <tel:372580%202016>] > [:debug] [pid 7716] > nss_engine_init.c(1077): NSSCipherSuite: Configuring > permitted SSL > ciphers > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Fri Nov 18 09:34:33.372627 2016 <tel:372627%202016>] > [:debug] [pid 7716] > nss_engine_init.c(1140): Disable cipher: rsa_null_md5 > ... > [Fri Nov 18 09:34:33.373712 2016 <tel:373712%202016>] > [:debug] [pid 7716] > nss_engine_init.c(1140): Enable cipher: > ecdhe_rsa_aes_128_gcm_sha_256 > [Fri Nov 18 09:34:33.373734 2016 <tel:373734%202016>] > [:info] [pid 7716] Using nickname ipaCert. > [Fri Nov 18 09:34:33.374652 2016 <tel:374652%202016>] > [:error] [pid 7716] Misconfiguration > of certificate's CN and virtual name. The certificate CN > has IPA RA. We > expected mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > as virtual name. > [Fri Nov 18 09:34:33.372295 2016 <tel:372295%202016>] > [:error] [pid 7720] Misconfiguration > of certificate's CN and virtual name. The certificate CN > has IPA RA. We > expected mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > > as virtual name. > [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] > Configuring server > for SSL protocol > [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] > nss_engine_init.c(916): Enabling DHE key exchange > [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] > nss_engine_init.c(1077): NSSCipherSuite: Configuring > permitted SSL > ciphers > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] > nss_engine_init.c(1140): Disable cipher: rsa_null_md5 > ... > [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] > nss_engine_init.c(1140): Enable cipher: > ecdhe_rsa_aes_128_gcm_sha_256 > [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] > Using nickname ipaCert. > [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] > Misconfiguration > of certificate's CN and virtual name. The certificate CN > has IPA RA. We > expected mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > as virtual name. > [Fri Nov 18 09:34:35.558286 2016 <tel:558286%202016>] > [:error] [pid 7715] ipa: WARNING: > session memcached servers not running > [Fri Nov 18 09:34:35.559653 2016 <tel:559653%202016>] > [:error] [pid 7714] ipa: WARNING: > session memcached servers not running > [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] > ipa: INFO: *** > PROCESS START *** > [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] > ipa: INFO: *** > PROCESS START *** > [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] > Connection to child > 1 established (server mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>>, client 192.168.0.239) > [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL > input filter > read failed. > [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] > SSL Library Error: > -12285 Unable to find the certificate or key necessary > for authentication > [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] > Connection to child > 1 closed (server mlv-ipa01.ipa.mydomain.com:443 > <http://mlv-ipa01.ipa.mydomain.com:443> > <http://mlv-ipa01.ipa.mydomain.com:443 > <http://mlv-ipa01.ipa.mydomain.com:443>>, client > 192.168.0.239) > [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] > [pid 7709] > AH00170: caught SIGWINCH, shutting down gracefully/ > > Is possible to delete /Server-Cert/ from > //etc/httpd/alias/ and reimport > it from the original certificates of > /mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>>/? > Where are stored the original certificates? > > Hi Morgan, > > with ldapsearch you should be able to find the certificate: > ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory > manager" -w password -LLL -b > > krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN > > The cert will be stored in the field "usercertificate". > > HTH, > Flo. > > Please let me know, thanks. > Bye, Morgan > > 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>: > > > On 11/17/2016 04:51 PM, Morgan Marodin wrote: > > Hi Rob. > > I've just tried to remove the group write to the > *.db files, but > it's > not the problem. > /[root@mlv-ipa01 ~]# grep NSSNickname > /etc/httpd/conf.d/nss.conf > NSSNickname Server-Cert/ > > I've tried to run manually /dirsrv.target/ and > /krb5kdc.service/, and it > works, services went up. > The same for /ntpd/, /named-pkcs11.service/, > /smb.service/, > /winbind.service/, /kadmin.service/, > /memcached.service/ and > /pki-tomcatd.target/. > > But if I try to start /httpd.service/: > /[root@mlv-ipa01 ~]# tail -f /var/log/messages > Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting > The Apache HTTP > Server... > Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: > ipa : > INFO KDC > proxy enabled > Nov 17 16:46:07 mlv-ipa01 systemd[1]: > httpd.service: main process > exited, code=exited, status=1/FAILURE > Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot > find process "" > Nov 17 16:46:07 mlv-ipa01 systemd[1]: > httpd.service: control process > exited, code=exited status=1 > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to > start The Apache > HTTP > Server. > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit > httpd.service entered > failed > state. > Nov 17 16:46:07 mlv-ipa01 systemd[1]: > httpd.service failed./ > > Any other ideas? > > Hi, > > - Does the NSS Db contain the private key for > Server-Cert? If yes, > the command > $ certutil -K -d /etc/httpd/alias/ -f > /etc/httpd/alias/pwdfile.txt > should display a line like this one: > < 0> rsa > 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS > Certificate DB:Server-Cert > > - Is your system running with SElinux enforcing? If > yes, you can > check if there were SElinux permission denials using > $ ausearch -m avc --start recent > > - If the certificate was expired, I believe you > would see a > different message, but it doesn't hurt to check its > validity > $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | > egrep "Not > Before|Not After" > > > Flo. > > > Please let me know, thanks. > Morgan > > 2016-11-17 16:11 GMT+01:00 Rob Crittenden > <[email protected] <mailto:[email protected]> > <mailto:[email protected] > <mailto:[email protected]>> > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>>>>: > > > > Morgan Marodin wrote: > > Hi Florence. > > > > Thanks for your support. > > > > Yes, httpd is using /etc/httpd/alias as > NSS DB. And seems > that all > > permissions and certificates are good: > > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/ > > total 184 > > -r--r--r-- 1 root root 1345 Sep 7 > 2015 cacert.asc > > -rw-rw---- 1 root apache 65536 Nov 17 > 11:06 cert8.db > > -rw-r-----. 1 root apache 65536 Sep 4 > 2015 cert8.db.orig > > -rw-------. 1 root root 4833 Sep 4 > 2015 install.log > > -rw-rw---- 1 root apache 16384 Nov 17 > 11:06 key3.db > > -rw-r-----. 1 root apache 16384 Sep 4 > 2015 key3.db.orig > > lrwxrwxrwx 1 root root 24 Nov 17 > 10:24 libnssckbi.so -> > > /usr/lib64/libnssckbi.so > > -rw-rw---- 1 root apache 20 Sep 7 > 2015 pwdfile.txt > > -rw-rw---- 1 root apache 16384 Sep 7 > 2015 secmod.db > > -rw-r-----. 1 root apache 16384 Sep 4 > 2015 secmod.db.orig/ > > Eventually you'll want to remove group write > on the *.db files. > > > And password validations seems ok, too: > > /[root@mlv-ipa01 ~]# certutil -K -d > /etc/httpd/alias/ -f > > /etc/httpd/alias/pwdfile.txt > good > > > Enabling mod-nss debug I can see these logs: > > /[root@mlv-ipa01 ~]# tail -f > /var/log/httpd/error_log > > [Thu Nov 17 15:05:10.807603 2016] > [suexec:notice] [pid > 10660] AH01232: > > suEXEC mechanism enabled (wrapper: > /usr/sbin/suexec) > > [Thu Nov 17 15:05:10.807958 2016] [:warn] > [pid 10660] > > NSSSessionCacheTimeout is deprecated. > Ignoring. > > [Thu Nov 17 15:05:10.807991 2016] [:debug] > [pid 10660] > > nss_engine_init.c(454): SNI: > mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>>> > > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>>>> -> Server-Cert > > [Thu Nov 17 15:05:11.002664 2016] [:info] > [pid 10660] > Configuring server > > for SSL protocol > > [Thu Nov 17 15:05:11.002817 2016] [:debug] > [pid 10660] > > nss_engine_init.c(770): NSSProtocol: > Enabling TLSv1.0 > > [Thu Nov 17 15:05:11.002838 2016] [:debug] > [pid 10660] > > nss_engine_init.c(775): NSSProtocol: > Enabling TLSv1.1 > > [Thu Nov 17 15:05:11.002847 2016] [:debug] > [pid 10660] > > nss_engine_init.c(780): NSSProtocol: > Enabling TLSv1.2 > > [Thu Nov 17 15:05:11.002856 2016] [:debug] > [pid 10660] > > nss_engine_init.c(839): NSSProtocol: [TLS > 1.0] (minimum) > > [Thu Nov 17 15:05:11.002876 2016] [:debug] > [pid 10660] > > nss_engine_init.c(866): NSSProtocol: [TLS > 1.2] (maximum) > > [Thu Nov 17 15:05:11.003099 2016] [:debug] > [pid 10660] > > nss_engine_init.c(906): Disabling TLS > Session Tickets > > [Thu Nov 17 15:05:11.003198 2016] [:debug] > [pid 10660] > > nss_engine_init.c(916): Enabling DHE key > exchange > > [Thu Nov 17 15:05:11.003313 2016] [:debug] > [pid 10660] > > nss_engine_init.c(1077): NSSCipherSuite: > Configuring > permitted SSL > > ciphers > > > > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > > [Thu Nov 17 15:05:11.003469 2016] [:debug] > [pid 10660] > > [Thu Nov 17 15:05:11.006759 2016] [:info] > [pid 10660] > Using nickname > > Server-Cert. > [snip] > > [Thu Nov 17 15:05:11.006771 2016] [:error] > [pid 10660] > Certificate not > > found: 'Server-Cert' > > Can you shows what this returns: > > # grep NSSNickname /etc/httpd/conf.d/nss.conf > > > Do you think there is a kerberos problem? > > It definitely is not. > > You can bring the system up in a minimal way > by manually > starting the > [email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>>> service > > and then > krb5kdc. This will at least let your > users authenticate. The management framework > (GUI) runs > through Apache > so that will be down until we can get Apache > started again. > > rob > > > > > Please let me know, thanks. > > Bye, Morgan > > > > 2016-11-17 14:39 GMT+01:00 Florence > Blanc-Renaud > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>: > > > > > On 11/17/2016 12:09 PM, Morgan Marodin > wrote: > > > > Hello. > > > > This morning I've tried to upgrade > my IPA server, > but the > upgrade > > failed, and now the service > doesn't start! :( > > > > If I try lo launch the upgrade > manually this is > the output: > > /[root@mlv-ipa01 download]# > ipa-server-upgrade > > > > Upgrading IPA: > > [1/8]: saving configuration > > [2/8]: disabling listeners > > [3/8]: enabling DS global lock > > [4/8]: starting directory server > > [5/8]: updating schema > > [6/8]: upgrading server > > [7/8]: stopping directory server > > [8/8]: restoring configuration > > Done. > > Update complete > > Upgrading IPA services > > Upgrading the configuration of the > IPA services > > [Verifying that root certificate > is published] > > [Migrate CRL publish directory] > > CRL tree already moved > > [Verifying that CA proxy > configuration is correct] > > [Verifying that KDC configuration > is using ipa-kdb > backend] > > [Fix DS schema file syntax] > > Syntax already fixed > > [Removing RA cert from DS NSS > database] > > RA cert already removed > > [Enable sidgen and extdom plugins > by default] > > [Updating HTTPD service IPA > configuration] > > [Updating mod_nss protocol versions] > > Protocol versions already updated > > [Updating mod_nss cipher suite] > > [Fixing trust flags in > /etc/httpd/alias] > > Trust flags already processed > > [Exporting KRA agent PEM file] > > KRA is not enabled > > IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log > and run > > command ipa-server-upgrade manually. > > Unexpected error - see > /var/log/ipaupgrade.log for > details: > > CalledProcessError: Command > '/bin/systemctl start > httpd.service' > > returned non-zero exit status 1 > > The ipa-server-upgrade command > failed. See > > /var/log/ipaupgrade.log for > > more information/ > > > > These are error logs of Apache: > > /[Thu Nov 17 11:48:45.498510 2016] > [suexec:notice] > [pid 5664] > > AH01232: > > suEXEC mechanism enabled (wrapper: > /usr/sbin/suexec) > > [Thu Nov 17 11:48:45.499220 2016] > [:warn] [pid 5664] > > NSSSessionCacheTimeout is > deprecated. Ignoring. > > [Thu Nov 17 11:48:45.830910 2016] > [:error] [pid 5664] > > Certificate not > > found: 'Server-Cert'/ > > > > The problem seems to be the > /Server-Cert /that > could not > be found. > > But if I try to execute the > certutil command > manually I > can see it:/ > > [root@mlv-ipa01 log]# certutil -L > -d /etc/httpd/alias/ > > Certificate Nickname > Trust > > Attributes > > > > SSL,S/MIME,JAR/XPI > > Signing-Cert > u,u,u > > ipaCert > u,u,u > > Server-Cert > Pu,u,u > > IPA.MYDOMAIN.COM > <http://IPA.MYDOMAIN.COM> <http://IPA.MYDOMAIN.COM> > <http://IPA.MYDOMAIN.COM> > <http://IPA.MYDOMAIN.COM> > > <http://IPA.MYDOMAIN.COM> IPA > > CA > CT,C,C/ > > > > Could you help me? > > What could I try to do to restart > my service? > > > > Hi, > > > > I would first make sure that httpd is > using > /etc/httpd/alias > as NSS > > DB (check the directive > NSSCertificateDatabase in > > /etc/httpd/conf.d/nss.conf). > > Then it may be a file permission > issue: the NSS DB should > belong to > > root:apache (the relevant files are > cert8.db, key3.db and > secmod.db). > > You should also find a pwdfile.txt in > the same directory, > containing > > the NSS DB password. Check that the > password is valid > using > > certutil -K -d /etc/httpd/alias/ -f > /etc/httpd/alias/pwdfile.txt > > (if the command succeeds then the > password in pwdfile > is OK). > > > > You can also enable mod-nss debug in > /etc/httpd/conf/nss.conf by > > setting "LogLevel debug", and check > the output in > > /var/log/httpd/error_log. > > > > HTH, > > Flo. > > > > Thanks, Morgan > > > > > > > > -- > > Manage your subscription for the > Freeipa-users mailing > list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>> > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>>> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>> > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>>>> > > Go to http://freeipa.org for more info > on the project > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
