Morgan Marodin wrote:
> What do you mean with backup database?
>
> Updating again the mod_nss RPM, Apache doesn't start ... so, this is the
> problem.

You said "and restoring the original /etc/httpd/alias/ folder". Original
from what, where did that come from?

So merely updating mod_nss breaks things? Strange. What is the working
version?

rpm -q mod_nss

rob

> 2016-11-18 15:43 GMT+01:00 Rob Crittenden <[email protected]>:
>
> > Morgan Marodin wrote:
> > > It works!
> > > Thanks for your support.
> > >
> > > Anyway, I will try to update again the mod_nss package! :D
> >
> > Glad it's working for you. I'm curious what the backup database was for.
> > Did you create that?
> >
> > rob
> >
> > > Bye!
> > >
> > > 2016-11-18 15:21 GMT+01:00 Morgan Marodin <[email protected]>:
> > >
> > > > A little good news.
> > > >
> > > > Downgrading the mod_nss RPM package, and restoring the original
> > > > /etc/httpd/alias/ folder, the ipa-server-upgrade procedure has
> > > > finished well:
> > > > # ipa-server-upgrade
> > > > Upgrading IPA:
> > > >   [1/10]: stopping directory server
> > > >   [2/10]: saving configuration
> > > >   [3/10]: disabling listeners
> > > >   [4/10]: enabling DS global lock
> > > >   [5/10]: starting directory server
> > > >   [6/10]: updating schema
> > > >   [7/10]: upgrading server
> > > >   [8/10]: stopping directory server
> > > >   [9/10]: restoring configuration
> > > >   [10/10]: starting directory server
> > > > Done.
> > > > Update complete
> > > > Upgrading IPA services
> > > > Upgrading the configuration of the IPA services
> > > > [Verifying that root certificate is published]
> > > > [Migrate CRL publish directory]
> > > > CRL tree already moved
> > > > [Verifying that CA proxy configuration is correct]
> > > > [Verifying that KDC configuration is using ipa-kdb backend]
> > > > [Fix DS schema file syntax]
> > > > Syntax already fixed
> > > > [Removing RA cert from DS NSS database]
> > > > RA cert already removed
> > > > [Enable sidgen and extdom plugins by default]
> > > > [Updating HTTPD service IPA configuration]
> > > > [Updating mod_nss protocol versions]
> > > > Protocol versions already updated
> > > > [Updating mod_nss cipher suite]
> > > > [Fixing trust flags in /etc/httpd/alias]
> > > > Trust flags already processed
> > > > [Exporting KRA agent PEM file]
> > > > KRA is not enabled
> > > > [Removing self-signed CA]
> > > > [Removing Dogtag 9 CA]
> > > > [Checking for deprecated KDC configuration files]
> > > > [Checking for deprecated backups of Samba configuration files]
> > > > [Setting up Firefox extension]
> > > > [Add missing CA DNS records]
> > > > IPA CA DNS records already processed
> > > > [Removing deprecated DNS configuration options]
> > > > [Ensuring minimal number of connections]
> > > > [Enabling serial autoincrement in DNS]
> > > > [Updating GSSAPI configuration in DNS]
> > > > [Updating pid-file configuration in DNS]
> > > > [Checking global forwarding policy in named.conf to avoid conflicts
> > > > with automatic empty zones]
> > > > Global forward policy in named.conf will be changed to "only" to
> > > > avoid conflicts with automatic empty zones
> > > > [Adding server_id to named.conf]
> > > > Changes to named.conf have been made, restart named
> > > > Custodia service is being configured
> > > > Configuring ipa-custodia
> > > >   [1/5]: Generating ipa-custodia config file
> > > >   [2/5]: Making sure custodia container exists
> > > >   [3/5]: Generating ipa-custodia keys
> > > >   [4/5]: starting ipa-custodia
> > > >   [5/5]: configuring ipa-custodia to start on boot
> > > > Done configuring ipa-custodia.
> > > > [Upgrading CA schema]
> > > > CA schema update complete
> > > > [Verifying that CA audit signing cert has 2 year validity]
> > > > [Update certmonger certificate renewal configuration to version 5]
> > > > Configuring certmonger to stop tracking system certificates for CA
> > > > Certmonger certificate renewal configuration updated to version 5
> > > > [Enable PKIX certificate path discovery and validation]
> > > > PKIX already enabled
> > > > [Authorizing RA Agent to modify profiles]
> > > > [Authorizing RA Agent to manage lightweight CAs]
> > > > [Ensuring Lightweight CAs container exists in Dogtag database]
> > > > [Adding default OCSP URI configuration]
> > > > pki-tomcat configuration changed, restart pki-tomcat
> > > > [Ensuring CA is using LDAPProfileSubsystem]
> > > > [Migrating certificate profiles to LDAP]
> > > > [Ensuring presence of included profiles]
> > > > [Add default CA ACL]
> > > > Default CA ACL already added
> > > > [Set up lightweight CA key retrieval]
> > > > Creating principal
> > > > Retrieving keytab
> > > > Creating Custodia keys
> > > > Configuring key retriever
> > > > The IPA services were upgraded
> > > > The ipa-server-upgrade command was successful
> > > >
> > > > And Apache has started, BUT there is a problem with the web
> > > > certificate:
> > > > # tail -f /var/log/httpd/error_log
> > > > [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> > > > [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> > > > [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> > > > [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> > > >
> > > > How do you suggest to go on with my issue?
> > > >
> > > > Thanks, Morgan
> > > >
> > > > 2016-11-18 12:11 GMT+01:00 Morgan Marodin <[email protected]>:
> > > >
> > > > > I've tried to add it to a new test folder, with a new
> > > > > certificate nickname, and then to replace it in nss.conf.
> > > > >
> > > > > But the problem persists:
> > > > > # certutil -V -u V -d /etc/httpd/test -n ipa01cert
> > > > > certutil: certificate is valid
> > > > >
> > > > > # tail -f /var/log/httpd/error_log
> > > > > [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > > > [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > > > [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
> > > > > [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
> > > > > [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol
> > > > > ...
> > > > > [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
> > > > > [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'
> > > > >
> > > > > I've found this guide:
> > > > > Combine the server cert and key into a single file
> > > > > # cat localhost.crt > Server-Cert.txt
> > > > > # cat localhost.key >> Server-Cert.txt
> > > > > Convert the server cert into a p12 file
> > > > > # openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
> > > > > Now import the public and private keys into the database at the same time.
> > > > > # pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert
> > > > >
> > > > > Where is stored the key certificate file?
> > > > >
> > > > > Thanks, Morgan
> > > > >
> > > > > 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> > > > >
> > > > > > On 11/18/2016 10:04 AM, Morgan Marodin wrote:
> > > > > > > Hi Florence.
> > > > > > >
> > > > > > > I've tried to configure the wrong certificate in nss.conf (ipaCert),
> > > > > > > and with this Apache started.
> > > > > > > So I think the problem is in the Server-Cert stored in
> > > > > > > /etc/httpd/alias/, even if all manual checks are ok.
> > > > > > >
> > > > > > > These are logs with the wrong certificate test:
> > > > > > > # tail -f /var/log/httpd/error_log
> > > > > > > [Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > > > > > [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > > > > > [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
> > > > > > > [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
> > > > > > > [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > > > > [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > > > > [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > > > > [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > > > > [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > > > > [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > > > > [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
> > > > > > > [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > > > > [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > > > > > [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
> > > > > > > [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > > > > > [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
> > > > > > > [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
> > > > > > > [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > > > > > [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
> > > > > > > [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
> > > > > > > [Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
> > > > > > > [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
> > > > > > > [Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
> > > > > > > [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
> > > > > > > [Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
> > > > > > > [Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > > > > [Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > > > > [Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > > > > [Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > > > > [Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > > > > [Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > > > > [Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling DHE key exchange
> > > > > > > [Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > > > > [Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > > > > > [Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
> > > > > > > [Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > > > > > [Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server for SSL protocol
> > > > > > > [Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > > > > [Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > > > > [Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > > > > [Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > > > > [Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > > > > [Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > > > > [Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718] nss_engine_init.c(916): Enabling DHE key exchange
> > > > > > > [Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > > > > [Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > > > > > [Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
> > > > > > > [Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > > > > > [Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server for SSL protocol
> > > > > > > [Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > > > > [Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > > > > [Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > > > > [Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > > > > [Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > > > > [Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > > > > [Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720] nss_engine_init.c(916): Enabling DHE key exchange
> > > > > > > [Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > > > > [Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > > > > > [Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
> > > > > > > [Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server for SSL protocol
> > > > > > > [Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > > > > [Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > > > > [Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > > > > [Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > > > > [Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > > > > [Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > > > > [Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling DHE key exchange
> > > > > > > [Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > > > > [Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > > > > > [Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
> > > > > > > [Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > > > > > [Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > > > > > [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server for SSL protocol
> > > > > > > [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > > > > [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > > > > [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > > > > [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > > > > [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > > > > [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > > > > [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] nss_engine_init.c(916): Enabling DHE key exchange
> > > > > > > [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > > > > [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > > > > > ...
> > > > > > > [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > > > > > [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
> > > > > > > [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > > > > > [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running
> > > > > > > [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running
> > > > > > > [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***
> > > > > > > [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***
> > > > > > > [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
> > > > > > > [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.
> > > > > > > [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> > > > > > > [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
> > > > > > > [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully
> > > > > > >
> > > > > > > Is it possible to delete Server-Cert from /etc/httpd/alias/ and
> > > > > > > reimport it from the original certificates of mlv-ipa01.ipa.mydomain.com?
> > > > > > > Where are stored the original certificates?
> > > > > >
> > > > > > Hi Morgan,
> > > > > >
> > > > > > with ldapsearch you should be able to find the certificate:
> > > > > > ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
> > > > > >
> > > > > > The cert will be stored in the field "usercertificate".
> > > > > >
> > > > > > HTH,
> > > > > > Flo.
> > > > > >
> > > > > > > Please let me know, thanks.
> > > > > > > Bye, Morgan
> > > > > > >
> > > > > > > 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
> > > > > > >
> > > > > > > > On 11/17/2016 04:51 PM, Morgan Marodin wrote:
> > > > > > > > > Hi Rob.
> > > > > > > > >
> > > > > > > > > I've just tried to remove the group write to the *.db files, but
> > > > > > > > > it's not the problem.
> > > > > > > > > [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > > > > > > > > NSSNickname Server-Cert
> > > > > > > > >
> > > > > > > > > I've tried to run manually dirsrv.target and krb5kdc.service, and
> > > > > > > > > it works, services went up.
> > > > > > > > > The same for ntpd, named-pkcs11.service, smb.service,
> > > > > > > > > winbind.service, kadmin.service, memcached.service and
> > > > > > > > > pki-tomcatd.target.
> > > > > > > > >
> > > > > > > > > But if I try to start httpd.service:
> > > > > > > > > [root@mlv-ipa01 ~]# tail -f /var/log/messages
> > > > > > > > > Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
> > > > > > > > > Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
> > > > > > > > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
> > > > > > > > > Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
> > > > > > > > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
> > > > > > > > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
> > > > > > > > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
> > > > > > > > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.
> > > > > > > > >
> > > > > > > > > Any other ideas?
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > - Does the NSS Db contain the private key for Server-Cert? If yes,
> > > > > > > > the command
> > > > > > > > $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> > > > > > > > should display a line like this one:
> > > > > > > > < 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate DB:Server-Cert
> > > > > > > >
> > > > > > > > - Is your system running with SElinux enforcing? If yes, you can
> > > > > > > > check if there were SElinux permission denials using
> > > > > > > > $ ausearch -m avc --start recent
> > > > > > > >
> > > > > > > > - If the certificate was expired, I believe you would see a
> > > > > > > > different message, but it doesn't hurt to check its validity
> > > > > > > > $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
> > > > > > > >
> > > > > > > > Flo.
> > > > > > > >
> > > > > > > > > Please let me know, thanks.
> > > > > > > > > Morgan
> > > > > > > > >
> > > > > > > > > 2016-11-17 16:11 GMT+01:00 Rob Crittenden <[email protected]>:
> > > > > > > > >
> > > > > > > > > > Morgan Marodin wrote:
> > > > > > > > > > > Hi Florence.
> > > > > > > > > > >
> > > > > > > > > > > Thanks for your support.
> > > > > > > > > > >
> > > > > > > > > > > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems
> > > > > > > > > > > that all permissions and certificates are good:
> > > > > > > > > > > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > > > > > > > > > > total 184
> > > > > > > > > > > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
> > > > > > > > > > > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
> > > > > > > > > > > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > > > > > > > > > > -rw-------. 1 root root    4833 Sep  4  2015 install.log
> > > > > > > > > > > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
> > > > > > > > > > > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > > > > > > > > > > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
> > > > > > > > > > > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
> > > > > > > > > > > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
> > > > > > > > > > > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig
> > > > > > > > > >
> > > > > > > > > > Eventually you'll want to remove group write on the *.db files.
> > > > > > > > > >
> > > > > > > > > > > And password validation seems ok, too:
> > > > > > > > > > > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> > > > > > > > > >
> > > > > > > > > > good
> > > > > > > > > >
> > > > > > > > > > > Enabling mod_nss debug I can see these logs:
> > > > > > > > > > > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > > > > > > > > > > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > > > > > > > > > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > > > > > > > > > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
> > > > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>> > > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com> > > <http://mlv-ipa01.ipa.mydomain.com > <http://mlv-ipa01.ipa.mydomain.com>>>>> -> Server-Cert > > > [Thu Nov 17 15:05:11.002664 2016] > [:info] > > [pid 10660] > > Configuring server > > > for SSL protocol > > > [Thu Nov 17 15:05:11.002817 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(770): NSSProtocol: > > Enabling TLSv1.0 > > > [Thu Nov 17 15:05:11.002838 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(775): NSSProtocol: > > Enabling TLSv1.1 > > > [Thu Nov 17 15:05:11.002847 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(780): NSSProtocol: > > Enabling TLSv1.2 > > > [Thu Nov 17 15:05:11.002856 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(839): > NSSProtocol: [TLS > > 1.0] (minimum) > > > [Thu Nov 17 15:05:11.002876 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(866): > NSSProtocol: [TLS > > 1.2] (maximum) > > > [Thu Nov 17 15:05:11.003099 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(906): Disabling TLS > > Session Tickets > > > [Thu Nov 17 15:05:11.003198 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(916): Enabling DHE key > > exchange > > > [Thu Nov 17 15:05:11.003313 2016] > [:debug] > > [pid 10660] > > > nss_engine_init.c(1077): NSSCipherSuite: > > Configuring > > permitted SSL > > > ciphers > > > > > > > > > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > > > [Thu Nov 17 15:05:11.003469 2016] > [:debug] > > [pid 10660] > > > [Thu Nov 17 15:05:11.006759 2016] > 
[:info] > > [pid 10660] > > Using nickname > > > Server-Cert. > > [snip] > > > [Thu Nov 17 15:05:11.006771 2016] > [:error] > > [pid 10660] > > Certificate not > > > found: 'Server-Cert' > > > > Can you shows what this returns: > > > > # grep NSSNickname > /etc/httpd/conf.d/nss.conf > > > > > Do you think there is a kerberos > problem? > > > > It definitely is not. > > > > You can bring the system up in a > minimal way > > by manually > > starting the > > [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>> > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>> <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <mailto:[email protected]>>>> service > > > > and then > > krb5kdc. This will at least let your > > users authenticate. The management > framework > > (GUI) runs > > through Apache > > so that will be down until we can get > Apache > > started again. > > > > rob > > > > > > > > Please let me know, thanks. 
> > > Bye, Morgan > > > > > > 2016-11-17 14:39 GMT+01:00 Florence > > Blanc-Renaud > > <[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>>>> > > > <mailto:[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>> > <mailto:[email protected] <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> > > <mailto:[email protected] > <mailto:[email protected]> <mailto:[email protected] <mailto:[email protected]>> > > <mailto:[email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>>>>>>: > > > > > > > > On 11/17/2016 12:09 PM, Morgan > Marodin > > wrote: > > > > > > Hello. > > > > > > This morning I've tried to > upgrade > > my IPA server, > > but the > > upgrade > > > failed, and now the service > > doesn't start! :( > > > > > > If I try lo launch the upgrade > > manually this is > > the output: > > > /[root@mlv-ipa01 download]# > > ipa-server-upgrade > > > > > > Upgrading IPA: > > > [1/8]: saving configuration > > > [2/8]: disabling listeners > > > [3/8]: enabling DS global lock > > > [4/8]: starting directory > server > > > [5/8]: updating schema > > > [6/8]: upgrading server > > > [7/8]: stopping directory > server > > > [8/8]: restoring configuration > > > Done. 
> > > Update complete > > > Upgrading IPA services > > > Upgrading the configuration > of the > > IPA services > > > [Verifying that root certificate > > is published] > > > [Migrate CRL publish directory] > > > CRL tree already moved > > > [Verifying that CA proxy > > configuration is correct] > > > [Verifying that KDC > configuration > > is using ipa-kdb > > backend] > > > [Fix DS schema file syntax] > > > Syntax already fixed > > > [Removing RA cert from DS NSS > > database] > > > RA cert already removed > > > [Enable sidgen and extdom > plugins > > by default] > > > [Updating HTTPD service IPA > > configuration] > > > [Updating mod_nss protocol > versions] > > > Protocol versions already > updated > > > [Updating mod_nss cipher suite] > > > [Fixing trust flags in > > /etc/httpd/alias] > > > Trust flags already processed > > > [Exporting KRA agent PEM file] > > > KRA is not enabled > > > IPA server upgrade failed: > Inspect > > /var/log/ipaupgrade.log > > and run > > > command ipa-server-upgrade > manually. > > > Unexpected error - see > > /var/log/ipaupgrade.log for > > details: > > > CalledProcessError: Command > > '/bin/systemctl start > > httpd.service' > > > returned non-zero exit status 1 > > > The ipa-server-upgrade command > > failed. See > > > /var/log/ipaupgrade.log for > > > more information/ > > > > > > These are error logs of Apache: > > > /[Thu Nov 17 11:48:45.498510 > 2016] > > [suexec:notice] > > [pid 5664] > > > AH01232: > > > suEXEC mechanism enabled > (wrapper: > > /usr/sbin/suexec) > > > [Thu Nov 17 11:48:45.499220 > 2016] > > [:warn] [pid 5664] > > > NSSSessionCacheTimeout is > > deprecated. Ignoring. > > > [Thu Nov 17 11:48:45.830910 > 2016] > > [:error] [pid 5664] > > > Certificate not > > > found: 'Server-Cert'/ > > > > > > The problem seems to be the > > /Server-Cert /that > > could not > > be found. 
> > > But if I try to execute the > > certutil command > > manually I > > can see it:/ > > > [root@mlv-ipa01 log]# > certutil -L > > -d /etc/httpd/alias/ > > > Certificate Nickname > > Trust > > > Attributes > > > > > > SSL,S/MIME,JAR/XPI > > > Signing-Cert > > u,u,u > > > ipaCert > > u,u,u > > > Server-Cert > > Pu,u,u > > > IPA.MYDOMAIN.COM > <http://IPA.MYDOMAIN.COM> > > <http://IPA.MYDOMAIN.COM> <http://IPA.MYDOMAIN.COM> > > <http://IPA.MYDOMAIN.COM> > > <http://IPA.MYDOMAIN.COM> > > > <http://IPA.MYDOMAIN.COM> IPA > > > CA > > CT,C,C/ > > > > > > Could you help me? > > > What could I try to do to > restart > > my service? > > > > > > Hi, > > > > > > I would first make sure that > httpd is > > using > > /etc/httpd/alias > > as NSS > > > DB (check the directive > > NSSCertificateDatabase in > > > /etc/httpd/conf.d/nss.conf). > > > Then it may be a file permission > > issue: the NSS DB should > > belong to > > > root:apache (the relevant files are > > cert8.db, key3.db and > > secmod.db). > > > You should also find a > pwdfile.txt in > > the same directory, > > containing > > > the NSS DB password. Check that the > > password is valid > > using > > > certutil -K -d /etc/httpd/alias/ -f > > /etc/httpd/alias/pwdfile.txt > > > (if the command succeeds then the > > password in pwdfile > > is OK). > > > > > > You can also enable mod-nss debug in > > /etc/httpd/conf/nss.conf by > > > setting "LogLevel debug", and check > > the output in > > > /var/log/httpd/error_log. > > > > > > HTH, > > > Flo. 
> > > > > > Thanks, Morgan > > > > > > > > > > > > -- > > > Manage your subscription for the > > Freeipa-users mailing > > list: > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>> > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>>> > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>> > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>>>> > > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>> > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>>> > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>> > > > > > <https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users> > > > 
<https://www.redhat.com/mailman/listinfo/freeipa-users > <https://www.redhat.com/mailman/listinfo/freeipa-users>>>>> > > > Go to http://freeipa.org for > more info > > on the project > > > > > > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
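The checks Florence and Rob walk through above (NSSNickname matches a certificate in the NSS DB, `certutil -K` lists a private key for it, the trust flags carry `u`, the `*.db` files are root:apache without group write, and the certificate is inside its validity window) are mechanical enough to script. The following is an added example, not code from the thread or from FreeIPA or mod_nss: it parses captured `certutil -L`, `certutil -K`, `ls -l` and `certutil -L -n` output offline and reports findings. The sample output embedded below is constructed to resemble the listings in the thread (the key ids are made up), and the `Finding` type and function names are this example's own.

```python
"""Offline triage for mod_nss "Certificate not found: '<nickname>'".

Added example (not from the thread or the FreeIPA project). It runs the
checks suggested in the thread against captured command output, so it can
be used on a copy of the output without touching the live NSS database.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Finding:
    severity: str   # "error": likely to stop httpd; "warn": hardening advice
    message: str


def nss_nickname(nss_conf: str):
    """Value of the NSSNickname directive in nss.conf (comments ignored), or None."""
    for line in nss_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"NSSNickname\s+(\S+)$", line)
        if m:
            return m.group(1)
    return None


def parse_certutil_list(output: str) -> dict:
    """Nickname -> trust string (e.g. "Pu,u,u") from `certutil -L -d <db>` output.

    Nicknames may contain spaces ("IPA.MYDOMAIN.COM IPA CA"); the trust
    attributes are the last token on the line and always contain two commas.
    """
    certs = {}
    for line in output.splitlines():
        m = re.match(r"^(\S.*?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$", line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_certutil_keys(output: str) -> dict:
    """Key nickname -> key id from `certutil -K -d <db> -f <pwdfile>` output.

    Key lines look like:  < 0> rsa   01a6cb...   NSS Certificate DB:Server-Cert
    The part after the first ':' is the nickname the key is filed under.
    """
    keys = {}
    for line in output.splitlines():
        m = re.match(r"^<\s*\d+>\s+\S+\s+([0-9a-fA-F]+)\s+(.*?)\s*$", line)
        if m:
            label = m.group(2)
            nick = label.split(":", 1)[1] if ":" in label else label
            if nick:
                keys[nick] = m.group(1)
    return keys


def check_db_permissions(ls_output: str) -> list:
    """Rob's point: the *.db files should be root:apache and not group-writable."""
    findings = []
    pat = re.compile(r"^([-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                     r"\s+\S+\s+\S+\s+\S+\s+(\S+)")
    for line in ls_output.splitlines():
        m = pat.match(line)
        if not m or not m.group(4).endswith(".db"):
            continue
        mode, owner, group, name = m.groups()
        if (owner, group) != ("root", "apache"):
            findings.append(Finding("error", f"{name} is {owner}:{group}, expected root:apache"))
        if mode[5] == "w":
            findings.append(Finding("warn", f"{name} is group-writable ({mode}); drop group write"))
        if mode[7:] != "---":
            findings.append(Finding("error", f"{name} is accessible to others ({mode})"))
    return findings


def check_validity(cert_output: str, now: datetime) -> list:
    """Flo's last check: compare Not Before / Not After with the current time."""
    findings, bounds = [], {}
    for line in cert_output.splitlines():
        m = re.search(r"Not (Before|After)\s*:\s*(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})", line)
        if m:
            bounds[m.group(1)] = datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y")
    if "Before" in bounds and now < bounds["Before"]:
        findings.append(Finding("error", "certificate is not yet valid"))
    if "After" in bounds and now > bounds["After"]:
        findings.append(Finding("error", "certificate has expired"))
    return findings


def diagnose(nss_conf, certutil_l, certutil_k, ls_l, cert_detail, now) -> list:
    """Combine all checks; an empty list (or warnings only) means they all pass."""
    nick = nss_nickname(nss_conf)
    if nick is None:
        return [Finding("error", "nss.conf has no NSSNickname directive")]
    findings = []
    certs, keys = parse_certutil_list(certutil_l), parse_certutil_keys(certutil_k)
    if nick not in certs:
        findings.append(Finding("error", f"no certificate nicknamed '{nick}' in the NSS DB"))
    elif "u" not in certs[nick].split(",")[0]:
        findings.append(Finding("error", f"'{nick}' trust '{certs[nick]}' lacks the 'u' flag, "
                                         "so NSS does not pair it with a private key"))
    if nick not in keys:
        findings.append(Finding("error", f"no private key filed under '{nick}' (certutil -K)"))
    findings += check_db_permissions(ls_l)
    findings += check_validity(cert_detail, now)
    return findings


def is_healthy(findings) -> bool:
    return not any(f.severity == "error" for f in findings)


# Constructed sample input, modelled on the listings in the thread.
NSS_CONF = "NSSCertificateDatabase /etc/httpd/alias\nNSSNickname Server-Cert\n"
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
"""
CERTUTIL_K = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      01a6cbd773f3d785ffa44233148dcb8ade266ea5   NSS Certificate DB:Server-Cert
< 1> rsa      0000000000000000000000000000000000000001   NSS Certificate DB:ipaCert
"""
LS_L = """\
-rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
-rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
-rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
-rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
"""
CERT_DETAIL = "    Validity:\n        Not Before: Fri Sep 04 10:00:00 2015\n        Not After : Sun Sep 03 10:00:00 2017\n"
NOW = datetime(2016, 11, 17, 15, 5, 11)

if __name__ == "__main__":
    for f in diagnose(NSS_CONF, CERTUTIL_L, CERTUTIL_K, LS_L, CERT_DETAIL, NOW):
        print(f"{f.severity}: {f.message}")
```

On the thread's own data the script returns only the three group-write warnings, which mirrors what happened on the list: every check passed, and the real cause turned out to be the mod_nss package version rather than the database. That is the useful property of such a checker: when it comes back clean, the NSS DB can be ruled out and attention moves to the module, as it did here.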
