[Freeipa-users] My IPA installation doesn't work after upgrade
Morgan Marodin
morgan at marodin.it
Fri Nov 18 09:04:54 UTC 2016
Hi Florence.
I've tried to configure the wrong certificate in nss.conf (*ipaCert*), and
with this Apache started.
So I think the problem is in the *Server-Cert* stored in */etc/httpd/alias*,
even if all manul checks are ok.
These are logs with the wrong certificate test:
*# tail -f /var/log/httpd/error_log*
*[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)[Fri Nov 18
09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is
deprecated. Ignoring.[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> -> ipaCert[Fri Nov 18 09:34:32.844487
2016] [:info] [pid 7709] Configuring server for SSL protocol[Fri Nov 18
09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770):
NSSProtocol: Enabling TLSv1.0[Fri Nov 18 09:34:32.844657 2016] [:debug]
[pid 7709] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1[Fri Nov
18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780):
NSSProtocol: Enabling TLSv1.2[Fri Nov 18 09:34:32.844677 2016] [:debug]
[pid 7709] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)[Fri
Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866):
NSSProtocol: [TLS 1.2] (maximum)[Fri Nov 18 09:34:32.844738 2016] [:debug]
[pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets[Fri Nov 18
09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling
DHE key exchange[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Fri
Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5...[Fri Nov 18 09:34:32.845105 2016] [:debug]
[pid 7709] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Fri Nov 18 09:34:32.845110 2016] [:info] [pid
7709] Using nickname ipaCert.[Fri Nov 18 09:34:32.847451 2016] [:error]
[pid 7709] Misconfiguration of certificate's CN and virtual name. The
certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> as virtual name.[Fri Nov 18
09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating
secret for digest authentication ...[Fri Nov 18 09:34:33.030039 2016]
[lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from
mod_heartmonitor[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
NSSSessionCacheTimeout is deprecated. Ignoring.[Fri Nov 18 09:34:33.030176
2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI:
mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com> ->
ipaCert[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured --
resuming normal operations[Fri Nov 18 09:34:33.051551 2016] [core:notice]
[pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'[Fri Nov
18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838):
AH00924: worker ajp://localhost shared already initialized[Fri Nov 18
09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926:
worker ajp://localhost local already initialized...[Fri Nov 18
09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924:
worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/
<http://localhost/keys/> shared already initialized[Fri Nov 18
09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926:
worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/
<http://localhost/keys/> local already initialized[Fri Nov 18
09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL
protocol[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0[Fri Nov 18
09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775):
NSSProtocol: Enabling TLSv1.1[Fri Nov 18 09:34:33.342885 2016] [:debug]
[pid 7717] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2[Fri Nov
18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839):
NSSProtocol: [TLS 1.0] (minimum)[Fri Nov 18 09:34:33.342894 2016] [:debug]
[pid 7717] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)[Fri
Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906):
Disabling TLS Session Tickets[Fri Nov 18 09:34:33.342904 2016] [:debug]
[pid 7717] nss_engine_init.c(916): Enabling DHE key exchange[Fri Nov 18
09:34:33.342917 2016] [:debug] [pid 7717] nss_engine_init.c(1077):
NSSCipherSuite: Configuring permitted SSL ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Fri
Nov 18 09:34:33.342970 2016] [:debug] [pid 7717] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5...[Fri Nov 18 09:34:33.343233 2016] [:debug]
[pid 7717] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Fri Nov 18 09:34:33.343237 2016] [:info] [pid
7717] Using nickname ipaCert.[Fri Nov 18 09:34:33.344533 2016] [:error]
[pid 7717] Misconfiguration of certificate's CN and virtual name. The
certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> as virtual name.[Fri Nov 18
09:34:33.364061 2016] [:info] [pid 7718] Configuring server for SSL
protocol[Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0[Fri Nov 18
09:34:33.364167 2016] [:debug] [pid 7718] nss_engine_init.c(775):
NSSProtocol: Enabling TLSv1.1[Fri Nov 18 09:34:33.364172 2016] [:debug]
[pid 7718] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2[Fri Nov
18 09:34:33.364176 2016] [:debug] [pid 7718] nss_engine_init.c(839):
NSSProtocol: [TLS 1.0] (minimum)[Fri Nov 18 09:34:33.364180 2016] [:debug]
[pid 7718] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)[Fri
Nov 18 09:34:33.364187 2016] [:debug] [pid 7718] nss_engine_init.c(906):
Disabling TLS Session Tickets[Fri Nov 18 09:34:33.364191 2016] [:debug]
[pid 7718] nss_engine_init.c(916): Enabling DHE key exchange[Fri Nov 18
09:34:33.364202 2016] [:debug] [pid 7718] nss_engine_init.c(1077):
NSSCipherSuite: Configuring permitted SSL ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Fri
Nov 18 09:34:33.364240 2016] [:debug] [pid 7718] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5...[Fri Nov 18 09:34:33.364611 2016] [:debug]
[pid 7718] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Fri Nov 18 09:34:33.364625 2016] [:info] [pid
7718] Using nickname ipaCert.[Fri Nov 18 09:34:33.365549 2016] [:error]
[pid 7718] Misconfiguration of certificate's CN and virtual name. The
certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> as virtual name.[Fri Nov 18
09:34:33.369972 2016] [:info] [pid 7720] Configuring server for SSL
protocol[Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720]
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0[Fri Nov 18
09:34:33.370224 2016] [:debug] [pid 7720] nss_engine_init.c(775):
NSSProtocol: Enabling TLSv1.1[Fri Nov 18 09:34:33.370239 2016] [:debug]
[pid 7720] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2[Fri Nov
18 09:34:33.370255 2016] [:debug] [pid 7720] nss_engine_init.c(839):
NSSProtocol: [TLS 1.0] (minimum)[Fri Nov 18 09:34:33.370269 2016] [:debug]
[pid 7720] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)[Fri
Nov 18 09:34:33.370286 2016] [:debug] [pid 7720] nss_engine_init.c(906):
Disabling TLS Session Tickets[Fri Nov 18 09:34:33.370301 2016] [:debug]
[pid 7720] nss_engine_init.c(916): Enabling DHE key exchange[Fri Nov 18
09:34:33.370322 2016] [:debug] [pid 7720] nss_engine_init.c(1077):
NSSCipherSuite: Configuring permitted SSL ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Fri
Nov 18 09:34:33.370383 2016] [:debug] [pid 7720] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5...[Fri Nov 18 09:34:33.371418 2016] [:debug]
[pid 7720] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Fri Nov 18 09:34:33.371437 2016] [:info] [pid
7720] Using nickname ipaCert.[Fri Nov 18 09:34:33.371486 2016] [:info] [pid
7716] Configuring server for SSL protocol[Fri Nov 18 09:34:33.372383 2016]
[:debug] [pid 7716] nss_engine_init.c(770): NSSProtocol: Enabling
TLSv1.0[Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716]
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1[Fri Nov 18
09:34:33.372459 2016] [:debug] [pid 7716] nss_engine_init.c(780):
NSSProtocol: Enabling TLSv1.2[Fri Nov 18 09:34:33.372484 2016] [:debug]
[pid 7716] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)[Fri
Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866):
NSSProtocol: [TLS 1.2] (maximum)[Fri Nov 18 09:34:33.372534 2016] [:debug]
[pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets[Fri Nov 18
09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling
DHE key exchange[Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716]
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Fri
Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5...[Fri Nov 18 09:34:33.373712 2016] [:debug]
[pid 7716] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Fri Nov 18 09:34:33.373734 2016] [:info] [pid
7716] Using nickname ipaCert.[Fri Nov 18 09:34:33.374652 2016] [:error]
[pid 7716] Misconfiguration of certificate's CN and virtual name. The
certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> as virtual name.[Fri Nov 18
09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's
CN and virtual name. The certificate CN has IPA RA. We expected
mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com> as virtual
name.[Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring
server for SSL protocol[Fri Nov 18 09:34:33.412791 2016] [:debug] [pid
7719] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0[Fri Nov 18
09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775):
NSSProtocol: Enabling TLSv1.1[Fri Nov 18 09:34:33.412807 2016] [:debug]
[pid 7719] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2[Fri Nov
18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839):
NSSProtocol: [TLS 1.0] (minimum)[Fri Nov 18 09:34:33.412817 2016] [:debug]
[pid 7719] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)[Fri
Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906):
Disabling TLS Session Tickets[Fri Nov 18 09:34:33.412828 2016] [:debug]
[pid 7719] nss_engine_init.c(916): Enabling DHE key exchange[Fri Nov 18
09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077):
NSSCipherSuite: Configuring permitted SSL ciphers
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha][Fri
Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140):
Disable cipher: rsa_null_md5...[Fri Nov 18 09:34:33.413159 2016] [:debug]
[pid 7719] nss_engine_init.c(1140): Enable cipher:
ecdhe_rsa_aes_128_gcm_sha_256[Fri Nov 18 09:34:33.413164 2016] [:info] [pid
7719] Using nickname ipaCert.[Fri Nov 18 09:34:33.414462 2016] [:error]
[pid 7719] Misconfiguration of certificate's CN and virtual name. The
certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com> as virtual name.[Fri Nov 18
09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached
servers not running[Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714]
ipa: WARNING: session memcached servers not running[Fri Nov 18
09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START
***[Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: ***
PROCESS START ***[Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717]
Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com>, client 192.168.0.239)[Fri Nov 18
09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.[Fri
Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285
Unable to find the certificate or key necessary for authentication[Fri Nov
18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed
(server mlv-ipa01.ipa.mydomain.com:443
<http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.239)[Fri Nov 18
09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught
SIGWINCH, shutting down gracefully*
Is possible to delete *Server-Cert* from */etc/httpd/alias* and reimport it
from the original certificates of *mlv-ipa01.ipa.mydomain.com
<http://mlv-ipa01.ipa.mydomain.com>*?
Where are stored the original certificates?
Please let me know, thanks.
Bye, Morgan
2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>
>> Hi Rob.
>>
>> I've just tried to remove the group write to the *.db files, but it's
>> not the problem.
>> /[root at mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> NSSNickname Server-Cert/
>>
>> I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
>> works, services went up.
>> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>> /winbind.service/, /kadmin.service/, /memcached.service/ and
>> /pki-tomcatd.target/.
>>
>> But if I try to start /httpd.service/:
>> /[root at mlv-ipa01 ~]# tail -f /var/log/messages
>> Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
>> Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC
>> proxy enabled
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process
>> exited, code=exited, status=1/FAILURE
>> Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process
>> exited, code=exited status=1
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP
>> Server.
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed
>> state.
>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./
>>
>> Any other ideas?
>>
> Hi,
>
> - Does the NSS Db contain the private key for Server-Cert? If yes, the
> command
> $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> should display a line like this one:
> < 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate
> DB:Server-Cert
>
> - Is your system running with SElinux enforcing? If yes, you can check if
> there were SElinux permission denials using
> $ ausearch -m avc --start recent
>
> - If the certificate was expired, I believe you would see a different
> message, but it doesn't hurt to check its validity
> $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not
> After"
>
>
> Flo.
>
>>
>> Please let me know, thanks.
>> Morgan
>>
>> 2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>>:
>>
>>
>> Morgan Marodin wrote:
>> > Hi Florence.
>> >
>> > Thanks for your support.
>> >
>> > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
>> > permissions and certificates are good:
>> > /[root at mlv-ipa01 ~]# ls -l /etc/httpd/alias/
>> > total 184
>> > -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc
>> > -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db
>> > -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig
>> > -rw-------. 1 root root 4833 Sep 4 2015 install.log
>> > -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db
>> > -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig
>> > lrwxrwxrwx 1 root root 24 Nov 17 10:24 libnssckbi.so ->
>> > /usr/lib64/libnssckbi.so
>> > -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt
>> > -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db
>> > -rw-r-----. 1 root apache 16384 Sep 4 2015 secmod.db.orig/
>>
>> Eventually you'll want to remove group write on the *.db files.
>>
>> > And password validations seems ok, too:
>> > /[root at mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
>> > /etc/httpd/alias/pwdfile.txt
>> good
>>
>> > Enabling mod-nss debug I can see these logs:
>> > /[root at mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
>> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660]
>> AH01232:
>> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
>> > NSSSessionCacheTimeout is deprecated. Ignoring.
>> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com <
>> http://mlv-ipa01.ipa.mydomain.com>
>> > <http://mlv-ipa01.ipa.mydomain.com
>>
>> <http://mlv-ipa01.ipa.mydomain.com>> -> Server-Cert
>> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring
>> server
>> > for SSL protocol
>> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(906): Disabling TLS Session Tickets
>> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(916): Enabling DHE key exchange
>> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
>> > nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>> > ciphers
>> > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_
>> sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_
>> sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_
>> sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+
>> rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
>> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
>> > Server-Cert.
>> [snip]
>> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate
>> not
>> > found: 'Server-Cert'
>>
>> Can you shows what this returns:
>>
>> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>
>> > Do you think there is a kerberos problem?
>>
>> It definitely is not.
>>
>> You can bring the system up in a minimal way by manually starting the
>> dirsrv at EXAMPLE.COM <mailto:dirsrv at EXAMPLE.COM> service and then
>> krb5kdc. This will at least let your
>> users authenticate. The management framework (GUI) runs through Apache
>> so that will be down until we can get Apache started again.
>>
>> rob
>>
>> >
>> > Please let me know, thanks.
>> > Bye, Morgan
>> >
>> > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com
>> <mailto:flo at redhat.com>
>> > <mailto:flo at redhat.com <mailto:flo at redhat.com>>>:
>>
>> >
>> > On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>> >
>> > Hello.
>> >
>> > This morning I've tried to upgrade my IPA server, but the
>> upgrade
>> > failed, and now the service doesn't start! :(
>> >
>> > If I try lo launch the upgrade manually this is the output:
>> > /[root at mlv-ipa01 download]# ipa-server-upgrade
>> >
>> > Upgrading IPA:
>> > [1/8]: saving configuration
>> > [2/8]: disabling listeners
>> > [3/8]: enabling DS global lock
>> > [4/8]: starting directory server
>> > [5/8]: updating schema
>> > [6/8]: upgrading server
>> > [7/8]: stopping directory server
>> > [8/8]: restoring configuration
>> > Done.
>> > Update complete
>> > Upgrading IPA services
>> > Upgrading the configuration of the IPA services
>> > [Verifying that root certificate is published]
>> > [Migrate CRL publish directory]
>> > CRL tree already moved
>> > [Verifying that CA proxy configuration is correct]
>> > [Verifying that KDC configuration is using ipa-kdb backend]
>> > [Fix DS schema file syntax]
>> > Syntax already fixed
>> > [Removing RA cert from DS NSS database]
>> > RA cert already removed
>> > [Enable sidgen and extdom plugins by default]
>> > [Updating HTTPD service IPA configuration]
>> > [Updating mod_nss protocol versions]
>> > Protocol versions already updated
>> > [Updating mod_nss cipher suite]
>> > [Fixing trust flags in /etc/httpd/alias]
>> > Trust flags already processed
>> > [Exporting KRA agent PEM file]
>> > KRA is not enabled
>> > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log
>> and run
>> > command ipa-server-upgrade manually.
>> > Unexpected error - see /var/log/ipaupgrade.log for details:
>> > CalledProcessError: Command '/bin/systemctl start
>> httpd.service'
>> > returned non-zero exit status 1
>> > The ipa-server-upgrade command failed. See
>> > /var/log/ipaupgrade.log for
>> > more information/
>> >
>> > These are error logs of Apache:
>> > /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid
>> 5664]
>> > AH01232:
>> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> > [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
>> > NSSSessionCacheTimeout is deprecated. Ignoring.
>> > [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664]
>> > Certificate not
>> > found: 'Server-Cert'/
>> >
>> > The problem seems to be the /Server-Cert /that could not
>> be found.
>> > But if I try to execute the certutil command manually I
>> can see it:/
>> > [root at mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>> > Certificate Nickname
>> Trust
>> > Attributes
>> >
>> > SSL,S/MIME,JAR/XPI
>> > Signing-Cert
>> u,u,u
>> > ipaCert
>> u,u,u
>> > Server-Cert
>> Pu,u,u
>> > IPA.MYDOMAIN.COM <http://IPA.MYDOMAIN.COM>
>> <http://IPA.MYDOMAIN.COM>
>> > <http://IPA.MYDOMAIN.COM> IPA
>> > CA CT,C,C/
>> >
>> > Could you help me?
>> > What could I try to do to restart my service?
>> >
>> > Hi,
>> >
>> > I would first make sure that httpd is using /etc/httpd/alias
>> as NSS
>> > DB (check the directive NSSCertificateDatabase in
>> > /etc/httpd/conf.d/nss.conf).
>> > Then it may be a file permission issue: the NSS DB should
>> belong to
>> > root:apache (the relevant files are cert8.db, key3.db and
>> secmod.db).
>> > You should also find a pwdfile.txt in the same directory,
>> containing
>> > the NSS DB password. Check that the password is valid using
>> > certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>> > (if the command succeeds then the password in pwdfile is OK).
>> >
>> > You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
>> > setting "LogLevel debug", and check the output in
>> > /var/log/httpd/error_log.
>> >
>> > HTH,
>> > Flo.
>> >
>> > Thanks, Morgan
>> >
>> >
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>> > <https://www.redhat.com/mailman/listinfo/freeipa-users
>> <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>> > Go to http://freeipa.org for more info on the project
>> >
>> >
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161118/7a4c9cf0/attachment.htm>
More information about the Freeipa-users
mailing list