[Freeipa-devel] [PATCH 0441] Configure httpd service from installer

Rob Crittenden rcritten at redhat.com
Thu Mar 24 13:55:25 UTC 2016


Jan Cholasta wrote:
> On 18.3.2016 15:12, Martin Babinsky wrote:
>> On 03/17/2016 05:36 PM, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5681
>>>
>>> Patch attached.
>>>
>>>
>> Hi Martin,
>>
>> Nitpick attack:
>>
>> Please fix the commit message: "File httpd.service was created by RPM,
>> what causes that httpd service may", should be "..., which causes"
>>
>> Otherwise the code looks good and works as expected.
>>
>> However, you still cannot start httpd.service after ipa-server
>> uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss
>> to fail (see http error_log):
>>
>> """
>> [Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot
>> internal is incorrect.
>> [Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization
>> failed. Certificate database: /etc/httpd/alias.
>> [Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error:
>> -8177 The security password entered is incorrect
>>
>> """
>>
>> I guess that this is beyond this patch, since I think it is related to
>> https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing
>> Jan who owns the ticket.
>
> It seems so, on uninstall we restore mod_nss config, so httpd uses the
> default password (whatever that is), but the database still uses the
> password set by us on install.
>

The default password is blank, so no auth is required.

IIRC the reason we didn't move NSS databases around between installs is 
the case where there is already a private key that needs to be maintained.

rob
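The failure discussed in this thread leaves a recognizable signature in the httpd error_log. The following is an added example, not part of the thread or of FreeIPA's code: it scans a log for httpd processes whose mod_nss initialization failed with the bad-password error. The function name and the sample text (the quoted excerpt with its wrapped lines joined) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the error_log excerpt quoted in the thread, with the
# e-mail's line wrapping undone so each entry is on one line.
SAMPLE_LOG = """\
[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error: -8177 The security password entered is incorrect
"""

# [timestamp] [module:level] [pid N] message
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
NSS_INIT = re.compile(r"NSS initialization failed\. Certificate database: (?P<db>\S+?)\.?$")
NSS_ERR = re.compile(r"SSL Library Error: (?P<code>-\d+)\b")
BAD_PASSWORD = -8177  # NSS error code shown in the quoted log


def find_nss_password_mismatch(log_text):
    """Return one finding per httpd pid whose NSS init failed on a wrong DB password."""
    by_pid = defaultdict(dict)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or m["level"] != "error":
            continue  # unparsable lines and non-error entries are ignored
        state, msg = by_pid[m["pid"]], m["msg"]
        if (init := NSS_INIT.search(msg)):
            state["db"], state["time"] = init["db"], m["ts"]
        elif (err := NSS_ERR.search(msg)):
            state["code"] = int(err["code"])
        elif msg.startswith("Password for slot"):
            state["slot_rejected"] = True
    # Report only when the init failure is paired with a password error.
    return [
        {"pid": int(pid), "db": s["db"], "code": s.get("code"), "time": s["time"]}
        for pid, s in by_pid.items()
        if "db" in s and (s.get("slot_rejected") or s.get("code") == BAD_PASSWORD)
    ]


if __name__ == "__main__":
    for finding in find_nss_password_mismatch(SAMPLE_LOG):
        print(finding)
```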



