<div dir="ltr"><div><div><div>It works!<br></div>Thanks for your support.<br><br></div>Anyway, I will try to update the mod_nss package again! :D<br></div>Bye!<br><div><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-18 15:21 GMT+01:00 Morgan Marodin <span dir="ltr"><<a href="mailto:morgan@marodin.it" target="_blank">morgan@marodin.it</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>A little good news.<br><br></div>After downgrading the <i>mod_nss</i> RPM package and restoring the original <i>/etc/httpd/alias</i> folder, the <i>ipa-server-upgrade</i> procedure finished well:<br><i># ipa-server-upgrade<br>Upgrading IPA:<br> [1/10]: stopping directory server<br> [2/10]: saving configuration<br> [3/10]: disabling listeners<br> [4/10]: enabling DS global lock<br> [5/10]: starting directory server<br> [6/10]: updating schema<br> [7/10]: upgrading server<br> [8/10]: stopping directory server<br> [9/10]: restoring configuration<br> [10/10]: starting directory server<span class=""><br>Done.<br>Update complete<br>Upgrading IPA services<br>Upgrading the configuration of the IPA services<br>[Verifying that root certificate is published]<br>[Migrate CRL publish directory]<br>CRL tree already moved<br>[Verifying that CA proxy configuration is correct]<br>[Verifying that KDC configuration is using ipa-kdb backend]<br>[Fix DS schema file syntax]<br>Syntax already fixed<br>[Removing RA cert from DS NSS database]<br>RA cert already removed<br>[Enable sidgen and extdom plugins by default]<br>[Updating HTTPD service IPA configuration]<br>[Updating mod_nss protocol versions]<br>Protocol versions already updated<br>[Updating mod_nss cipher suite]<br>[Fixing trust flags in /etc/httpd/alias]<br>Trust flags already processed<br>[Exporting KRA agent PEM file]<br>KRA is not enabled<br></span>[Removing self-signed CA]<br>[Removing Dogtag 9 CA]<br>[Checking for 
deprecated KDC configuration files]<br>[Checking for deprecated backups of Samba configuration files]<br>[Setting up Firefox extension]<br>[Add missing CA DNS records]<br>IPA CA DNS records already processed<br>[Removing deprecated DNS configuration options]<br>[Ensuring minimal number of connections]<br>[Enabling serial autoincrement in DNS]<br>[Updating GSSAPI configuration in DNS]<br>[Updating pid-file configuration in DNS]<br>[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]<br>Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones<br>[Adding server_id to named.conf]<br>Changes to named.conf have been made, restart named<br>Custodia service is being configured<br>Configuring ipa-custodia<br> [1/5]: Generating ipa-custodia config file<br> [2/5]: Making sure custodia container exists<br> [3/5]: Generating ipa-custodia keys<br> [4/5]: starting ipa-custodia<br> [5/5]: configuring ipa-custodia to start on boot<br>Done configuring ipa-custodia.<br>[Upgrading CA schema]<br>CA schema update complete<br>[Verifying that CA audit signing cert has 2 year validity]<br>[Update certmonger certificate renewal configuration to version 5]<br>Configuring certmonger to stop tracking system certificates for CA<br>Certmonger certificate renewal configuration updated to version 5<br>[Enable PKIX certificate path discovery and validation]<br>PKIX already enabled<br>[Authorizing RA Agent to modify profiles]<br>[Authorizing RA Agent to manage lightweight CAs]<br>[Ensuring Lightweight CAs container exists in Dogtag database]<br>[Adding default OCSP URI configuration]<br>pki-tomcat configuration changed, restart pki-tomcat<br>[Ensuring CA is using LDAPProfileSubsystem]<br>[Migrating certificate profiles to LDAP]<br>[Ensuring presence of included profiles]<br>[Add default CA ACL]<br>Default CA ACL already added<br>[Set up lightweight CA key retrieval]<br>Creating principal<br>Retrieving 
keytab<br>Creating Custodia keys<br>Configuring key retriever<br>The IPA services were upgraded<br>The ipa-server-upgrade command was successful</i><br><br>And Apache has started, BUT there is a problem with the web certificate:<br><i># tail -f /var/log/httpd/error_log<br>[Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server <a href="http://mlv-ipa01.ipa.mydomain.com:443" target="_blank">mlv-ipa01.ipa.mydomain.com:443</a>, client 192.168.0.252)<br>[Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.<br>[Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication<br>[Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server <a href="http://mlv-ipa01.ipa.mydomain.com:443" target="_blank">mlv-ipa01.ipa.mydomain.com:443</a>, client 192.168.0.252)</i><br><br></div><div>How do you suggest I go on with my issue?<br><br></div><div>Thanks, Morgan<br></div><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2016-11-18 12:11 GMT+01:00 Morgan Marodin <span dir="ltr"><<a href="mailto:morgan@marodin.it" target="_blank">morgan@marodin.it</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>I've tried to add it to a new test folder, with a new certificate nickname, and then to replace it in <i>nss.conf</i>.<br></div><br>But the problem persists:<br><i># certutil -V -u V -d /etc/httpd/test -n ipa01cert<br>certutil: certificate is valid</i><br><br></div><div><i># tail -f /var/log/httpd/error_log<br></i></div><div><i>[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>[Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. 
Ignoring.<br>[Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: <a href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> ipa01cert<br>[Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.<br>[Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol<br>...<br>[Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.<br>[Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'</i><br><br></div>I've found this guide:<i><br>Combine the server cert and key into a single file<br># cat localhost.crt > Server-Cert.txt<br># cat localhost.key >> Server-Cert.txt<br>Convert the server cert into a p12 file<br># openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"<br>Now import the public and private keys into the database at the same time.<br># pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert</i><br><br></div>Where is the certificate key file stored?<br><br></div>Thanks, Morgan<div><div class="m_-995450577174437565h5"><br><div><div><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span>:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span class="m_-995450577174437565m_-6759779768427163517gmail-">On 11/18/2016 10:04 AM, Morgan Marodin wrote:<br>
</span><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
Hi Florence.<br>
<br>
I've tried to configure the wrong certificate in nss.conf (/ipaCert/),<span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
and with this Apache started.<br></span>
So I think the problem is in the /Server-Cert/ stored in<br>
//etc/httpd/alias/, even if all manual checks are ok.<span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
<br>
These are logs with the wrong certificate test:<br></span>
/# tail -f /var/log/httpd/error_log/<br>
/[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:<span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
[Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]<br>
NSSSessionCacheTimeout is deprecated. Ignoring.<br>
[Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(454): SNI: <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> ipaCert</span><div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
[Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server<br>
for SSL protocol<br>
[Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
[Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
[Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
[Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
[Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
[Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(906): Disabling TLS Session Tickets<br>
[Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(916): Enabling DHE key exchange<br>
[Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL<br>
ciphers<br>
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
[Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
...<br>
[Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256<br>
[Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.<br>
[Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration<br>
of certificate's CN and virtual name. The certificate CN has IPA RA. We<br></div></div>
expected <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a><span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
as virtual name.<br>
[Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]<br>
AH01757: generating secret for digest authentication ...<br>
[Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709]<br>
AH02282: No slotmem from mod_heartmonitor<br>
[Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]<br>
NSSSessionCacheTimeout is deprecated. Ignoring.<br>
[Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]<br>
nss_engine_init.c(454): SNI: <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> ipaCert</span><div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
[Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]<br>
AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4<br>
mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured<br>
-- resuming normal operations<br>
[Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:<br>
Command line: '/usr/sbin/httpd -D FOREGROUND'<br>
[Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]<br>
proxy_util.c(1838): AH00924: worker ajp://localhost shared already<br>
initialized<br>
[Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]<br>
proxy_util.c(1880): AH00926: worker ajp://localhost local already<br>
initialized<br>
...<br>
[Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]<br>
proxy_util.c(1838): AH00924: worker<br>
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already<br>
initialized<br>
[Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]<br>
proxy_util.c(1880): AH00926: worker<br>
unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already<br>
initialized<br>
[Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server<br>
for SSL protocol<br>
[Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
[Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
[Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
[Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
[Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
[Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(906): Disabling TLS Session Tickets<br>
[Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(916): Enabling DHE key exchange<br>
[Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL<br>
ciphers<br>
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
[Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
...<br>
[Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717]<br>
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256<br>
[Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.<br>
[Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration<br>
of certificate's CN and virtual name. The certificate CN has IPA RA. We<br></div></div>
expected <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a><div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
as virtual name.<br>
[Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server<br>
for SSL protocol<br>
[Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
[Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
[Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
[Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
[Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
[Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(906): Disabling TLS Session Tickets<br>
[Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(916): Enabling DHE key exchange<br>
[Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL<br>
ciphers<br>
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
[Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
...<br>
[Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718]<br>
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256<br>
[Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.<br>
[Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration<br>
of certificate's CN and virtual name. The certificate CN has IPA RA. We<br></div></div>
expected <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a><div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
as virtual name.<br>
[Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server<br>
for SSL protocol<br>
[Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
[Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
[Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
[Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
[Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
[Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(906): Disabling TLS Session Tickets<br>
[Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(916): Enabling DHE key exchange<br>
[Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL<br>
ciphers<br>
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
[Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
...<br>
[Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720]<br>
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256<br>
[Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.<br>
[Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server<br>
for SSL protocol<br>
[Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
[Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
[Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
[Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
[Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
[Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(906): Disabling TLS Session Tickets<br>
[Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(916): Enabling DHE key exchange<br>
[Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL<br>
ciphers<br>
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
[Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
...<br>
[Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716]<br>
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256<br>
[Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.<br>
[Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration<br>
of certificate's CN and virtual name. The certificate CN has IPA RA. We<br></div></div>
expected <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a><span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
as virtual name.<br>
[Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration<br>
of certificate's CN and virtual name. The certificate CN has IPA RA. We<br></span>
expected <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a><div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
as virtual name.<br>
[Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server<br>
for SSL protocol<br>
[Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
[Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
[Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
[Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
[Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
[Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(906): Disabling TLS Session Tickets<br>
[Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(916): Enabling DHE key exchange<br>
[Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL<br>
ciphers<br>
[+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
[Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
...<br>
[Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]<br>
nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256<br>
[Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.<br>
[Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration<br>
of certificate's CN and virtual name. The certificate CN has IPA RA. We<br></div></div>
expected <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a><span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
as virtual name.<br>
[Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING:<br>
session memcached servers not running<br>
[Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING:<br>
session memcached servers not running<br>
[Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: ***<br>
PROCESS START ***<br>
[Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: ***<br>
PROCESS START ***<br>
[Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child<br>
1 established (server <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a>, client 192.168.0.239)</span><span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
[Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter<br>
read failed.<br>
[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error:<br>
-12285 Unable to find the certificate or key necessary for authentication<br>
[Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child<br>
1 closed (server <a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com:443" target="_blank">mlv-ipa01.ipa.mydomain.com:443</a>, client 192.168.0.239)</span><span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
[Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709]<br></span>
AH00170: caught SIGWINCH, shutting down gracefully/<br>
<br>
Is it possible to delete /Server-Cert/ from //etc/httpd/alias/ and reimport<br>
it from the original certificates of /<a rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com" target="_blank">mlv-ipa01.ipa.mydomain.com</a>/?<span class="m_-995450577174437565m_-6759779768427163517gmail-"><br>
Where are stored the original certificates?<br>
<br>
</span></blockquote>
Hi Morgan,<br>
<br>
with ldapsearch you should be able to find the certificate:<br>
ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN<br>
<br>
The cert will be stored in the field "usercertificate".<br>
<br>
HTH,<br>
Flo.<br>
<br>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span class="m_-995450577174437565m_-6759779768427163517gmail-">
Please let me know, thanks.<br></span><span class="m_-995450577174437565m_-6759779768427163517gmail-">
Bye, Morgan<br>
<br>
2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>:<br></span><div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
<br>
On 11/17/2016 04:51 PM, Morgan Marodin wrote:<br>
<br>
Hi Rob.<br>
<br>
I've just tried to remove the group write from the *.db files, but<br>
it's not the problem.<br>
[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf<br>
NSSNickname Server-Cert<br>
<br>
I've tried to run dirsrv.target and krb5kdc.service manually, and it<br>
works; the services came up.<br>
The same for ntpd, named-pkcs11.service, smb.service,<br>
winbind.service, kadmin.service, memcached.service and<br>
pki-tomcatd.target.<br>
<br>
But if I try to start httpd.service:<br>
[root@mlv-ipa01 ~]# tail -f /var/log/messages<br>
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...<br>
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled<br>
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE<br>
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""<br>
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1<br>
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.<br>
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.<br>
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.<br>
<br>
Any other ideas?<br>
<br>
Hi,<br>
<br>
- Does the NSS DB contain the private key for Server-Cert? If yes,<br>
the command<br>
$ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
should display a line like this one:<br>
< 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate DB:Server-Cert<br>
<br>
- Is your system running with SELinux enforcing? If yes, you can<br>
check if there were SELinux permission denials using<br>
$ ausearch -m avc --start recent<br>
<br>
- If the certificate was expired, I believe you would see a<br>
different message, but it doesn't hurt to check its validity:<br>
$ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"<br>
<br>
<br>
Flo.<br>
<br>
<br>
Please let me know, thanks.<br>
Morgan<br>
<br>
2016-11-17 16:11 GMT+01:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>:<br></div></div>
<div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
<br>
<br>
Morgan Marodin wrote:<br>
> Hi Florence.<br>
><br>
> Thanks for your support.<br>
><br>
> Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems<br>
> that all permissions and certificates are good:<br>
> [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/<br>
> total 184<br>
> -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc<br>
> -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db<br>
> -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig<br>
> -rw-------. 1 root root 4833 Sep 4 2015 install.log<br>
> -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db<br>
> -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig<br>
> lrwxrwxrwx 1 root root 24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so<br>
> -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt<br>
> -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db<br>
> -rw-r-----. 1 root apache 16384 Sep 4 2015 secmod.db.orig<br>
<br>
Eventually you'll want to remove group write on the *.db files.<br>
<br>
> And password validation seems ok, too:<br>
> [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
good<br>
<br>
> Enabling mod-nss debug I can see these logs:<br>
> [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log<br>
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert<br>
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol<br>
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange<br>
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers<br>
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
> [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]<br>
> [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.<br>
[snip]<br>
> [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'<br>
<br>
Can you shows what this returns:<br>
<br>
# grep NSSNickname /etc/httpd/conf.d/nss.conf<br>
<br>
> Do you think there is a kerberos problem?<br>
<br>
It definitely is not.<br>
<br>
You can bring the system up in a minimal way by manually<br>
starting the dirsrv@EXAMPLE.COM service<br></div></div>
<div><div class="m_-995450577174437565m_-6759779768427163517gmail-h5"><br>
and then krb5kdc. This will at least let your users authenticate.<br>
The management framework (GUI) runs through Apache<br>
so that will be down until we can get Apache started again.<br>
<br>
rob<br>
<br>
><br>
> Please let me know, thanks.<br>
> Bye, Morgan<br>
><br>
> 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>:<br>
<br>
><br>
> On 11/17/2016 12:09 PM, Morgan Marodin wrote:<br>
><br>
> Hello.<br>
><br>
> This morning I've tried to upgrade my IPA server, but the upgrade<br>
> failed, and now the service doesn't start! :(<br>
><br>
> If I try to launch the upgrade manually this is the output:<br>
> [root@mlv-ipa01 download]# ipa-server-upgrade<br>
><br>
> Upgrading IPA:<br>
> [1/8]: saving configuration<br>
> [2/8]: disabling listeners<br>
> [3/8]: enabling DS global lock<br>
> [4/8]: starting directory server<br>
> [5/8]: updating schema<br>
> [6/8]: upgrading server<br>
> [7/8]: stopping directory server<br>
> [8/8]: restoring configuration<br>
> Done.<br>
> Update complete<br>
> Upgrading IPA services<br>
> Upgrading the configuration of the IPA services<br>
> [Verifying that root certificate is published]<br>
> [Migrate CRL publish directory]<br>
> CRL tree already moved<br>
> [Verifying that CA proxy configuration is correct]<br>
> [Verifying that KDC configuration is using ipa-kdb backend]<br>
> [Fix DS schema file syntax]<br>
> Syntax already fixed<br>
> [Removing RA cert from DS NSS database]<br>
> RA cert already removed<br>
> [Enable sidgen and extdom plugins by default]<br>
> [Updating HTTPD service IPA configuration]<br>
> [Updating mod_nss protocol versions]<br>
> Protocol versions already updated<br>
> [Updating mod_nss cipher suite]<br>
> [Fixing trust flags in /etc/httpd/alias]<br>
> Trust flags already processed<br>
> [Exporting KRA agent PEM file]<br>
> KRA is not enabled<br>
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run<br>
> command ipa-server-upgrade manually.<br>
> Unexpected error - see /var/log/ipaupgrade.log for details:<br>
> CalledProcessError: Command '/bin/systemctl start httpd.service'<br>
> returned non-zero exit status 1<br>
> The ipa-server-upgrade command failed. See<br>
> /var/log/ipaupgrade.log for more information<br>
><br>
> These are error logs of Apache:<br>
> [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'<br>
><br>
> The problem seems to be the Server-Cert that could not be found.<br>
> But if I try to execute the certutil command manually I can see it:<br>
> [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/<br>
> Certificate Nickname                      Trust Attributes<br>
>                                           SSL,S/MIME,JAR/XPI<br>
><br>
> Signing-Cert                              u,u,u<br>
> ipaCert                                   u,u,u<br>
> Server-Cert                               Pu,u,u<br>
> IPA.MYDOMAIN.COM IPA CA                   CT,C,C<br>
><br>
> Could you help me?<br>
> What could I try to do to restart my service?<br>
><br>
> Hi,<br>
><br>
> I would first make sure that httpd is using /etc/httpd/alias as NSS<br>
> DB (check the directive NSSCertificateDatabase in<br>
> /etc/httpd/conf.d/nss.conf).<br>
> Then it may be a file permission issue: the NSS DB should belong to<br>
> root:apache (the relevant files are cert8.db, key3.db and secmod.db).<br>
> You should also find a pwdfile.txt in the same directory, containing<br>
> the NSS DB password. Check that the password is valid using<br>
> certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
> (if the command succeeds then the password in pwdfile is OK).<br>
><br>
> You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by<br>
> setting "LogLevel debug", and check the output in<br>
> /var/log/httpd/error_log.<br>
><br>
> HTH,<br>
> Flo.<br>
><br>
> Thanks, Morgan<br>
><br>
><br>
><br>
> --<br>
> Manage your subscription for the Freeipa-users mailing list:<br>
> <a rel="noreferrer" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> Go to <a rel="noreferrer" href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br>
><br>
><br>
<br>
</div></div></blockquote>
</blockquote></div></div></div></div></div></div></div></div></div></div></div></blockquote></div></div></div></div></div>
</blockquote></div></div></div>