[Freeipa-users] IPA server having cert issues

Christian Heimes cheimes at redhat.com
Fri Apr 29 15:02:42 UTC 2016


On 2016-04-29 16:51, Bret Wortman wrote:
> It is contacting the correct machine. I tried again by IP with the same
> results.
> 
> /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
> 
> Web UI won't load. CLI won't respond either. Commands just hang.
> 
> # netstat -ln | grep 443
> tcp6           0     0 :::8443                 :::*                    LISTEN
> tcp6           2     0 :::443                  :::*                    LISTEN
> # netstat -ln | grep 8009
> tcp6           0     0 127.0.0.1:8009          :::*                    LISTEN
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
> * Hostname was NOT found in DNS cache
> *   Trying 192.168.208.53...
> * Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> (long hang at this point, so I ^C-ed)
> 
> # openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
> verify depth is 10
> CONNECTED(00000003)
> (long hang at this point, aborted again)
> 
> For the other (longer) logs, see http://pastebin.com/esBBKyGZ
> 
> Also, answering Christian's questions:
> 
> mod_ssl has not been installed.
> 
> # ss -tpln | grep 443
> LISTEN      0       100                :::8443               :::*    users:(("java",pid=26522,fd=84))
> LISTEN      13      128                :::443                :::*    users:(("httpd",pid=26323,fd=6))
> #

The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's
Tomcat instance.

The error log of Apache is more troublesome. It looks like your NSSDB is
busted:

[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)

Please run these commands to show us the content of your NSSDB.

# ls -laZ /etc/httpd/
# ls -laZ /etc/httpd/alias
# certutil -L -d /etc/httpd/alias


Christian
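As an added example (not part of Christian's or Bret's messages), a small POSIX shell triage script that flags the mod_nss failure pattern quoted above in an Apache error_log and lists which database files are missing from the NSSDB directory certutil would open. The sample log is constructed from the quoted lines; the expected filenames (cert8.db/key3.db/secmod.db, or cert9.db/key4.db/pkcs11.txt for the sql: format) are an assumption about the NSS layout, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Triage an Apache error_log for the
# mod_nss startup failure quoted above and sanity-check an NSSDB directory.
# Assumption: the NSSDB uses either the legacy dbm layout (cert8.db, key3.db,
# secmod.db) or the sql layout (cert9.db, key4.db, pkcs11.txt).

# Constructed sample log, built from the three lines quoted in the thread.
SAMPLE_LOG='[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)'

# nss_failure_count FILE: number of lines saying mod_nss could not open its
# certificate database (NSS_Initialize failed / SEC_ERROR_NOT_INITIALIZED).
nss_failure_count() {
    grep -c -E 'NSS_Initialize failed|SEC_ERROR_NOT_INITIALIZED' "$1"
}

# segfault_pids FILE: pids of httpd children that exited on SIGSEGV (11),
# which in the thread follows the NSS failure in the same worker.
segfault_pids() {
    sed -n 's/.*child pid \([0-9]*\) exit signal Segmentation fault (11).*/\1/p' "$1"
}

# nssdb_missing_files DIR: print the database files certutil needs that are
# absent from DIR; prints nothing when the directory looks complete.
nssdb_missing_files() {
    dir=$1
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then
        set -- cert9.db key4.db pkcs11.txt
    else
        set -- cert8.db key3.db secmod.db
    fi
    for f in "$@"; do
        [ -f "$dir/$f" ] || echo "$f"
    done
}

# Demonstration on the constructed log and a temporary, deliberately
# incomplete NSSDB directory (a real check would point at /etc/httpd/alias).
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$tmp/error_log"
mkdir "$tmp/alias"; : > "$tmp/alias/cert8.db"
echo "NSS init failures:    $(nss_failure_count "$tmp/error_log")"
echo "segfaulting children: $(segfault_pids "$tmp/error_log")"
echo "missing NSSDB files:  $(nssdb_missing_files "$tmp/alias" | tr '\n' ' ')"
rm -rf "$tmp"
```

Run it as root against the real paths to complement `certutil -L -d /etc/httpd/alias`; a non-empty missing-files list or a non-zero failure count with matching segfault pids reproduces the picture from the quoted error log.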
