[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Fri Apr 29 16:17:11 UTC 2016


I'll put the results inline here, since they're short.

[root at zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0       ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0      alias
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
lrwxrwxrwx  root root ?                                logs -> ../../var/log/httpd
lrwxrwxrwx  root root ?                                modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx  root root ?                                run -> /run/httpd
[root at zsipa log]# ls -laZ /etc/httpd/alias
drwxr-xr-x. root root   system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ? cacert.asc
-r--r--r--  root root   ? cacert.asc.orig
-rw-r-----  root root   ?                                cert8.db
-rw-rw----  root apache ? cert8.db.20160426
-rw-rw----  root apache ? cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0 install.log
-rw-r-----  root root   ?                                key3.db
-rw-rw----  root apache ? key3.db.20160426
-rw-rw----  root apache ? key3.db.orig
lrwxrwxrwx  root root   ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ? pwdfile.txt
-rw-rw----  root apache ? pwdfile.txt.orig
-rw-rw----  root apache ?                                secmod.db
-rw-rw----  root apache ? secmod.db.orig
[root at zsipa log]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
PRIVATE.NET IPA CA CT,C,C
PRIVATE.NET IPA CA CT,C,C
[root at zsipa log]#


On 04/29/2016 11:02 AM, Christian Heimes wrote:
> On 2016-04-29 16:51, Bret Wortman wrote:
>> It is contacting the correct machine. I tried again by IP with the same
>> results.
>>
>> /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
>>
>> Web UI won't load. CLI won't respond either. Commands just hang.
>>
>> # netstat -ln | grep 443
>> tcp6           0     0 :::8443                 :::*                     LISTEN
>> tcp6           2     0 :::443                  :::*                     LISTEN
>> # netstat -ln | grep 8009
>> tcp6           0     0 127.0.0.1:8009          :::*                     LISTEN
>> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
>> * Hostname was NOT found in DNS cache
>> *   Trying 192.168.208.53...
>> * Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>    CApath: none
>> (long hang at this point, so I ^C-ed)
>>
>> # openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
>> verify depth is 10
>> CONNECTED(00000003)
>> (long hang at this point, aborted again)
>>
>> For the other (longer) logs, see http://pastebin.com/esBBKyGZ
>>
>> Also, answering Christian's questions:
>>
>> mod_ssl has not been installed.
>>
>> # ss -tpln | grep 443
>> LISTEN      0       100                :::8443               :::*   users:(("java",pid=26522,fd=84))
>> LISTEN      13      128                :::443                :::*   users:(("httpd",pid=26323,fd=6))
>> #
> The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's
> Tomcat instance.
>
> The error log of Apache is more troublesome. It looks like your NSSDB is
> busted:
>
> [Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> [Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
> [Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)
>
> Please run these commands to show us the content of your NSSDB.
>
> # ls -laZ /etc/httpd/
> # ls -laZ /etc/httpd/alias
> # certutil -L -d /etc/httpd/alias
>
>
> Christian
>
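
The listing above shows cert8.db and key3.db owned root:root with mode 0640, and most of the database files carrying no SELinux label ("?"). As an added example that is not part of this thread, the POSIX shell check below parses a listing in the five-column `ls -laZ` format shown in the message and flags the NSS DB files that the apache user could not open or that do not carry the cert_t label; the sample listing is constructed from the one posted here, and the file list and thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample: NSS DB entries from the `ls -laZ /etc/httpd/alias`
# listing in this thread ('.'/'..' and symlink entries omitted).
SAMPLE_LISTING='-r--r--r--  root root   ? cacert.asc
-rw-r-----  root root   ? cert8.db
-rw-rw----  root apache ? cert8.db.20160426
-rw-------. root root   system_u:object_r:cert_t:s0 install.log
-rw-r-----  root root   ? key3.db
-rw-rw----  root apache ? pwdfile.txt
-rw-rw----  root apache ? secmod.db'
# Files mod_nss opens from the database directory when httpd runs as apache.
NSSDB_FILES="cert8.db key3.db secmod.db pwdfile.txt"
# Read a five-column `ls -laZ` listing (perms owner group context name) on
# stdin and print one finding per line for each NSS DB file that the apache
# user could not read, that has no SELinux label ('?'), or that is labeled
# with something other than cert_t.
check_nssdb_listing() {
    while read -r perms owner group ctx name; do
        [ -n "$name" ] || continue
        case " $NSSDB_FILES " in
            *" $name "*) ;;
            *) continue ;;          # backups, logs, symlinks: not checked
        esac
        # mode string: char 2 = user read, char 5 = group read, char 8 = other read
        usr_r=$(printf '%s' "$perms" | cut -c2)
        grp_r=$(printf '%s' "$perms" | cut -c5)
        oth_r=$(printf '%s' "$perms" | cut -c8)
        if { [ "$owner" = apache ] && [ "$usr_r" = r ]; } ||
           { [ "$group" = apache ] && [ "$grp_r" = r ]; } ||
           [ "$oth_r" = r ]; then
            :                       # apache can read it
        else
            echo "UNREADABLE $name ($perms $owner:$group)"
        fi
        case "$ctx" in
            *:cert_t:*) ;;
            '?')        echo "UNLABELED $name (no SELinux context)" ;;
            *)          echo "WRONG_LABEL $name ($ctx)" ;;
        esac
    done
}
# Number of findings for the constructed sample; on a live host the check is
#   ls -laZ /etc/httpd/alias | check_nssdb_listing
count_sample_findings() {
    printf '%s\n' "$SAMPLE_LISTING" | check_nssdb_listing | wc -l | tr -d ' '
}
printf '%s\n' "$SAMPLE_LISTING" | check_nssdb_listing
```

For the sample, cert8.db and key3.db are reported both unreadable by apache and unlabeled, while secmod.db and pwdfile.txt are readable but unlabeled.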
