[Freeipa-users] IPA server having cert issues
Bret Wortman
bret.wortman at damascusgrp.com
Fri Apr 29 16:41:48 UTC 2016
We run with selinux disabled.
# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful
#
On 04/29/2016 12:25 PM, Christian Heimes wrote:
> On 2016-04-29 18:17, Bret Wortman wrote:
>> I'll put the results inline here, since they're short.
>>
>> [root at zsipa log]# ls -laZ /etc/httpd/
>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>> lrwxrwxrwx root root ? logs -> ../../var/log/httpd
>> lrwxrwxrwx root root ? modules -> ../../usr/lib64/httpd/modules
>> lrwxrwxrwx root root ? run -> /run/httpd
>> [root at zsipa log]# ls -laZ /etc/httpd/alias
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>> -r--r--r-- root root ? cacert.asc
>> -r--r--r-- root root ? cacert.asc.orig
>> -rw-r----- root root ? cert8.db
>> -rw-rw---- root apache ? cert8.db.20160426
>> -rw-rw---- root apache ? cert8.db.orig
>> -rw-------. root root system_u:object_r:cert_t:s0 install.log
>> -rw-r----- root root ? key3.db
>> -rw-rw---- root apache ? key3.db.20160426
>> -rw-rw---- root apache ? key3.db.orig
>> lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>> -rw-rw---- root apache ? pwdfile.txt
>> -rw-rw---- root apache ? pwdfile.txt.orig
>> -rw-rw---- root apache ? secmod.db
>> -rw-rw---- root apache ? secmod.db.orig
> Some files don't have the correct SELinux context or are completely
> missing a context. SELinux prevents Apache from accessing these files.
> Did you replace some files or restore some from a backup? You should see
> a bunch of SELinux violations in your audit log.
>
> In order to restore the correct context, please run restorecon:
>
> # restorecon -R -v /etc/httpd/alias
>
> This should set correct contexts and allow you to start Apache HTTPD again.
>
> Christian
>
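The label check Christian describes, as an added example that is not part of the original thread: it reads an `ls -laZ` listing in the five-column format quoted above and reports entries with no SELinux context or with a type other than the expected one. The function names are hypothetical, and `cert_t` as the expected type is an assumption taken from the labelled entries in the listing.

```shell
#!/bin/sh
# Added example: flag entries in an `ls -laZ` listing whose SELinux label is
# missing ("?") or whose type differs from the expected one.
# Assumes the five-column format shown in the thread:
#   mode user group context name [-> target]

# check_labels EXPECTED_TYPE   (reads the listing on stdin)
# Prints "<name> <reason>" per problem entry; prints nothing when all match.
check_labels() {
    awk -v want="$1" '
        # Skip anything that is not a listing line (prompts, blank lines).
        NF < 5 || $1 !~ /^[-dlbcps][-rwxsStT]+[.+]?$/ { next }
        # Skip the directory itself and its parent.
        $5 == "." || $5 == ".." { next }
        # No context recorded at all.
        $4 == "?" { print $5, "unlabeled"; next }
        {
            # Context is user:role:type:level; compare the type field.
            n = split($4, ctx, ":")
            if (n < 3 || ctx[3] != want)
                print $5, "type=" ctx[3]
        }
    '
}

# Constructed sample, abridged from the listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
-r--r--r-- root root ? cacert.asc
-rw-r----- root root ? cert8.db
-rw-------. root root system_u:object_r:cert_t:s0 install.log
-rw-r----- root root ? key3.db
-rw-rw---- root apache ? secmod.db
EOF
}

sample_listing | check_labels cert_t
```

The script only reports; `restorecon -R -v` remains the command that rewrites labels from policy.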