[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Fri Apr 29 17:07:53 UTC 2016


Hot damn! It's up and running.  Web UI works. CLI works.

The chgrp did the trick.

Thank you Rob, Petr and Christian!


Bret

On 04/29/2016 01:04 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> We run with selinux disabled.
>>
>> # getenforce
>> Disabled
>> # restorecon -R -v /etc/httpd/alias
>> # ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting pki-tomcatd Service
>> Failed to start pki-tomcatd Service
>> Shutting down
>> Aborting ipactl
>> # ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>> #
>
> The problem is permissions. Try:
>
> # chgrp apache /etc/httpd/alias/*.db
>
> The mode is ok, Apache only needs read access.
>
> The segfault is fixed upstream and actual usable error messages 
> reported. The init system doesn't see it as a failure because this 
> happens after Apache forks its children.
>
> I'd also consider re-enabling SELinux eventually.
>
> rob
>
>>
>>
>>
>> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>>> On 2016-04-29 18:17, Bret Wortman wrote:
>>>> I'll put the results inline here, since they're short.
>>>>
>>>> [root at zsipa log]# ls -laZ /etc/httpd/
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0       ..
>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0      alias
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>>> lrwxrwxrwx  root root ?                                logs -> ../../var/log/httpd
>>>> lrwxrwxrwx  root root ?                                modules -> ../../usr/lib64/httpd/modules
>>>> lrwxrwxrwx  root root ?                                run -> /run/httpd
>>>> [root at zsipa log]# ls -laZ /etc/httpd/alias
>>>> drwxr-xr-x. root root   system_u:object_r:cert_t:s0      .
>>>> drwxr-xr-x. root root   system_u:object_r:httpd_config_t:s0 ..
>>>> -r--r--r--  root root   ? cacert.asc
>>>> -r--r--r--  root root   ? cacert.asc.orig
>>>> -rw-r-----  root root   ? cert8.db
>>>> -rw-rw----  root apache ? cert8.db.20160426
>>>> -rw-rw----  root apache ? cert8.db.orig
>>>> -rw-------. root root   system_u:object_r:cert_t:s0 install.log
>>>> -rw-r-----  root root   ? key3.db
>>>> -rw-rw----  root apache ? key3.db.20160426
>>>> -rw-rw----  root apache ? key3.db.orig
>>>> lrwxrwxrwx  root root   ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>>> -rw-rw----  root apache ? pwdfile.txt
>>>> -rw-rw----  root apache ? pwdfile.txt.orig
>>>> -rw-rw----  root apache ? secmod.db
>>>> -rw-rw----  root apache ? secmod.db.orig
>>> Some files don't have the correct SELinux context or are completely
>>> missing a context. SELinux prevents Apache from accessing these files.
>>> Did you replace some files or restore some from a backup? You should
>>> see a bunch of SELinux violations in your audit log.
>>>
>>> In order to restore the correct context, please run restorecon:
>>>
>>> # restorecon -R -v /etc/httpd/alias
>>>
>>> This should set correct contexts and allow you to start Apache HTTPD again.
>>>
>>> Christian
>>>
>>
>>
>>
>
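A defender's check for the condition Rob diagnosed, added here as an example and not part of the thread: a POSIX shell function that verifies the NSS database files in an httpd alias directory belong to the web server's group and carry the group read bit (root:apache, mode 640, the state `chgrp apache /etc/httpd/alias/*.db` produces), and additionally flags any of them that is world-readable. It assumes GNU coreutils `stat` and takes the directory and group name as arguments.

```shell
#!/bin/sh
# Added example: check that the NSS database files Apache opens from an IPA
# server's /etc/httpd/alias are readable by the web server group.
# Assumes GNU coreutils `stat`. Usage: check_nss_db_perms DIR [GROUP]
# Prints one line per problem and returns non-zero if anything is wrong.
check_nss_db_perms() {
    dir="$1"
    want_group="${2:-apache}"
    rc=0
    # File names from the thread's listing; cacert.asc is public and is
    # deliberately not checked, since it may stay world-readable.
    for name in cert8.db key3.db secmod.db pwdfile.txt; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            echo "MISSING       $f"
            rc=1
            continue
        fi
        group=$(stat -c '%G' "$f")   # owning group name
        perm=$(stat -c '%A' "$f")    # symbolic mode, e.g. -rw-r-----
        # Wrong group: this is what `chgrp apache /etc/httpd/alias/*.db` fixes.
        if [ "$group" != "$want_group" ]; then
            echo "BAD-GROUP     $f (is $group, want $want_group)"
            rc=1
        fi
        # Group read bit is character 5 of the symbolic mode string.
        if [ "$(printf '%s' "$perm" | cut -c5)" != "r" ]; then
            echo "NO-GROUP-READ $f ($perm)"
            rc=1
        fi
        # Key database and password file should not be readable by everyone.
        if [ "$(printf '%s' "$perm" | cut -c8)" = "r" ]; then
            echo "WORLD-READ    $f ($perm)"
            rc=1
        fi
    done
    return "$rc"
}
```

With SELinux enforcing rather than disabled, the label also matters, which is the part `restorecon -R -v /etc/httpd/alias` from earlier in the thread handles; this function only checks ownership and mode.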