[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Fri Apr 29 17:22:16 UTC 2016


Of course, I just remembered that the server still thinks it's April 4, 
and I still have some certs that are expiring as of 4-17-16. Before I 
screw anything else up, what's the RIGHT way to renew those certs and 
move the server back to real time?



On 04/29/2016 01:07 PM, Bret Wortman wrote:
> Hot damn! It's up and running.  Web UI works. CLI works.
>
> The chgrp did the trick.
>
> Thank you Rob, Petr and Christian!
>
>
> Bret
>
> On 04/29/2016 01:04 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> We run with selinux disabled.
>>>
>>> # getenforce
>>> Disabled
>>> # restorecon -R -v /etc/httpd/alias
>>> # ipactl start
>>> Starting Directory Service
>>> Starting krb5kdc Service
>>> Starting kadmin Service
>>> Starting named Service
>>> Starting ipa_memcached Service
>>> Starting httpd Service
>>> Starting pki-tomcatd Service
>>> Failed to start pki-tomcatd Service
>>> Shutting down
>>> Aborting ipactl
>>> # ipactl status
>>> Directory Service: STOPPED
>>> Directory Service must be running in order to obtain status of other
>>> services
>>> ipa: INFO: The ipactl command was successful
>>> #
>>
>> The problem is permissions. Try:
>>
>> # chgrp apache /etc/httpd/alias/*.db
>>
>> The mode is ok, Apache only needs read access.
>>
>> The segfault is fixed upstream and actual usable error messages 
>> reported. The init system doesn't see it as a failure because this 
>> happens after Apache forks its children.
>>
>> I'd also consider re-enabling SELinux eventually.
>>
>> rob
>>
>>>
>>>
>>>
>>> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>>>> On 2016-04-29 18:17, Bret Wortman wrote:
>>>>> I'll put the results inline here, since they're short.
>>>>>
>>>>> [root@zsipa log]# ls -laZ /etc/httpd/
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0       ..
>>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>>>> lrwxrwxrwx  root root ? logs -> ../../var/log/httpd
>>>>> lrwxrwxrwx  root root ? modules -> ../../usr/lib64/httpd/modules
>>>>> lrwxrwxrwx  root root ? run -> /run/httpd
>>>>> [root@zsipa log]# ls -laZ /etc/httpd/alias
>>>>> drwxr-xr-x. root root   system_u:object_r:cert_t:s0      .
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>>>>> -r--r--r--  root root   ? cacert.asc
>>>>> -r--r--r--  root root   ? cacert.asc.orig
>>>>> -rw-r-----  root root   ? cert8.db
>>>>> -rw-rw----  root apache ? cert8.db.20160426
>>>>> -rw-rw----  root apache ? cert8.db.orig
>>>>> -rw-------. root root   system_u:object_r:cert_t:s0 install.log
>>>>> -rw-r-----  root root   ? key3.db
>>>>> -rw-rw----  root apache ? key3.db.20160426
>>>>> -rw-rw----  root apache ? key3.db.orig
>>>>> lrwxrwxrwx  root root   ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>>>> -rw-rw----  root apache ? pwdfile.txt
>>>>> -rw-rw----  root apache ? pwdfile.txt.orig
>>>>> -rw-rw----  root apache ? secmod.db
>>>>> -rw-rw----  root apache ? secmod.db.orig
>>>> Some files don't have the correct SELinux context or are completely
>>>> missing a context. SELinux prevents Apache from accessing these files.
>>>> Did you replace some files or restore some from a backup? You 
>>>> should see
>>>> a bunch of SELinux violations in your audit log.
>>>>
>>>> In order to restore the correct context, please run restorecon:
>>>>
>>>> # restorecon -R -v /etc/httpd/alias
>>>>
>>>> This should set correct contexts and allow you to start Apache 
>>>> HTTPD again.
>>>>
>>>> Christian
>>>>
>>>
>>>
>>>
>>
>
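The two diagnoses in this thread (Christian's missing SELinux labels, Rob's group ownership on the NSS databases) can be checked mechanically from the `ls -laZ` output Bret posted. The script below is an added example, not code from the thread or from FreeIPA: it parses such a listing and reports entries with no label (the restorecon case) and NSS database or password files the web server account cannot read (the chgrp case), then prints the same two fix commands the thread arrived at. It assumes the web server runs as apache:apache, as in the thread, and that the listing columns are the ones `ls -laZ` printed here (mode, owner, group, context, name). The embedded listing is Bret's, with wrapped lines joined. Note that with `getenforce` reporting Disabled, as in this thread, the label findings are informational and the readability finding is the one that actually blocks httpd.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Audits an `ls -laZ` listing of the mod_nss database directory for the two
# conditions discussed in the thread:
#   NOCTX  <name>  entry has no SELinux label ("?"), the restorecon case
#   NOREAD <name>  NSS database/password file the web server cannot read,
#                  the chgrp case
# Assumptions: web server runs as apache:apache (as in the thread); listing
# columns are "mode owner group context name" as ls -laZ printed in the thread.

# Listing as posted in the thread (wrapped lines joined, . and .. kept).
LISTING='drwxr-xr-x. root root   system_u:object_r:cert_t:s0      .
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
-r--r--r--  root root   ? cacert.asc
-r--r--r--  root root   ? cacert.asc.orig
-rw-r-----  root root   ? cert8.db
-rw-rw----  root apache ? cert8.db.20160426
-rw-rw----  root apache ? cert8.db.orig
-rw-------. root root   system_u:object_r:cert_t:s0 install.log
-rw-r-----  root root   ? key3.db
-rw-rw----  root apache ? key3.db.20160426
-rw-rw----  root apache ? key3.db.orig
lrwxrwxrwx  root root   ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----  root apache ? pwdfile.txt
-rw-rw----  root apache ? pwdfile.txt.orig
-rw-rw----  root apache ? secmod.db
-rw-rw----  root apache ? secmod.db.orig'

# audit_nss_listing USER GROUP  (listing on stdin) -> one "CODE name" per finding
audit_nss_listing() {
    awk -v usr="$1" -v grp="$2" '
    NF < 5 || $5 == "." || $5 == ".." { next }
    {
        mode = $1; owner = $2; group = $3; ctx = $4; name = $5
        if (ctx == "?") print "NOCTX " name
        # Only the NSS databases and the password file are opened by httpd;
        # backups such as cert8.db.orig and install.log are not checked.
        if (name ~ /\.db$/ || name == "pwdfile.txt") {
            # readable if world-readable, or group-readable and owned by the
            # web server group, or owner-readable and owned by the web server user
            readable = (substr(mode, 8, 1) == "r") ||
                       (group == grp && substr(mode, 5, 1) == "r") ||
                       (owner == usr && substr(mode, 2, 1) == "r")
            if (!readable) print "NOREAD " name
        }
    }'
}

# print_fixes DIR GROUP  (findings on stdin) -> the commands used in the thread
print_fixes() {
    awk -v dir="$1" -v grp="$2" '
    $1 == "NOREAD" { print "chgrp " grp " " dir "/" $2 }
    $1 == "NOCTX"  { noctx = 1 }
    END { if (noctx) print "restorecon -R -v " dir }'
}

findings=$(printf '%s\n' "$LISTING" | audit_nss_listing apache apache)
printf '%s\n' "$findings"
echo "--- suggested fixes ---"
printf '%s\n' "$findings" | print_fixes /etc/httpd/alias apache
```

On Bret's listing the readability check flags exactly cert8.db and key3.db (secmod.db and pwdfile.txt already belong to the apache group), which is what Rob's `chgrp apache /etc/httpd/alias/*.db` corrected; every entry except install.log is reported as unlabeled. To run it against a live server, replace the embedded listing with `ls -laZ /etc/httpd/alias` output.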