[Freeipa-users] IPA server having cert issues
Bret Wortman
bret.wortman at damascusgrp.com
Fri Apr 29 17:29:07 UTC 2016
Scratch that. Decided to be daring and run "getcert resubmit -i" for
each cert (after verifying the first one worked), then shut ipa down,
advanced the date, re-enabled ntpd and started it back up. Looks clean.
On 04/29/2016 01:22 PM, Bret Wortman wrote:
> Of course, I just remembered that the server still thinks it's April
> 4, and I still have some certs that are expiring as of 4-17-16. Before
> I screw anything else up, what's the RIGHT way to renew those certs
> and move the server back to real time?
>
>
>
> On 04/29/2016 01:07 PM, Bret Wortman wrote:
>> Hot damn! It's up and running. Web UI works. CLI works.
>>
>> The chgrp did the trick.
>>
>> Thank you Rob, Petr and Christian!
>>
>>
>> Bret
>>
>> On 04/29/2016 01:04 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> We run with selinux disabled.
>>>>
>>>> # getenforce
>>>> Disabled
>>>> # restorecon -R -v /etc/httpd/alias
>>>> # ipactl start
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting ipa_memcached Service
>>>> Starting httpd Service
>>>> Starting pki-tomcatd Service
>>>> Failed to start pki-tomcatd Service
>>>> Shutting down
>>>> Aborting ipactl
>>>> # ipactl status
>>>> Directory Service: STOPPED
>>>> Directory Service must be running in order to obtain status of other
>>>> services
>>>> ipa: INFO: The ipactl command was successful
>>>> #
>>>
>>> The problem is permissions. Try:
>>>
>>> # chgrp apache /etc/httpd/alias/*.db
>>>
>>> The mode is ok, Apache only needs read access.
>>>
>>> The segfault is fixed upstream and actual usable error messages
>>> reported. The init system doesn't see it as a failure because this
>>> happens after Apache forks its children.
>>>
>>> I'd also consider re-enabling SELinux eventually.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>>>>> On 2016-04-29 18:17, Bret Wortman wrote:
>>>>>> I'll put the results inline here, since they're short.
>>>>>>
>>>>>> [root at zsipa log]# ls -laZ /etc/httpd/
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>>>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>>>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>>>>> lrwxrwxrwx root root ? logs -> ../../var/log/httpd
>>>>>> lrwxrwxrwx root root ? modules -> ../../usr/lib64/httpd/modules
>>>>>> lrwxrwxrwx root root ? run -> /run/httpd
>>>>>> [root at zsipa log]# ls -laZ /etc/httpd/alias
>>>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>>>>>> -r--r--r-- root root ? cacert.asc
>>>>>> -r--r--r-- root root ? cacert.asc.orig
>>>>>> -rw-r----- root root ? cert8.db
>>>>>> -rw-rw---- root apache ? cert8.db.20160426
>>>>>> -rw-rw---- root apache ? cert8.db.orig
>>>>>> -rw-------. root root system_u:object_r:cert_t:s0 install.log
>>>>>> -rw-r----- root root ? key3.db
>>>>>> -rw-rw---- root apache ? key3.db.20160426
>>>>>> -rw-rw---- root apache ? key3.db.orig
>>>>>> lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>>>>> -rw-rw---- root apache ? pwdfile.txt
>>>>>> -rw-rw---- root apache ? pwdfile.txt.orig
>>>>>> -rw-rw---- root apache ? secmod.db
>>>>>> -rw-rw---- root apache ? secmod.db.orig
>>>>> Some files don't have the correct SELinux context or are completely
>>>>> missing a context. SELinux prevents Apache from accessing these files.
>>>>> Did you replace some files or restore some from a backup? You should
>>>>> see a bunch of SELinux violations in your audit log.
>>>>>
>>>>> In order to restore the correct context, please run restorecon:
>>>>>
>>>>> # restorecon -R -v /etc/httpd/alias
>>>>>
>>>>> This should set correct contexts and allow you to start Apache
>>>>> HTTPD again.
>>>>>
>>>>> Christian
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
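An added check, not code from anyone in this thread, that verifies the two conditions diagnosed above: the NSS database files in Apache's alias directory must be group-owned by apache (the chgrp fix) and group-readable without being world-readable, and, where SELinux is enforcing, must carry a label that restorecon can restore. Directory and group are parameters; Linux with GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: check the NSS database files
# that IPA's Apache reads. Assumes Linux with GNU stat; the directory and
# group default to the thread's /etc/httpd/alias and "apache" but are
# passed in so the check can run anywhere.

# audit_nss_dir DIR GROUP
# Reports each *.db file that GROUP cannot read or that is world-readable.
# Returns 0 only when every *.db file is clean.
audit_nss_dir() {
    dir="$1"; grp="$2"; rc=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || { echo "no *.db files in $dir"; return 2; }
        g=$(stat -c '%G' "$f"); m=$(stat -c '%a' "$f")
        # httpd runs as GROUP, so the group owner must match (this was the fix)
        if [ "$g" != "$grp" ]; then
            echo "$f: group $g, expected $grp -> chgrp $grp '$f'"; rc=1
        fi
        # 0$m is octal; 040 is the group-read bit. Read access is all httpd needs.
        if [ $(( 0$m & 040 )) -eq 0 ]; then
            echo "$f: mode $m denies group read -> chmod g+r '$f'"; rc=1
        fi
        # 04 is the world-read bit; key3.db holds private keys, never expose it
        if [ $(( 0$m & 04 )) -ne 0 ]; then
            echo "$f: mode $m is world-readable -> chmod o-rwx '$f'"; rc=1
        fi
    done
    return $rc
}

# selinux_check DIR
# With SELinux enforcing, a missing label ("?" in ls -Z) blocks httpd even
# when ownership is right; restorecon restores the policy's default label.
selinux_check() {
    dir="$1"; bad=0
    command -v getenforce >/dev/null 2>&1 || { echo "no SELinux tooling, skipping"; return 0; }
    [ "$(getenforce)" = "Disabled" ] && { echo "SELinux disabled, labels not enforced"; return 0; }
    for f in "$dir"/*; do
        case "$(stat -c '%C' "$f")" in
            '?'|*unlabeled_t*) echo "$f: no label -> restorecon -R -v '$dir'"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage on an IPA server:
#   audit_nss_dir /etc/httpd/alias apache && selinux_check /etc/httpd/alias
```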