[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Fri Apr 29 17:29:07 UTC 2016


Scratch that. Decided to be daring and run "getcert resubmit -i" for 
each cert (after verifying the first one worked), then shut ipa down, 
advanced the date, re-enabled ntpd and started it back up. Looks clean.


On 04/29/2016 01:22 PM, Bret Wortman wrote:
> Of course, I just remembered that the server still thinks it's April 
> 4, and I still have some certs that are expiring as of 4-17-16. Before 
> I screw anything else up, what's the RIGHT way to renew those certs 
> and move the server back to real time?
>
>
>
> On 04/29/2016 01:07 PM, Bret Wortman wrote:
>> Hot damn! It's up and running. Web UI works. CLI works.
>>
>> The chgrp did the trick.
>>
>> Thank you Rob, Petr and Christian!
>>
>>
>> Bret
>>
>> On 04/29/2016 01:04 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> We run with selinux disabled.
>>>>
>>>> # getenforce
>>>> Disabled
>>>> # restorecon -R -v /etc/httpd/alias
>>>> # ipactl start
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting ipa_memcached Service
>>>> Starting httpd Service
>>>> Starting pki-tomcatd Service
>>>> Failed to start pki-tomcatd Service
>>>> Shutting down
>>>> Aborting ipactl
>>>> # ipactl status
>>>> Directory Service: STOPPED
>>>> Directory Service must be running in order to obtain status of other
>>>> services
>>>> ipa: INFO: The ipactl command was successful
>>>> #
>>>
>>> The problem is permissions. Try:
>>>
>>> # chgrp apache /etc/httpd/alias/*.db
>>>
>>> The mode is ok, Apache only needs read access.
>>>
>>> The segfault is fixed upstream and actual usable error messages 
>>> reported. The init system doesn't see it as a failure because this 
>>> happens after Apache forks its children.
>>>
>>> I'd also consider re-enabling SELinux eventually.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>>>>> On 2016-04-29 18:17, Bret Wortman wrote:
>>>>>> I'll put the results inline here, since they're short.
>>>>>>
>>>>>> [root at zsipa log]# ls -laZ /etc/httpd/
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>>>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>>>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>>>>> lrwxrwxrwx  root root ? logs -> ../../var/log/httpd
>>>>>> lrwxrwxrwx  root root ? modules -> ../../usr/lib64/httpd/modules
>>>>>> lrwxrwxrwx  root root ? run -> /run/httpd
>>>>>> [root at zsipa log]# ls -laZ /etc/httpd/alias
>>>>>> drwxr-xr-x. root root   system_u:object_r:cert_t:s0 .
>>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>>>>>> -r--r--r--  root root   ? cacert.asc
>>>>>> -r--r--r--  root root   ? cacert.asc.orig
>>>>>> -rw-r-----  root root   ? cert8.db
>>>>>> -rw-rw----  root apache ? cert8.db.20160426
>>>>>> -rw-rw----  root apache ? cert8.db.orig
>>>>>> -rw-------. root root   system_u:object_r:cert_t:s0 install.log
>>>>>> -rw-r-----  root root   ? key3.db
>>>>>> -rw-rw----  root apache ? key3.db.20160426
>>>>>> -rw-rw----  root apache ? key3.db.orig
>>>>>> lrwxrwxrwx  root root   ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>>>>> -rw-rw----  root apache ? pwdfile.txt
>>>>>> -rw-rw----  root apache ? pwdfile.txt.orig
>>>>>> -rw-rw----  root apache ? secmod.db
>>>>>> -rw-rw----  root apache ? secmod.db.orig
>>>>> Some files don't have the correct SELinux context or are completely
>>>>> missing a context. SELinux prevents Apache from accessing these files.
>>>>> Did you replace some files or restore some from a backup? You should see
>>>>> a bunch of SELinux violations in your audit log.
>>>>>
>>>>> In order to restore the correct context, please run restorecon:
>>>>>
>>>>> # restorecon -R -v /etc/httpd/alias
>>>>>
>>>>> This should set correct contexts and allow you to start Apache 
>>>>> HTTPD again.
>>>>>
>>>>> Christian
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
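The root cause in this thread was that `cert8.db` and `key3.db` in `/etc/httpd/alias` were owned `root:root` while Apache (running as `apache`) needs group read access, and ipactl only surfaced it as "Failed to start pki-tomcatd". The script below is an added example, not code from the thread or from FreeIPA: it checks the NSS database files an IPA web server depends on for the expected group and the group-read bit, and builds a constructed copy of the listing in a temporary directory so the check can be exercised without touching a real server. The file list, the group name `apache`, and the use of GNU coreutils `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): verify that the NSS database
# files Apache reads are owned by the web server group and are group-readable.
# Assumes GNU coreutils `stat`; the file list is the one shown in the thread.

# Print "BAD <file> <group> <mode>" for every NSS db file in directory $1 that is
# not owned by group $2 (name or numeric gid) or lacks the group-read bit.
# Returns 1 if any file was flagged, 0 if all are fine.
check_nss_db_perms() {
    dir=$1
    want_group=$2
    bad=0
    for f in "$dir"/cert8.db "$dir"/key3.db "$dir"/secmod.db "$dir"/pwdfile.txt; do
        [ -e "$f" ] || continue
        gname=$(stat -c '%G' "$f")   # group name, e.g. apache
        gid=$(stat -c '%g' "$f")     # numeric gid, for callers passing a number
        mode=$(stat -c '%A' "$f")    # symbolic mode, e.g. -rw-r-----
        ok=1
        [ "$gname" = "$want_group" ] || [ "$gid" = "$want_group" ] || ok=0
        # the group-read bit is the fifth character of the symbolic mode
        case $mode in
            ????r*) ;;
            *) ok=0 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            echo "BAD $f $gname $mode"
            bad=1
        fi
    done
    return $bad
}

# Build a constructed imitation of the thread's /etc/httpd/alias listing in a
# temp directory. Changing group ownership needs privileges, so the files keep
# the caller's primary group and the failure simulated is a missing group-read
# bit (key3.db with mode 0600), which the check flags the same way.
make_sample_alias_dir() {
    d=$(mktemp -d)
    : > "$d/cert8.db";    chmod 0640 "$d/cert8.db"     # group-readable: fine
    : > "$d/key3.db";     chmod 0600 "$d/key3.db"      # no group access: flagged
    : > "$d/secmod.db";   chmod 0660 "$d/secmod.db"
    : > "$d/pwdfile.txt"; chmod 0660 "$d/pwdfile.txt"
    echo "$d"
}

# On a real IPA server: report what Apache cannot read and the fix from the thread.
if [ -d /etc/httpd/alias ]; then
    if check_nss_db_perms /etc/httpd/alias apache; then
        echo "OK: NSS db files in /etc/httpd/alias are readable by group apache"
    else
        echo "fix: chgrp apache /etc/httpd/alias/*.db (mode 0640 is sufficient)"
    fi
fi
```

Run it as root on the IPA server before `ipactl start`; because the check reads only file metadata it is safe to run while services are down, and it reports each offending file rather than the single "Failed to start pki-tomcatd" line ipactl produces.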