[Freeipa-users] My IPA installation doesn't work after upgrade

Florence Blanc-Renaud flo at redhat.com
Thu Nov 17 13:39:54 UTC 2016


On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> Hello.
>
> This morning I've tried to upgrade my IPA server, but the upgrade
> failed, and now the service doesn't start! :(
>
> If I try to launch the upgrade manually this is the output:
> [root at mlv-ipa01 download]# ipa-server-upgrade
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>   [6/8]: upgrading server
>   [7/8]: stopping directory server
>   [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command '/bin/systemctl start httpd.service'
> returned non-zero exit status 1
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
>
> These are error logs of Apache:
> [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
> found: 'Server-Cert'
>
> The problem seems to be the Server-Cert that could not be found.
> But if I try to execute the certutil command manually I can see it:
> [root at mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                                 u,u,u
> ipaCert                                                      u,u,u
> Server-Cert                                                  Pu,u,u
> IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
>
> Could you help me?
> What could I try to do to restart my service?
>
Hi,

I would first make sure that httpd is using /etc/httpd/alias as NSS DB 
(check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
Then it may be a file permission issue: the NSS DB should belong to 
root:apache (the relevant files are cert8.db, key3.db and secmod.db).
You should also find a pwdfile.txt in the same directory, containing the 
NSS DB password. Check that the password is valid using
certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
(if the command succeeds then the password in pwdfile is OK).

You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting 
"LogLevel debug", and check the output in /var/log/httpd/error_log.

HTH,
Flo.
> Thanks, Morgan
>
>
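A small diagnostic script for the checks listed in the reply above, added here as an example; it is not part of the thread and not FreeIPA's own tooling. It assumes the paths named in the reply (the mod_nss config at /etc/httpd/conf.d/nss.conf, the cert8.db, key3.db and secmod.db files and pwdfile.txt under the directory that NSSCertificateDatabase points at); the NSS_CONF override, the function names and the --run switch are choices of this example, not anything from the page.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread or the FreeIPA project) that
# walks the checks from the reply: which NSS DB httpd points at, whether the
# DB files are present and who owns them, whether pwdfile.txt unlocks the key
# DB, and whether mod_nss debug logging is on. Paths are the ones named in the
# thread; NSS_CONF is an assumed override for other layouts.

NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"

# Print the value of the first active NSSCertificateDatabase directive in a
# mod_nss config file (quotes stripped, commented-out lines ignored).
nss_db_dir_from_conf() {
    sed -n 's/^[[:space:]]*NSSCertificateDatabase[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Print the names of the expected NSS DB files that are absent from $1.
# Returns 0 when nothing is missing, 1 otherwise.
missing_db_files() {
    dir="$1"; rc=0
    for f in cert8.db key3.db secmod.db pwdfile.txt; do
        if [ ! -f "$dir/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Print owner:group of a file (GNU stat, with an ls fallback elsewhere).
file_owner_group() {
    stat -c '%U:%G' "$1" 2>/dev/null || ls -ld "$1" | awk '{print $3 ":" $4}'
}

# Return 0 if the password in $1/pwdfile.txt unlocks the key DB in $1
# (the certutil -K check from the reply). Returns 2 if certutil is absent.
check_pwdfile() {
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -K -d "$1" -f "$1/pwdfile.txt" >/dev/null 2>&1
}

# Return 0 if the config file has an active "LogLevel debug" directive.
loglevel_is_debug() {
    grep -Eiq '^[[:space:]]*LogLevel[[:space:]]+debug' "$1"
}

run_checks() {
    dir=$(nss_db_dir_from_conf "$NSS_CONF")
    if [ -z "$dir" ]; then
        echo "no NSSCertificateDatabase directive found in $NSS_CONF"
        return 1
    fi
    echo "httpd NSS DB directory: $dir"
    if ! missing=$(missing_db_files "$dir"); then
        echo "missing from $dir:" $missing
    fi
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then
            echo "$f is owned by $(file_owner_group "$dir/$f") (expected root:apache)"
        fi
    done
    if check_pwdfile "$dir"; then
        echo "pwdfile.txt unlocks $dir (password OK)"
    else
        echo "pwdfile.txt does not unlock $dir, or certutil is not installed"
    fi
    if loglevel_is_debug "$NSS_CONF"; then
        echo "mod_nss LogLevel debug is on; look in /var/log/httpd/error_log"
    else
        echo "set 'LogLevel debug' in $NSS_CONF for more detail in /var/log/httpd/error_log"
    fi
}

# Run the checks only when invoked as: sh nss_diag.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as root on the IPA server with `sh nss_diag.sh --run`; the ownership line is the one to compare against root:apache, and a failing pwdfile check points at the password rather than at the certificate nickname.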