[Freeipa-users] My IPA installation doesn't work after upgrade

Rob Crittenden rcritten at redhat.com
Thu Nov 17 15:11:01 UTC 2016


Morgan Marodin wrote:
> Hi Florence.
> 
> Thanks for your support.
> 
> Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
> permissions and certificates are good:
> [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> total 184
> -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
> -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
> -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> -rw-------. 1 root root    4833 Sep  4  2015 install.log
> -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
> -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
> lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
> -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
> -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
> -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig

Eventually you'll want to remove group write on the *.db files.

> And password validations seems ok, too:
> [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
good

> Enabling mod-nss debug I can see these logs:
> [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
> [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> for SSL protocol
> [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> nss_engine_init.c(906): Disabling TLS Session Tickets
> [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> nss_engine_init.c(916): Enabling DHE key exchange
> [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL
> ciphers
> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> Server-Cert.
[snip]
> [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> found: 'Server-Cert'

Can you show what this returns:

# grep NSSNickname /etc/httpd/conf.d/nss.conf

> Do you think there is a kerberos problem?

It definitely is not.

You can bring the system up in a minimal way by manually starting the
dirsrv@EXAMPLE.COM service and then krb5kdc. This will at least let your
users authenticate. The management framework (GUI) runs through Apache
so that will be down until we can get Apache started again.

rob

> 
> Please let me know, thanks.
> Bye, Morgan
> 
> 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> 
>     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> 
>         Hello.
> 
>         This morning I've tried to upgrade my IPA server, but the upgrade
>         failed, and now the service doesn't start! :(
> 
>         If I try to launch the upgrade manually this is the output:
>         [root@mlv-ipa01 download]# ipa-server-upgrade
> 
>         Upgrading IPA:
>           [1/8]: saving configuration
>           [2/8]: disabling listeners
>           [3/8]: enabling DS global lock
>           [4/8]: starting directory server
>           [5/8]: updating schema
>           [6/8]: upgrading server
>           [7/8]: stopping directory server
>           [8/8]: restoring configuration
>         Done.
>         Update complete
>         Upgrading IPA services
>         Upgrading the configuration of the IPA services
>         [Verifying that root certificate is published]
>         [Migrate CRL publish directory]
>         CRL tree already moved
>         [Verifying that CA proxy configuration is correct]
>         [Verifying that KDC configuration is using ipa-kdb backend]
>         [Fix DS schema file syntax]
>         Syntax already fixed
>         [Removing RA cert from DS NSS database]
>         RA cert already removed
>         [Enable sidgen and extdom plugins by default]
>         [Updating HTTPD service IPA configuration]
>         [Updating mod_nss protocol versions]
>         Protocol versions already updated
>         [Updating mod_nss cipher suite]
>         [Fixing trust flags in /etc/httpd/alias]
>         Trust flags already processed
>         [Exporting KRA agent PEM file]
>         KRA is not enabled
>         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>         command ipa-server-upgrade manually.
>         Unexpected error - see /var/log/ipaupgrade.log for details:
>         CalledProcessError: Command '/bin/systemctl start httpd.service'
>         returned non-zero exit status 1
>         The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>         more information
> 
>         These are error logs of Apache:
>         [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
>         suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
>         NSSSessionCacheTimeout is deprecated. Ignoring.
>         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664]
>         Certificate not found: 'Server-Cert'
> 
>         The problem seems to be the Server-Cert that could not be found.
>         But if I try to execute the certutil command manually I can see it:
>         [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
> 
>         Certificate Nickname                                         Trust Attributes
>                                                                      SSL,S/MIME,JAR/XPI
> 
>         Signing-Cert                                                 u,u,u
>         ipaCert                                                      u,u,u
>         Server-Cert                                                  Pu,u,u
>         IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
> 
>         Could you help me?
>         What could I try to do to restart my service?
> 
>     Hi,
> 
>     I would first make sure that httpd is using /etc/httpd/alias as NSS
>     DB (check the directive NSSCertificateDatabase in
>     /etc/httpd/conf.d/nss.conf).
>     Then it may be a file permission issue: the NSS DB should belong to
>     root:apache (the relevant files are cert8.db, key3.db and secmod.db).
>     You should also find a pwdfile.txt in the same directory, containing
>     the NSS DB password. Check that the password is valid using
>     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>     (if the command succeeds then the password in pwdfile is OK).
> 
>     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
>     setting "LogLevel debug", and check the output in
>     /var/log/httpd/error_log.
> 
>     HTH,
>     Flo.
> 
>         Thanks, Morgan
> 
> 
> 
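An added diagnostic script, not from the thread or the FreeIPA project, that automates the checks Flo and Rob walk through: read NSSCertificateDatabase and NSSNickname from nss.conf, confirm that nickname really is in the certutil -L listing (the "Certificate not found: 'Server-Cert'" symptom is exactly a nickname/DB mismatch), and flag group-writable *.db files. It assumes nss.conf, the NSS DB directory and a file holding saved `certutil -L -d <dbdir>` output are passed as arguments; it does not run certutil itself.

```shell
#!/bin/sh
# Hypothetical helper script for the "Certificate not found" symptom (added example).
# Inputs are assumed: $conf = /etc/httpd/conf.d/nss.conf, $dbdir = /etc/httpd/alias,
# $certlist = a file containing the output of `certutil -L -d /etc/httpd/alias/`.

# Print the value of an active (non-comment) directive; the last occurrence wins.
nss_directive() {  # $1 = nss.conf path, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Return 0 if nickname $2 appears in saved certutil -L output ($1).
# Nicknames may contain spaces ("IPA.MYDOMAIN.COM IPA CA"), so only lines whose
# last column looks like trust flags (u,u,u / Pu,u,u / CT,C,C) are considered,
# and that column is stripped before comparing. Header lines never match.
nickname_listed() {  # $1 = certutil -L output file, $2 = nickname
    awk -v n="$2" '
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust-flag column
            if (nick == n) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# List *.db files in the NSS DB directory that are group-writable (Rob's follow-up point;
# root:apache with mode 0640 is enough for httpd to read them).
group_writable_dbs() {  # $1 = NSS DB directory
    find "$1" -maxdepth 1 -name '*.db' -perm -g=w
}

# Run all checks. $1 = nss.conf, $2 = certutil -L output file, $3 = expected NSS DB dir.
# Prints one line per finding; returns 0 only when the DB path and nickname both match.
check_httpd_nss() {
    conf=$1; certlist=$2; dbdir=$3; rc=0
    db=$(nss_directive "$conf" NSSCertificateDatabase)
    nick=$(nss_directive "$conf" NSSNickname)
    [ "$db" = "$dbdir" ] || { echo "NSSCertificateDatabase is '$db', expected $dbdir"; rc=1; }
    if nickname_listed "$certlist" "$nick"; then
        echo "nickname '$nick' is present in the NSS DB"
    else
        echo "nickname '$nick' is NOT in the NSS DB (matches 'Certificate not found')"; rc=1
    fi
    gw=$(group_writable_dbs "$dbdir")
    [ -z "$gw" ] || printf 'group-writable db files (tighten once httpd is up):\n%s\n' "$gw"
    return $rc
}
```

Typical use on the affected host would be `certutil -L -d /etc/httpd/alias/ > /tmp/certs.txt` followed by `check_httpd_nss /etc/httpd/conf.d/nss.conf /tmp/certs.txt /etc/httpd/alias`.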
