[Freeipa-users] My IPA installation doesn't work after upgrade

Morgan Marodin morgan at marodin.it
Thu Nov 17 15:51:32 UTC 2016


Hi Rob.

I've just tried to remove the group write to the *.db files, but it's not
the problem.

[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert

I've tried to run manually *dirsrv.target* and *krb5kdc.service*, and it
works, services went up.
The same for *ntpd*, *named-pkcs11.service*, *smb.service*,
*winbind.service*, *kadmin.service*, *memcached.service* and
*pki-tomcatd.target*.

But if I try to start *httpd.service*:

[root@mlv-ipa01 ~]# tail -f /var/log/messages
Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa         : INFO     KDC proxy enabled
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed.

Any other ideas?

Please let me know, thanks.
Morgan

2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:

> Morgan Marodin wrote:
> > Hi Florence.
> >
> > Thanks for your support.
> >
> > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all
> > permissions and certificates are good:
> > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > total 184
> > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
> > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
> > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > -rw-------. 1 root root    4833 Sep  4  2015 install.log
> > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
> > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
> > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
> > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
> > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig
>
> Eventually you'll want to remove group write on the *.db files.
>
> > And password validations seems ok, too:
> > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> good
>
> > Enabling mod-nss debug I can see these logs:
> > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232:
> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
> > NSSSessionCacheTimeout is deprecated. Ignoring.
> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
> > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server
> > for SSL protocol
> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
> > nss_engine_init.c(770): NSSProtocol:  Enabling TLSv1.0
> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
> > nss_engine_init.c(775): NSSProtocol:  Enabling TLSv1.1
> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
> > nss_engine_init.c(780): NSSProtocol:  Enabling TLSv1.2
> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
> > nss_engine_init.c(839): NSSProtocol:  [TLS 1.0] (minimum)
> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
> > nss_engine_init.c(866): NSSProtocol:  [TLS 1.2] (maximum)
> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
> > nss_engine_init.c(906): Disabling TLS Session Tickets
> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
> > nss_engine_init.c(916): Enabling DHE key exchange
> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
> > nss_engine_init.c(1077): NSSCipherSuite:  Configuring permitted SSL ciphers
> > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname
> > Server-Cert.
> [snip]
> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not
> > found: 'Server-Cert'
>
> Can you show what this returns:
>
> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>
> > Do you think there is a kerberos problem?
>
> It definitely is not.
>
> You can bring the system up in a minimal way by manually starting the
> dirsrv@EXAMPLE.COM service and then krb5kdc. This will at least let your
> users authenticate. The management framework (GUI) runs through Apache
> so that will be down until we can get Apache started again.
>
> rob
>
> >
> > Please let me know, thanks.
> > Bye, Morgan
> >
> > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com
> > <mailto:flo at redhat.com>>:
> >
> >     On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> >
> >         Hello.
> >
> >         This morning I've tried to upgrade my IPA server, but the upgrade
> >         failed, and now the service doesn't start! :(
> >
> >         If I try to launch the upgrade manually this is the output:
> >         [root@mlv-ipa01 download]# ipa-server-upgrade
> >
> >         Upgrading IPA:
> >           [1/8]: saving configuration
> >           [2/8]: disabling listeners
> >           [3/8]: enabling DS global lock
> >           [4/8]: starting directory server
> >           [5/8]: updating schema
> >           [6/8]: upgrading server
> >           [7/8]: stopping directory server
> >           [8/8]: restoring configuration
> >         Done.
> >         Update complete
> >         Upgrading IPA services
> >         Upgrading the configuration of the IPA services
> >         [Verifying that root certificate is published]
> >         [Migrate CRL publish directory]
> >         CRL tree already moved
> >         [Verifying that CA proxy configuration is correct]
> >         [Verifying that KDC configuration is using ipa-kdb backend]
> >         [Fix DS schema file syntax]
> >         Syntax already fixed
> >         [Removing RA cert from DS NSS database]
> >         RA cert already removed
> >         [Enable sidgen and extdom plugins by default]
> >         [Updating HTTPD service IPA configuration]
> >         [Updating mod_nss protocol versions]
> >         Protocol versions already updated
> >         [Updating mod_nss cipher suite]
> >         [Fixing trust flags in /etc/httpd/alias]
> >         Trust flags already processed
> >         [Exporting KRA agent PEM file]
> >         KRA is not enabled
> >         IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
> >         run command ipa-server-upgrade manually.
> >         Unexpected error - see /var/log/ipaupgrade.log for details:
> >         CalledProcessError: Command '/bin/systemctl start httpd.service'
> >         returned non-zero exit status 1
> >         The ipa-server-upgrade command failed. See
> >         /var/log/ipaupgrade.log for more information
> >
> >         These are error logs of Apache:
> >         [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
> >         suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> >         [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
> >         NSSSessionCacheTimeout is deprecated. Ignoring.
> >         [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664]
> >         Certificate not found: 'Server-Cert'
> >
> >         The problem seems to be the Server-Cert that could not be found.
> >         But if I try to execute the certutil command manually I can see it:
> >         [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
> >
> >         Certificate Nickname                              Trust Attributes
> >                                                           SSL,S/MIME,JAR/XPI
> >
> >         Signing-Cert                                      u,u,u
> >         ipaCert                                           u,u,u
> >         Server-Cert                                       Pu,u,u
> >         IPA.MYDOMAIN.COM IPA CA                           CT,C,C
> >
> >         Could you help me?
> >         What could I try to do to restart my service?
> >
> >     Hi,
> >
> >     I would first make sure that httpd is using /etc/httpd/alias as NSS
> >     DB (check the directive NSSCertificateDatabase in
> >     /etc/httpd/conf.d/nss.conf).
> >     Then it may be a file permission issue: the NSS DB should belong to
> >     root:apache (the relevant files are cert8.db, key3.db and secmod.db).
> >     You should also find a pwdfile.txt in the same directory, containing
> >     the NSS DB password. Check that the password is valid using
> >     certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> >     (if the command succeeds then the password in pwdfile is OK).
> >
> >     You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by
> >     setting "LogLevel debug", and check the output in
> >     /var/log/httpd/error_log.
> >
> >     HTH,
> >     Flo.
> >
> >         Thanks, Morgan
> >
>
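The checks Florence lists (the NSSCertificateDatabase and NSSNickname directives in nss.conf, root:apache ownership of cert8.db, key3.db and secmod.db, and the configured nickname actually being present in the database that certutil -L prints) can be scripted so they are run the same way every time. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA project. It runs offline against constructed sample input that make_sample_dir builds in a temp directory (an nss.conf fragment, a certutil -L listing laid out like the one Morgan posted, and empty *.db files with mode 640); on a real server you would first save the listing with `certutil -L -d /etc/httpd/alias/ > listing.txt` and pass the real paths. All function names are mine. The one interpretation added beyond the thread is certutil's own meaning of the `u` trust flag (the private key for that certificate is in the database), which is what a server certificate needs in its SSL slot; the script encodes the checks, it does not claim to explain the failure in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): script the checks
# suggested in the thread for a mod_nss "Certificate not found" failure.
# Everything written by make_sample_dir is constructed sample data.

# Print the value of a mod_nss directive (e.g. NSSNickname) from nss.conf,
# skipping comment lines; the first match wins.
nss_directive() {
    # $1 = directive name, $2 = path to nss.conf
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Print the trust flags of nickname $1 from saved `certutil -L` output in $2.
# Nicknames may contain spaces, so the flags are the last field and everything
# before them is the nickname. Exits 1 when the nickname is not listed.
nickname_trust_flags() {
    awk -v nick="$1" '
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "", $0)
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Check that cert8.db, key3.db and secmod.db in $1 are owned by $2:$3
# (root:apache on an IPA server) and grant "other" no access at all.
db_perms_ok() {
    dir=$1; want="$2:$3"; rc=0
    for f in cert8.db key3.db secmod.db; do
        p="$dir/$f"
        [ -f "$p" ] || { echo "missing: $p"; rc=1; continue; }
        set -- $(ls -ld "$p")          # mode links owner group ...
        owner="$3:$4"
        other=$(printf '%s' "$1" | cut -c8-10)
        [ "$owner" = "$want" ] || { echo "$p owned by $owner, want $want"; rc=1; }
        [ "$other" = "---" ] || { echo "$p is accessible by others ($1)"; rc=1; }
    done
    return $rc
}

# Run the checks end to end: the nickname configured in nss.conf must be in
# the DB listing, its SSL trust slot must carry 'u' (certutil's flag for a
# cert whose private key is in the DB), and the DB files must be locked down.
diagnose() {
    # $1 = nss.conf, $2 = saved certutil -L output, $3 = DB dir, $4 = user, $5 = group
    nick=$(nss_directive NSSNickname "$1")
    [ -n "$nick" ] || { echo "no NSSNickname in $1"; return 1; }
    flags=$(nickname_trust_flags "$nick" "$2") ||
        { echo "'$nick' is not in the NSS DB listing"; return 1; }
    case "${flags%%,*}" in
        *u*) echo "'$nick' found, SSL trust '$flags'" ;;
        *)   echo "'$nick' has SSL trust '$flags': no private key (u) in DB"; return 1 ;;
    esac
    db_perms_ok "$3" "$4" "$5"
}

# Build constructed sample input in a temp dir and print its path: an nss.conf
# fragment, a certutil -L listing laid out like the one in the thread, and
# empty *.db files with mode 640.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/nss.conf" <<'EOF'
# constructed fragment of /etc/httpd/conf.d/nss.conf
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
EOF
    cat > "$d/certutil-L.txt" <<'EOF'

Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

Signing-Cert                                      u,u,u
ipaCert                                           u,u,u
Server-Cert                                       Pu,u,u
IPA.MYDOMAIN.COM IPA CA                           CT,C,C
EOF
    for f in cert8.db key3.db secmod.db; do : > "$d/$f"; chmod 640 "$d/$f"; done
    echo "$d"
}

# Usage on a real host, after saving the listing (hypothetical file names):
#   certutil -L -d /etc/httpd/alias/ > /root/alias-listing.txt
#   sh nsscheck.sh /etc/httpd/conf.d/nss.conf /root/alias-listing.txt /etc/httpd/alias root apache
if [ $# -eq 5 ]; then diagnose "$@"; fi
```

The nickname comparison is done on the whole text before the trust-flag column rather than on the first word, because IPA CA nicknames such as "IPA.MYDOMAIN.COM IPA CA" contain spaces; a naive `grep ^Server-Cert` would also match a nickname that merely starts with that string.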