[Freeipa-users] My IPA installation doesn't work after upgrade

Morgan Marodin morgan at marodin.it
Thu Nov 17 17:18:14 UTC 2016


Hi.

I've tried to delete and reimport only the *Server-Cert* certificate (I have
a copy of the original folder).
But a strange behaviour occurred:
# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt
# certutil -D -d /etc/httpd/alias -n Server-Cert
# certutil -L -d .
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
# certutil -A -d /etc/httpd/alias -n Server-Cert -t u,u,u -a -i /tmp/Server-Cert.crt
Notice: Trust flag u is set automatically if the private key is present.
p11-kit: objects of this type cannot be created
# certutil -L -d /etc/httpd/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u

What's the error message in bold?
And why are the trust flags set differently from the ones specified?

Thanks, Morgan

2016-11-17 17:36 GMT+01:00 Morgan Marodin <morgan at marodin.it>:

> Hi.
>
> I've upgraded all packages of my distribution, not only ipa packages.
> There were a lot of packages.
>
> [root at mlv-ipa01 ~]# rpm -q mod_nss
> mod_nss-1.0.14-7.el7.x86_64
>
> All other checks seem ok:
>
> [root at mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> certutil: certificate is valid
> [root at mlv-ipa01 ~]# getsebool
> getsebool:  SELinux is disabled
> [root at mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      736...   NSS Certificate DB:Server-Cert
> < 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
> < 2> rsa      0ff...   NSS Certificate DB:ipaCert
>
> [root at mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
>             Not Before: Mon Sep 07 10:15:34 2015
>             Not After : Thu Sep 07 10:15:34 2017
>
> Could it be a good idea to export and re-import all certs from the
> */etc/httpd/alias* folder?
>
> Thanks
>
> 2016-11-17 17:07 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>
>> Morgan Marodin wrote:
>> > Hi Rob.
>> >
>> > I've just tried to remove the group write to the *.db files, but it's
>> > not the problem.
>>
>> I didn't expect it to be but you don't want Apache having write access
>> to your certs and keys.
>>
>> > [root at mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> > NSSNickname Server-Cert
>>
>> Ok.
>>
>> >
>> > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
>> > works, services went up.
>> > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>> > /winbind.service/, /kadmin.service/, /memcached.service/ and
>> > /pki-tomcatd.target/.
>>
>> Good, so you can limp along for a while then.
>>
>> > Any other ideas?
>>
>> So you upgraded. What did you actually upgrade? Only the IPA packages or
>> a lot more?
>>
>> What version is running now, and what version of mod_nss?
>>
>> $ rpm -q mod_nss
>>
>> Let's see if the NSS tools can find the cert:
>>
>> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>>
>> Should come back with: certutil: certificate is valid
>>
>> rob
>>
>
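An added example, not from the thread and not FreeIPA's or NSS's own code: a small Python script that parses a certutil -L listing into nickname and per-category trust flags, decodes the letters using the meanings documented for certutil, checks whether the 'u' flag (private key present in the DB) is set for every category, and reports where the stored flags differ from the ones requested with -t. The listing it reads is a constructed sample in the same layout as the one above; EXPECTED, private_key_present and compare_trust are names I chose for this example.

```python
import re

# Meaning of the NSS trust-attribute letters, as documented for certutil.
TRUST_LETTERS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certs (implies c)",
    "T": "trusted CA to issue client certs (implies c)",
    "u": "user cert (private key present)",
    "w": "send warning",
}
CATEGORIES = ("SSL", "S/MIME", "JAR/XPI")

# One flag group per category, letters drawn only from the table above.
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")

# Constructed sample in the layout of `certutil -L -d <dbdir>`; nicknames and
# flags mirror the second listing in the thread (assumed, not captured output).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u
"""


def parse_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings from certutil -L output.

    The trust column is the last whitespace-separated token; nicknames may
    contain spaces, so split from the right exactly once. Header lines do not
    match TRUST_RE and are skipped.
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, trust = parts
        match = TRUST_RE.match(trust)
        if match:
            certs[nickname.strip()] = match.groups()
    return certs


def decode(flags):
    """Expand one category's flag string into its documented meanings."""
    return [TRUST_LETTERS[ch] for ch in flags]


def private_key_present(trust):
    """certutil sets 'u' automatically when the private key is in the DB."""
    return all("u" in category for category in trust)


def compare_trust(actual, expected):
    """Report, per category, where the DB's flags differ from what was asked for."""
    findings = []
    for nickname, want in expected.items():
        got = actual.get(nickname)
        if got is None:
            findings.append(f"{nickname}: missing from database")
            continue
        for cat, w, g in zip(CATEGORIES, want.split(","), got):
            extra, missing = set(g) - set(w), set(w) - set(g)
            if extra or missing:
                detail = f"{nickname} [{cat}]: expected '{w}', got '{g}'"
                if extra:
                    detail += "; extra " + ", ".join(
                        f"{f} ({TRUST_LETTERS[f]})" for f in sorted(extra))
                if missing:
                    detail += "; missing " + ", ".join(sorted(missing))
                findings.append(detail)
    return findings


# Flags I assume an IPA web server DB should carry: the HTTP service cert
# with its private key, and the IPA CA trusted for server and client issuance.
EXPECTED = {
    "Server-Cert": "u,u,u",
    "IPA.PEDONGROUP.COM IPA CA": "CT,C,C",
}

if __name__ == "__main__":
    certs = parse_listing(SAMPLE_LISTING)
    for nick, trust in certs.items():
        print(f"{nick}: {trust} private key: {private_key_present(trust)}")
    for finding in compare_trust(certs, EXPECTED):
        print("DIFF:", finding)
```

Run against the real database with `certutil -L -d /etc/httpd/alias | python3 this_script.py`-style piping by replacing SAMPLE_LISTING with sys.stdin.read(); on the sample it flags only Server-Cert's SSL category, where the stored flags carry the extra P (trusted peer) letter that the thread asks about.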