[Freeipa-users] My IPA installation doesn't work after upgrade
Morgan Marodin
morgan at marodin.it
Fri Nov 18 14:30:27 UTC 2016
It works!
Thanks for your support.
Anyway, I will try to update againt mod_nss package! :D
Bye!
2016-11-18 15:21 GMT+01:00 Morgan Marodin <morgan at marodin.it>:
> A little good news.
>
> Downgrading the *mod_nss* RPM package, and restoring the original
> */etc/httpd/alias* folder, *ipa-server-upgrade* procedure has finished
> well:
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *# ipa-server-upgradeUpgrading IPA: [1/10]: stopping directory server
> [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling
> DS global lock [5/10]: starting directory server [6/10]: updating schema
> [7/10]: upgrading server [8/10]: stopping directory server [9/10]:
> restoring configuration [10/10]: starting directory serverDone.Update
> completeUpgrading IPA servicesUpgrading the configuration of the IPA
> services[Verifying that root certificate is published][Migrate CRL publish
> directory]CRL tree already moved[Verifying that CA proxy configuration is
> correct][Verifying that KDC configuration is using ipa-kdb backend][Fix DS
> schema file syntax]Syntax already fixed[Removing RA cert from DS NSS
> database]RA cert already removed[Enable sidgen and extdom plugins by
> default][Updating HTTPD service IPA configuration][Updating mod_nss
> protocol versions]Protocol versions already updated[Updating mod_nss cipher
> suite][Fixing trust flags in /etc/httpd/alias]Trust flags already
> processed[Exporting KRA agent PEM file]KRA is not enabled[Removing
> self-signed CA][Removing Dogtag 9 CA][Checking for deprecated KDC
> configuration files][Checking for deprecated backups of Samba configuration
> files][Setting up Firefox extension][Add missing CA DNS records]IPA CA DNS
> records already processed[Removing deprecated DNS configuration
> options][Ensuring minimal number of connections][Enabling serial
> autoincrement in DNS][Updating GSSAPI configuration in DNS][Updating
> pid-file configuration in DNS][Checking global forwarding policy in
> named.conf to avoid conflicts with automatic empty zones]Global forward
> policy in named.conf will be changed to "only" to avoid conflicts with
> automatic empty zones[Adding server_id to named.conf]Changes to named.conf
> have been made, restart namedCustodia service is being
> configuredConfiguring ipa-custodia [1/5]: Generating ipa-custodia config
> file [2/5]: Making sure custodia container exists [3/5]: Generating
> ipa-custodia keys [4/5]: starting ipa-custodia [5/5]: configuring
> ipa-custodia to start on bootDone configuring ipa-custodia.[Upgrading CA
> schema]CA schema update complete[Verifying that CA audit signing cert has 2
> year validity][Update certmonger certificate renewal configuration to
> version 5]Configuring certmonger to stop tracking system certificates for
> CACertmonger certificate renewal configuration updated to version 5[Enable
> PKIX certificate path discovery and validation]PKIX already
> enabled[Authorizing RA Agent to modify profiles][Authorizing RA Agent to
> manage lightweight CAs][Ensuring Lightweight CAs container exists in Dogtag
> database][Adding default OCSP URI configuration]pki-tomcat configuration
> changed, restart pki-tomcat[Ensuring CA is using
> LDAPProfileSubsystem][Migrating certificate profiles to LDAP][Ensuring
> presence of included profiles][Add default CA ACL]Default CA ACL already
> added[Set up lightweight CA key retrieval]Creating principalRetrieving
> keytabCreating Custodia keysConfiguring key retrieverThe IPA services were
> upgradedThe ipa-server-upgrade command was successful*
>
> And Apache has started, BUT there is a problem with the web certificate:
>
>
>
>
> *# tail -f /var/log/httpd/error_log[Fri Nov 18 15:14:43.002268 2016]
> [:info] [pid 18673] Connection to child 2 established (server
> mlv-ipa01.ipa.mydomain.com:443 <http://mlv-ipa01.ipa.mydomain.com:443>,
> client 192.168.0.252)[Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673]
> SSL input filter read failed.[Fri Nov 18 15:14:43.207389 2016] [:error]
> [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key
> necessary for authentication[Fri Nov 18 15:14:43.207460 2016] [:info] [pid
> 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443
> <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.252)*
>
> How do you suggest to go on with my issue?
>
> Thanks, Morgan
>
> 2016-11-18 12:11 GMT+01:00 Morgan Marodin <morgan at marodin.it>:
>
>> I've tried to add it to a new test folder, with a new certificate
>> nickname, and then to replace it to *nss.conf*.
>>
>> But the problem persists:
>>
>> *# certutil -V -u V -d /etc/httpd/test -n ipa01certcertutil: certificate
>> is valid*
>>
>>
>> *# tail -f /var/log/httpd/error_log*
>>
>>
>>
>>
>>
>>
>>
>> *[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)[Fri Nov 18
>> 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is
>> deprecated. Ignoring.[Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552]
>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>> <http://mlv-ipa01.ipa.mydomain.com> -> ipa01cert[Fri Nov 18 12:09:39.824880
>> 2016] [:error] [pid 11552] The server key database has not been
>> initialized.[Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552]
>> Configuring server for SSL protocol...[Fri Nov 18 12:09:39.832676 2016]
>> [:info] [pid 11552] Using nickname ipa01cert.[Fri Nov 18 12:09:39.832678
>> 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'*
>>
>> I've found this guide:
>>
>>
>>
>>
>>
>>
>> *Combine the server cert and key into a single file# cp localhost.crt >
>> Server-Cert.txt# cat localhost.key >> Server-Cert.txtConvert the server
>> cert into a p12 file# openssl pkcs12 -export -in Server-Cert.txt -out
>> Server-Cert.p12 -name "Server-Cert"Now Import the Public and Private keys
>> into the database at the same time.#pk12util -i
>> /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert*
>>
>> Where is stored the key certificate file?
>>
>> Thanks, Morgan
>>
>>
>> 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>
>>> On 11/18/2016 10:04 AM, Morgan Marodin wrote:
>>>
>>>> Hi Florence.
>>>>
>>>> I've tried to configure the wrong certificate in nss.conf (/ipaCert/),
>>>> and with this Apache started.
>>>> So I think the problem is in the /Server-Cert/ stored in
>>>> //etc/httpd/alias/, even if all manul checks are ok.
>>>>
>>>> These are logs with the wrong certificate test:
>>>> /# tail -f /var/log/httpd/error_log/
>>>> /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232:
>>>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]
>>>> NSSSessionCacheTimeout is deprecated. Ignoring.
>>>> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com> -> ipaCert
>>>>
>>>> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server
>>>> for SSL protocol
>>>> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>>>> ciphers
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname
>>>> ipaCert.
>>>> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration
>>>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>>>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>>> as virtual name.
>>>> [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709]
>>>> AH01757: generating secret for digest authentication ...
>>>> [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid
>>>> 7709]
>>>> AH02282: No slotmem from mod_heartmonitor
>>>> [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709]
>>>> NSSSessionCacheTimeout is deprecated. Ignoring.
>>>> [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709]
>>>> nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com> -> ipaCert
>>>>
>>>> [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709]
>>>> AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
>>>> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
>>>> -- resuming normal operations
>>>> [Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094:
>>>> Command line: '/usr/sbin/httpd -D FOREGROUND'
>>>> [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]
>>>> proxy_util.c(1838): AH00924: worker ajp://localhost shared already
>>>> initialized
>>>> [Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717]
>>>> proxy_util.c(1880): AH00926: worker ajp://localhost local already
>>>> initialized
>>>> ...
>>>> [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]
>>>> proxy_util.c(1838): AH00924: worker
>>>> unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already
>>>> initialized
>>>> [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]
>>>> proxy_util.c(1880): AH00926: worker
>>>> unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already
>>>> initialized
>>>> [Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server
>>>> for SSL protocol
>>>> [Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>>>> ciphers
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717]
>>>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname
>>>> ipaCert.
>>>> [Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration
>>>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>>>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>>>
>>>> as virtual name.
>>>> [Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server
>>>> for SSL protocol
>>>> [Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>>>> ciphers
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718]
>>>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname
>>>> ipaCert.
>>>> [Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration
>>>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>>>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>>>
>>>> as virtual name.
>>>> [Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server
>>>> for SSL protocol
>>>> [Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>>>> ciphers
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720]
>>>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname
>>>> ipaCert.
>>>> [Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server
>>>> for SSL protocol
>>>> [Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>>>> ciphers
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716]
>>>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname
>>>> ipaCert.
>>>> [Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration
>>>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>>>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>>> as virtual name.
>>>> [Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration
>>>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>>>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>>>
>>>> as virtual name.
>>>> [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server
>>>> for SSL protocol
>>>> [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(916): Enabling DHE key exchange
>>>> [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL
>>>> ciphers
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(1140): Disable cipher: rsa_null_md5
>>>> ...
>>>> [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]
>>>> nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
>>>> [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname
>>>> ipaCert.
>>>> [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration
>>>> of certificate's CN and virtual name. The certificate CN has IPA RA. We
>>>> expected mlv-ipa01.ipa.mydomain.com <http://mlv-ipa01.ipa.mydomain.com>
>>>> as virtual name.
>>>> [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING:
>>>> session memcached servers not running
>>>> [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING:
>>>> session memcached servers not running
>>>> [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: ***
>>>> PROCESS START ***
>>>> [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: ***
>>>> PROCESS START ***
>>>> [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child
>>>> 1 established (server mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com>, client 192.168.0.239)
>>>> [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter
>>>> read failed.
>>>> [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error:
>>>> -12285 Unable to find the certificate or key necessary for
>>>> authentication
>>>> [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child
>>>> 1 closed (server mlv-ipa01.ipa.mydomain.com:443
>>>> <http://mlv-ipa01.ipa.mydomain.com:443>, client 192.168.0.239)
>>>> [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709]
>>>> AH00170: caught SIGWINCH, shutting down gracefully/
>>>>
>>>> Is possible to delete /Server-Cert/ from //etc/httpd/alias/ and reimport
>>>> it from the original certificates of /mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com>/?
>>>> Where are stored the original certificates?
>>>>
>>>> Hi Morgan,
>>>
>>> with ldapsearch you should be able to find the certificate:
>>> ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w
>>> password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain at IPADOMAIN
>>> ,cn=services,cn=accounts,dc=IPADOMAIN
>>>
>>> The cert will be stored in the field "usercertificate".
>>>
>>> HTH,
>>> Flo.
>>>
>>> Please let me know, thanks.
>>>> Bye, Morgan
>>>>
>>>> 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com
>>>> <mailto:flo at redhat.com>>:
>>>>
>>>>
>>>> On 11/17/2016 04:51 PM, Morgan Marodin wrote:
>>>>
>>>> Hi Rob.
>>>>
>>>> I've just tried to remove the group write to the *.db files, but
>>>> it's
>>>> not the problem.
>>>> /[root at mlv-ipa01 ~]# grep NSSNickname
>>>> /etc/httpd/conf.d/nss.conf
>>>> NSSNickname Server-Cert/
>>>>
>>>> I've tried to run manually /dirsrv.target/ and
>>>> /krb5kdc.service/, and it
>>>> works, services went up.
>>>> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
>>>> /winbind.service/, /kadmin.service/, /memcached.service/ and
>>>> /pki-tomcatd.target/.
>>>>
>>>> But if I try to start /httpd.service/:
>>>> /[root at mlv-ipa01 ~]# tail -f /var/log/messages
>>>> Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP
>>>> Server...
>>>> Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa :
>>>> INFO KDC
>>>> proxy enabled
>>>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main
>>>> process
>>>> exited, code=exited, status=1/FAILURE
>>>> Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
>>>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control
>>>> process
>>>> exited, code=exited status=1
>>>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache
>>>> HTTP
>>>> Server.
>>>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered
>>>> failed
>>>> state.
>>>> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./
>>>>
>>>> Any other ideas?
>>>>
>>>> Hi,
>>>>
>>>> - Does the NSS Db contain the private key for Server-Cert? If yes,
>>>> the command
>>>> $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
>>>> should display a line like this one:
>>>> < 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS
>>>> Certificate DB:Server-Cert
>>>>
>>>> - Is your system running with SElinux enforcing? If yes, you can
>>>> check if there were SElinux permission denials using
>>>> $ ausearch -m avc --start recent
>>>>
>>>> - If the certificate was expired, I believe you would see a
>>>> different message, but it doesn't hurt to check its validity
>>>> $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not
>>>> Before|Not After"
>>>>
>>>>
>>>> Flo.
>>>>
>>>>
>>>> Please let me know, thanks.
>>>> Morgan
>>>>
>>>> 2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>
>>>> <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>>:
>>>>
>>>>
>>>>
>>>> Morgan Marodin wrote:
>>>> > Hi Florence.
>>>> >
>>>> > Thanks for your support.
>>>> >
>>>> > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems
>>>> that all
>>>> > permissions and certificates are good:
>>>> > /[root at mlv-ipa01 ~]# ls -l /etc/httpd/alias/
>>>> > total 184
>>>> > -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc
>>>> > -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db
>>>> > -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig
>>>> > -rw-------. 1 root root 4833 Sep 4 2015 install.log
>>>> > -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db
>>>> > -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig
>>>> > lrwxrwxrwx 1 root root 24 Nov 17 10:24
>>>> libnssckbi.so ->
>>>> > /usr/lib64/libnssckbi.so
>>>> > -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt
>>>> > -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db
>>>> > -rw-r-----. 1 root apache 16384 Sep 4 2015
>>>> secmod.db.orig/
>>>>
>>>> Eventually you'll want to remove group write on the *.db
>>>> files.
>>>>
>>>> > And password validations seems ok, too:
>>>> > /[root at mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f
>>>> > /etc/httpd/alias/pwdfile.txt
>>>> good
>>>>
>>>> > Enabling mod-nss debug I can see these logs:
>>>> > /[root at mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
>>>> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid
>>>> 10660] AH01232:
>>>> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660]
>>>> > NSSSessionCacheTimeout is deprecated. Ignoring.
>>>> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com>
>>>> <http://mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com>>
>>>> > <http://mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com>
>>>>
>>>> <http://mlv-ipa01.ipa.mydomain.com
>>>> <http://mlv-ipa01.ipa.mydomain.com>>> -> Server-Cert
>>>> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660]
>>>> Configuring server
>>>> > for SSL protocol
>>>> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
>>>> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
>>>> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
>>>> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
>>>> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
>>>> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(906): Disabling TLS Session Tickets
>>>> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(916): Enabling DHE key exchange
>>>> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660]
>>>> > nss_engine_init.c(1077): NSSCipherSuite: Configuring
>>>> permitted SSL
>>>> > ciphers
>>>> >
>>>> [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_
>>>> sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sh
>>>> a_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_25
>>>> 6,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+
>>>> ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_
>>>> sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
>>>> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
>>>> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660]
>>>> Using nickname
>>>> > Server-Cert.
>>>> [snip]
>>>> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660]
>>>> Certificate not
>>>> > found: 'Server-Cert'
>>>>
>>>> Can you shows what this returns:
>>>>
>>>> # grep NSSNickname /etc/httpd/conf.d/nss.conf
>>>>
>>>> > Do you think there is a kerberos problem?
>>>>
>>>> It definitely is not.
>>>>
>>>> You can bring the system up in a minimal way by manually
>>>> starting the
>>>> dirsrv at EXAMPLE.COM <mailto:dirsrv at EXAMPLE.COM>
>>>> <mailto:dirsrv at EXAMPLE.COM <mailto:dirsrv at EXAMPLE.COM>> service
>>>>
>>>> and then
>>>> krb5kdc. This will at least let your
>>>> users authenticate. The management framework (GUI) runs
>>>> through Apache
>>>> so that will be down until we can get Apache started again.
>>>>
>>>> rob
>>>>
>>>> >
>>>> > Please let me know, thanks.
>>>> > Bye, Morgan
>>>> >
>>>> > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud
>>>> <flo at redhat.com <mailto:flo at redhat.com> <mailto:flo at redhat.com
>>>> <mailto:flo at redhat.com>>
>>>> > <mailto:flo at redhat.com <mailto:flo at redhat.com>
>>>> <mailto:flo at redhat.com <mailto:flo at redhat.com>>>>:
>>>>
>>>> >
>>>> > On 11/17/2016 12:09 PM, Morgan Marodin wrote:
>>>> >
>>>> > Hello.
>>>> >
>>>> > This morning I've tried to upgrade my IPA server,
>>>> but the
>>>> upgrade
>>>> > failed, and now the service doesn't start! :(
>>>> >
>>>> > If I try lo launch the upgrade manually this is
>>>> the output:
>>>> > /[root at mlv-ipa01 download]# ipa-server-upgrade
>>>> >
>>>> > Upgrading IPA:
>>>> > [1/8]: saving configuration
>>>> > [2/8]: disabling listeners
>>>> > [3/8]: enabling DS global lock
>>>> > [4/8]: starting directory server
>>>> > [5/8]: updating schema
>>>> > [6/8]: upgrading server
>>>> > [7/8]: stopping directory server
>>>> > [8/8]: restoring configuration
>>>> > Done.
>>>> > Update complete
>>>> > Upgrading IPA services
>>>> > Upgrading the configuration of the IPA services
>>>> > [Verifying that root certificate is published]
>>>> > [Migrate CRL publish directory]
>>>> > CRL tree already moved
>>>> > [Verifying that CA proxy configuration is correct]
>>>> > [Verifying that KDC configuration is using ipa-kdb
>>>> backend]
>>>> > [Fix DS schema file syntax]
>>>> > Syntax already fixed
>>>> > [Removing RA cert from DS NSS database]
>>>> > RA cert already removed
>>>> > [Enable sidgen and extdom plugins by default]
>>>> > [Updating HTTPD service IPA configuration]
>>>> > [Updating mod_nss protocol versions]
>>>> > Protocol versions already updated
>>>> > [Updating mod_nss cipher suite]
>>>> > [Fixing trust flags in /etc/httpd/alias]
>>>> > Trust flags already processed
>>>> > [Exporting KRA agent PEM file]
>>>> > KRA is not enabled
>>>> > IPA server upgrade failed: Inspect
>>>> /var/log/ipaupgrade.log
>>>> and run
>>>> > command ipa-server-upgrade manually.
>>>> > Unexpected error - see /var/log/ipaupgrade.log for
>>>> details:
>>>> > CalledProcessError: Command '/bin/systemctl start
>>>> httpd.service'
>>>> > returned non-zero exit status 1
>>>> > The ipa-server-upgrade command failed. See
>>>> > /var/log/ipaupgrade.log for
>>>> > more information/
>>>> >
>>>> > These are error logs of Apache:
>>>> > /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice]
>>>> [pid 5664]
>>>> > AH01232:
>>>> > suEXEC mechanism enabled (wrapper:
>>>> /usr/sbin/suexec)
>>>> > [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid
>>>> 5664]
>>>> > NSSSessionCacheTimeout is deprecated. Ignoring.
>>>> > [Thu Nov 17 11:48:45.830910 2016] [:error] [pid
>>>> 5664]
>>>> > Certificate not
>>>> > found: 'Server-Cert'/
>>>> >
>>>> > The problem seems to be the /Server-Cert /that
>>>> could not
>>>> be found.
>>>> > But if I try to execute the certutil command
>>>> manually I
>>>> can see it:/
>>>> > [root at mlv-ipa01 log]# certutil -L -d
>>>> /etc/httpd/alias/
>>>> > Certificate Nickname
>>>> Trust
>>>> > Attributes
>>>> >
>>>> > SSL,S/MIME,JAR/XPI
>>>> > Signing-Cert
>>>> u,u,u
>>>> > ipaCert
>>>> u,u,u
>>>> > Server-Cert
>>>> Pu,u,u
>>>> > IPA.MYDOMAIN.COM <http://IPA.MYDOMAIN.COM>
>>>> <http://IPA.MYDOMAIN.COM>
>>>> <http://IPA.MYDOMAIN.COM>
>>>> > <http://IPA.MYDOMAIN.COM> IPA
>>>> > CA CT,C,C/
>>>> >
>>>> > Could you help me?
>>>> > What could I try to do to restart my service?
>>>> >
>>>> > Hi,
>>>> >
>>>> > I would first make sure that httpd is using
>>>> /etc/httpd/alias
>>>> as NSS
>>>> > DB (check the directive NSSCertificateDatabase in
>>>> > /etc/httpd/conf.d/nss.conf).
>>>> > Then it may be a file permission issue: the NSS DB
>>>> should
>>>> belong to
>>>> > root:apache (the relevant files are cert8.db, key3.db
>>>> and
>>>> secmod.db).
>>>> > You should also find a pwdfile.txt in the same
>>>> directory,
>>>> containing
>>>> > the NSS DB password. Check that the password is valid
>>>> using
>>>> > certutil -K -d /etc/httpd/alias/ -f
>>>> /etc/httpd/alias/pwdfile.txt
>>>> > (if the command succeeds then the password in pwdfile
>>>> is OK).
>>>> >
>>>> > You can also enable mod-nss debug in
>>>> /etc/httpd/conf/nss.conf by
>>>> > setting "LogLevel debug", and check the output in
>>>> > /var/log/httpd/error_log.
>>>> >
>>>> > HTH,
>>>> > Flo.
>>>> >
>>>> > Thanks, Morgan
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Manage your subscription for the Freeipa-users mailing
>>>> list:
>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>>>> <https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> <https://www.redhat.com/mailman/listinfo/freeipa-users>>
>>>> > <https://www.redhat.com/mailm
>>>> an/listinfo/freeipa-users
>>>> <https://www.redhat.com/mailman/listinfo/freeipa-users>
>>>> <https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> <https://www.redhat.com/mailman/listinfo/freeipa-users>>>
>>>> > Go to http://freeipa.org for more info on the project
>>>> >
>>>> >
>>>>
>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161118/94eb1454/attachment.htm>
More information about the Freeipa-users
mailing list