[Freeipa-users] My IPA installation doesn't work after upgrade
Morgan Marodin
morgan at marodin.it
Fri Nov 18 16:44:46 UTC 2016
Ok, I did a manual copy of the folder yesterday, before testing with the
*certutil* binary.
The working *mod_nss* RPM is version 1.0.11-6.el7.x86_64.
The bad one is version 1.0.14-7.el7.
Bye
2016-11-18 16:51 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Morgan Marodin wrote:
> > What do you mean with backup database?
> >
> > Updating again the mod_nss RPM, Apache doesn't start ... so, this is the
> > problem.
>
> You said "and restoring the original /etc/httpd/alias/ folder". Original
> from what, where did that come from?
>
> So merely updating mod_nss breaks things? Strange. What is the working
> version? rpm -q mod_nss
>
> rob
>
> >
> > 2016-11-18 15:43 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> >
> > Morgan Marodin wrote:
> > > It works!
> > > Thanks for your support.
> > >
> > > Anyway, I will try to update the mod_nss package again! :D
> >
> > Glad it's working for you. I'm curious what the backup database was for.
> > Did you create that?
> >
> > rob
> >
> > > Bye!
> > >
> > >
> > > 2016-11-18 15:21 GMT+01:00 Morgan Marodin <morgan at marodin.it>:
> > >
> > > A little good news.
> > >
> > > Downgrading the /mod_nss/ RPM package and restoring the original
> > > //etc/httpd/alias/ folder, the /ipa-server-upgrade/ procedure has
> > > finished well:
> > > /# ipa-server-upgrade
> > > Upgrading IPA:
> > > [1/10]: stopping directory server
> > > [2/10]: saving configuration
> > > [3/10]: disabling listeners
> > > [4/10]: enabling DS global lock
> > > [5/10]: starting directory server
> > > [6/10]: updating schema
> > > [7/10]: upgrading server
> > > [8/10]: stopping directory server
> > > [9/10]: restoring configuration
> > > [10/10]: starting directory server
> > > Done.
> > > Update complete
> > > Upgrading IPA services
> > > Upgrading the configuration of the IPA services
> > > [Verifying that root certificate is published]
> > > [Migrate CRL publish directory]
> > > CRL tree already moved
> > > [Verifying that CA proxy configuration is correct]
> > > [Verifying that KDC configuration is using ipa-kdb backend]
> > > [Fix DS schema file syntax]
> > > Syntax already fixed
> > > [Removing RA cert from DS NSS database]
> > > RA cert already removed
> > > [Enable sidgen and extdom plugins by default]
> > > [Updating HTTPD service IPA configuration]
> > > [Updating mod_nss protocol versions]
> > > Protocol versions already updated
> > > [Updating mod_nss cipher suite]
> > > [Fixing trust flags in /etc/httpd/alias]
> > > Trust flags already processed
> > > [Exporting KRA agent PEM file]
> > > KRA is not enabled
> > > [Removing self-signed CA]
> > > [Removing Dogtag 9 CA]
> > > [Checking for deprecated KDC configuration files]
> > > [Checking for deprecated backups of Samba configuration files]
> > > [Setting up Firefox extension]
> > > [Add missing CA DNS records]
> > > IPA CA DNS records already processed
> > > [Removing deprecated DNS configuration options]
> > > [Ensuring minimal number of connections]
> > > [Enabling serial autoincrement in DNS]
> > > [Updating GSSAPI configuration in DNS]
> > > [Updating pid-file configuration in DNS]
> > > [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
> > > Global forward policy in named.conf will be changed to "only" to avoid conflicts with automatic empty zones
> > > [Adding server_id to named.conf]
> > > Changes to named.conf have been made, restart named
> > > Custodia service is being configured
> > > Configuring ipa-custodia
> > > [1/5]: Generating ipa-custodia config file
> > > [2/5]: Making sure custodia container exists
> > > [3/5]: Generating ipa-custodia keys
> > > [4/5]: starting ipa-custodia
> > > [5/5]: configuring ipa-custodia to start on boot
> > > Done configuring ipa-custodia.
> > > [Upgrading CA schema]
> > > CA schema update complete
> > > [Verifying that CA audit signing cert has 2 year validity]
> > > [Update certmonger certificate renewal configuration to version 5]
> > > Configuring certmonger to stop tracking system certificates for CA
> > > Certmonger certificate renewal configuration updated to version 5
> > > [Enable PKIX certificate path discovery and validation]
> > > PKIX already enabled
> > > [Authorizing RA Agent to modify profiles]
> > > [Authorizing RA Agent to manage lightweight CAs]
> > > [Ensuring Lightweight CAs container exists in Dogtag database]
> > > [Adding default OCSP URI configuration]
> > > pki-tomcat configuration changed, restart pki-tomcat
> > > [Ensuring CA is using LDAPProfileSubsystem]
> > > [Migrating certificate profiles to LDAP]
> > > [Ensuring presence of included profiles]
> > > [Add default CA ACL]
> > > Default CA ACL already added
> > > [Set up lightweight CA key retrieval]
> > > Creating principal
> > > Retrieving keytab
> > > Creating Custodia keys
> > > Configuring key retriever
> > > The IPA services were upgraded
> > > The ipa-server-upgrade command was successful/
> > >
> > > And Apache has started, BUT there is a problem with the web certificate:
> > > /# tail -f /var/log/httpd/error_log
> > > [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)
> > > [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.
> > > [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> > > [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)/
> > >
> > > How do you suggest to go on with my issue?
> > >
> > > Thanks, Morgan
> > >
> > > 2016-11-18 12:11 GMT+01:00 Morgan Marodin <morgan at marodin.it>:
> > >
> > > I've tried to add it to a new test folder, with a new certificate
> > > nickname, and then to replace it in /nss.conf/.
> > >
> > > But the problem persists:
> > > /# certutil -V -u V -d /etc/httpd/test -n ipa01cert
> > > certutil: certificate is valid/
> > >
> > > /# tail -f /var/log/httpd/error_log
> > > [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert
> > > [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.
> > > [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol
> > > ...
> > > [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.
> > > [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'/
> > >
> > > I've found this guide:
> > > /Combine the server cert and key into a single file
> > > # cat localhost.crt > Server-Cert.txt
> > > # cat localhost.key >> Server-Cert.txt
> > > Convert the server cert into a p12 file
> > > # openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"
> > > Now import the public and private keys into the database at the same time.
> > > # pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert/
> > >
> > > Where is the key certificate file stored?
> > >
> > > Thanks, Morgan
> > >
> > >
> > > 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> > >
> > > On 11/18/2016 10:04 AM, Morgan Marodin wrote:
> > >
> > > Hi Florence.
> > >
> > > I've tried to configure the wrong certificate in nss.conf (/ipaCert/),
> > > and with this Apache started.
> > > So I think the problem is in the /Server-Cert/ stored in
> > > //etc/httpd/alias/, even if all manual checks are ok.
> > >
> > > These are logs with the wrong certificate test:
> > > /# tail -f /var/log/httpd/error_log/
> > > /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
> > > [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709] Configuring server for SSL protocol
> > > [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709] nss_engine_init.c(916): Enabling DHE key exchange
> > > [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > ...
> > > [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709] Using nickname ipaCert.
> > > [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > [Fri Nov 18 09:34:33.028056 2016] [auth_digest:notice] [pid 7709] AH01757: generating secret for digest authentication ...
> > > [Fri Nov 18 09:34:33.030039 2016] [lbmethod_heartbeat:notice] [pid 7709] AH02282: No slotmem from mod_heartmonitor
> > > [Fri Nov 18 09:34:33.030122 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > [Fri Nov 18 09:34:33.030176 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert
> > > [Fri Nov 18 09:34:33.051481 2016] [mpm_prefork:notice] [pid 7709] AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
> > > [Fri Nov 18 09:34:33.051551 2016] [core:notice] [pid 7709] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
> > > [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717] proxy_util.c(1838): AH00924: worker ajp://localhost shared already initialized
> > > [Fri Nov 18 09:34:33.096163 2016] [proxy:debug] [pid 7717] proxy_util.c(1880): AH00926: worker ajp://localhost local already initialized
> > > ...
> > > [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719] proxy_util.c(1838): AH00924: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ shared already initialized
> > > [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719] proxy_util.c(1880): AH00926: worker unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/ local already initialized
> > > [Fri Nov 18 09:34:33.342762 2016] [:info] [pid 7717] Configuring server for SSL protocol
> > > [Fri Nov 18 09:34:33.342867 2016] [:debug] [pid 7717] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > [Fri Nov 18 09:34:33.342880 2016] [:debug] [pid 7717] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > [Fri Nov 18 09:34:33.342885 2016] [:debug] [pid 7717] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > [Fri Nov 18 09:34:33.342890 2016] [:debug] [pid 7717] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > [Fri Nov 18 09:34:33.342894 2016] [:debug] [pid 7717] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > [Fri Nov 18 09:34:33.342900 2016] [:debug] [pid 7717] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > [Fri Nov 18 09:34:33.342904 2016] [:debug] [pid 7717] nss_engine_init.c(916): Enabling DHE key exchange
> > > [Fri Nov 18 09:34:33.342917 2016] [:debug] [pid 7717] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > [Fri Nov 18 09:34:33.342970 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > ...
> > > [Fri Nov 18 09:34:33.343233 2016] [:debug] [pid 7717] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > [Fri Nov 18 09:34:33.343237 2016] [:info] [pid 7717] Using nickname ipaCert.
> > > [Fri Nov 18 09:34:33.344533 2016] [:error] [pid 7717] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > [Fri Nov 18 09:34:33.364061 2016] [:info] [pid 7718] Configuring server for SSL protocol
> > > [Fri Nov 18 09:34:33.364156 2016] [:debug] [pid 7718] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > [Fri Nov 18 09:34:33.364167 2016] [:debug] [pid 7718] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > [Fri Nov 18 09:34:33.364172 2016] [:debug] [pid 7718] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > [Fri Nov 18 09:34:33.364176 2016] [:debug] [pid 7718] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > [Fri Nov 18 09:34:33.364180 2016] [:debug] [pid 7718] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > [Fri Nov 18 09:34:33.364187 2016] [:debug] [pid 7718] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > [Fri Nov 18 09:34:33.364191 2016] [:debug] [pid 7718] nss_engine_init.c(916): Enabling DHE key exchange
> > > [Fri Nov 18 09:34:33.364202 2016] [:debug] [pid 7718] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > [Fri Nov 18 09:34:33.364240 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > ...
> > > [Fri Nov 18 09:34:33.364611 2016] [:debug] [pid 7718] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > [Fri Nov 18 09:34:33.364625 2016] [:info] [pid 7718] Using nickname ipaCert.
> > > [Fri Nov 18 09:34:33.365549 2016] [:error] [pid 7718] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > [Fri Nov 18 09:34:33.369972 2016] [:info] [pid 7720] Configuring server for SSL protocol
> > > [Fri Nov 18 09:34:33.370200 2016] [:debug] [pid 7720] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > [Fri Nov 18 09:34:33.370224 2016] [:debug] [pid 7720] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > [Fri Nov 18 09:34:33.370239 2016] [:debug] [pid 7720] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > [Fri Nov 18 09:34:33.370255 2016] [:debug] [pid 7720] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > [Fri Nov 18 09:34:33.370269 2016] [:debug] [pid 7720] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > [Fri Nov 18 09:34:33.370286 2016] [:debug] [pid 7720] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > [Fri Nov 18 09:34:33.370301 2016] [:debug] [pid 7720] nss_engine_init.c(916): Enabling DHE key exchange
> > > [Fri Nov 18 09:34:33.370322 2016] [:debug] [pid 7720] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > [Fri Nov 18 09:34:33.370383 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > ...
> > > [Fri Nov 18 09:34:33.371418 2016] [:debug] [pid 7720] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > [Fri Nov 18 09:34:33.371437 2016] [:info] [pid 7720] Using nickname ipaCert.
> > > [Fri Nov 18 09:34:33.371486 2016] [:info] [pid 7716] Configuring server for SSL protocol
> > > [Fri Nov 18 09:34:33.372383 2016] [:debug] [pid 7716] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > [Fri Nov 18 09:34:33.372439 2016] [:debug] [pid 7716] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > [Fri Nov 18 09:34:33.372459 2016] [:debug] [pid 7716] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > [Fri Nov 18 09:34:33.372484 2016] [:debug] [pid 7716] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > [Fri Nov 18 09:34:33.372513 2016] [:debug] [pid 7716] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > [Fri Nov 18 09:34:33.372534 2016] [:debug] [pid 7716] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > [Fri Nov 18 09:34:33.372553 2016] [:debug] [pid 7716] nss_engine_init.c(916): Enabling DHE key exchange
> > > [Fri Nov 18 09:34:33.372580 2016] [:debug] [pid 7716] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > [Fri Nov 18 09:34:33.372627 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > ...
> > > [Fri Nov 18 09:34:33.373712 2016] [:debug] [pid 7716] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > [Fri Nov 18 09:34:33.373734 2016] [:info] [pid 7716] Using nickname ipaCert.
> > > [Fri Nov 18 09:34:33.374652 2016] [:error] [pid 7716] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > [Fri Nov 18 09:34:33.372295 2016] [:error] [pid 7720] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719] Configuring server for SSL protocol
> > > [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719] nss_engine_init.c(916): Enabling DHE key exchange
> > > [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Disable cipher: rsa_null_md5
> > > ...
> > > [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256
> > > [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.
> > > [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name. The certificate CN has IPA RA. We expected mlv-ipa01.ipa.mydomain.com as virtual name.
> > > [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running
> > > [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running
> > > [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***
> > > [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***
> > > [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)
> > > [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.
> > > [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication
> > > [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)
> > > [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully/
> > >
> > > Is it possible to delete /Server-Cert/ from //etc/httpd/alias/ and
> > > reimport it from the original certificates of
> > > /mlv-ipa01.ipa.mydomain.com/?
> > > Where are the original certificates stored?
> > >
> > > Hi Morgan,
> > >
> > > with ldapsearch you should be able to find the certificate:
> > > ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b krbprincipalname=HTTP/ipaserver.ipadomain at IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN
> > >
> > > The cert will be stored in the field "usercertificate".
> > >
> > > HTH,
> > > Flo.
> > >
> > > Please let me know, thanks.
> > > Bye, Morgan
> > >
> > > 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> > >
> > >
> > > On 11/17/2016 04:51 PM, Morgan Marodin wrote:
> > >
> > > Hi Rob.
> > >
> > > I've just tried to remove the group write to the *.db files, but it's
> > > not the problem.
> > > /[root at mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> > > NSSNickname Server-Cert/
> > >
> > > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> > > works, services went up.
> > > The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> > > /winbind.service/, /kadmin.service/, /memcached.service/ and
> > > /pki-tomcatd.target/.
> > >
> > > But if I try to start /httpd.service/:
> > > /[root at mlv-ipa01 ~]# tail -f /var/log/messages
> > > Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...
> > > Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
> > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
> > > Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""
> > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1
> > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.
> > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.
> > > Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./
> > >
> > > Any other ideas?
> > >
> > > Hi,
> > >
> > > - Does the NSS Db contain the private key for Server-Cert? If yes, the command
> > > $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> > > should display a line like this one:
> > > < 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate DB:Server-Cert
> > >
> > > - Is your system running with SElinux enforcing? If yes, you can check if there were SElinux permission denials using
> > > $ ausearch -m avc --start recent
> > >
> > > - If the certificate was expired, I believe you would see a different message, but it doesn't hurt to check its validity
> > > $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
> > >
> > > Flo.
> > >
> > > Please let me know, thanks.
> > > Morgan
> > >
> > > 2016-11-17 16:11 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> > >
> > > Morgan Marodin wrote:
> > > > Hi Florence.
> > > >
> > > > Thanks for your support.
> > > >
> > > > Yes, httpd is using /etc/httpd/alias as NSS DB. And it seems that all permissions and certificates are good:
> > > > [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/
> > > > total 184
> > > > -r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
> > > > -rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
> > > > -rw-r-----. 1 root apache 65536 Sep  4  2015 cert8.db.orig
> > > > -rw-------. 1 root root    4833 Sep  4  2015 install.log
> > > > -rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
> > > > -rw-r-----. 1 root apache 16384 Sep  4  2015 key3.db.orig
> > > > lrwxrwxrwx  1 root root      24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so
> > > > -rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
> > > > -rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
> > > > -rw-r-----. 1 root apache 16384 Sep  4  2015 secmod.db.orig
> > >
> > > Eventually you'll want to remove group write on the *.db files.
> > >
> > > > And password validation seems ok, too:
> > > > [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> > > good
> > >
> > > > Enabling mod-nss debug I can see these logs:
> > > > [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log
> > > > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert
> > > > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol
> > > > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0
> > > > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1
> > > > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2
> > > > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)
> > > > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)
> > > > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets
> > > > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange
> > > > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]
> > > > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]
> > > > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.
> > > [snip]
> > > > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'
> > >
> > > Can you show what this returns:
> > >
> > > # grep NSSNickname /etc/httpd/conf.d/nss.conf
> > >
> > > > Do you think there is a kerberos problem?
> > >
> > > It definitely is not.
> > >
> > > You can bring the system up in a minimal way by manually starting the dirsrv@EXAMPLE.COM service and then krb5kdc. This will at least let your users authenticate. The management framework (GUI) runs through Apache so that will be down until we can get Apache started again.
> > >
> > > rob
> > >
> > > >
> > > > Please let me know, thanks.
> > > > Bye, Morgan
> > > >
> > > > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
> > >
> > > >
> > > > On 11/17/2016 12:09 PM, Morgan Marodin wrote:
> > > >
> > > > Hello.
> > > >
> > > > This morning I've tried to upgrade my IPA server, but the upgrade failed, and now the service doesn't start! :(
> > > >
> > > > If I try to launch the upgrade manually this is the output:
> > > > [root@mlv-ipa01 download]# ipa-server-upgrade
> > > >
> > > > Upgrading IPA:
> > > > [1/8]: saving configuration
> > > > [2/8]: disabling listeners
> > > > [3/8]: enabling DS global lock
> > > > [4/8]: starting directory server
> > > > [5/8]: updating schema
> > > > [6/8]: upgrading server
> > > > [7/8]: stopping directory server
> > > > [8/8]: restoring configuration
> > > > Done.
> > > > Update complete
> > > > Upgrading IPA services
> > > > Upgrading the configuration of the IPA services
> > > > [Verifying that root certificate is published]
> > > > [Migrate CRL publish directory]
> > > > CRL tree already moved
> > > > [Verifying that CA proxy configuration is correct]
> > > > [Verifying that KDC configuration is using ipa-kdb backend]
> > > > [Fix DS schema file syntax]
> > > > Syntax already fixed
> > > > [Removing RA cert from DS NSS database]
> > > > RA cert already removed
> > > > [Enable sidgen and extdom plugins by default]
> > > > [Updating HTTPD service IPA configuration]
> > > > [Updating mod_nss protocol versions]
> > > > Protocol versions already updated
> > > > [Updating mod_nss cipher suite]
> > > > [Fixing trust flags in /etc/httpd/alias]
> > > > Trust flags already processed
> > > > [Exporting KRA agent PEM file]
> > > > KRA is not enabled
> > > > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> > > > Unexpected error - see /var/log/ipaupgrade.log for details:
> > > > CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
> > > > The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> > > >
> > > > These are error logs of Apache:
> > > > [Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > > > [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
> > > > [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'
> > > >
> > > > The problem seems to be the Server-Cert that could not be found.
> > > > But if I try to execute the certutil command manually I can see it:
> > > > [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
> > > >
> > > > Certificate Nickname                                         Trust Attributes
> > > >                                                              SSL,S/MIME,JAR/XPI
> > > >
> > > > Signing-Cert                                                 u,u,u
> > > > ipaCert                                                      u,u,u
> > > > Server-Cert                                                  Pu,u,u
> > > > IPA.MYDOMAIN.COM IPA CA                                      CT,C,C
> > > >
> > > > Could you help me?
> > > > What could I try to do to restart my service?
> > > >
> > > > Hi,
> > > >
> > > > I would first make sure that httpd is using /etc/httpd/alias as NSS DB (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
> > > > Then it may be a file permission issue: the NSS DB should belong to root:apache (the relevant files are cert8.db, key3.db and secmod.db).
> > > > You should also find a pwdfile.txt in the same directory, containing the NSS DB password. Check that the password is valid using
> > > > certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> > > > (if the command succeeds then the password in pwdfile is OK).
> > > >
> > > > You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting "LogLevel debug", and check the output in /var/log/httpd/error_log.
> > > >
> > > > HTH,
> > > > Flo.
> > > >
> > > > Thanks, Morgan
> > > >
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project
> > > >
> > >
> >
>
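The thread's diagnosis boils down to a handful of checks on the httpd NSS database: the nickname in nss.conf must exist in the DB with its private key, the DB files should be root:apache without group write, the pwdfile password must open the DB, and the certificate must be within its validity period. The script below is an added example (not FreeIPA code, and not posted by anyone on the thread) that applies those checks offline to captured command output rather than calling certutil itself. All sample strings are constructed to mirror the thread; the validity dates, the shortened `ls -l` listing and the function names are assumptions, and the SELinux and pwdfile checks (ausearch, certutil -K) are not modelled because they need a live system.

```python
"""Offline checks for mod_nss's "Certificate not found: 'Server-Cert'" failure.
Added example, not FreeIPA code: it parses captured output of the commands the
thread uses (grep NSSNickname, ls -l /etc/httpd/alias, certutil -L, and
certutil -L -n NICK) instead of running them. Sample inputs are constructed."""
import re
from datetime import datetime, timezone

# Constructed sample inputs mirroring the thread (not captured from a live server).
NSS_CONF = """\
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
"""
LS_OUTPUT = """\
total 184
-r--r--r--  1 root root    1345 Sep  7  2015 cacert.asc
-rw-rw----  1 root apache 65536 Nov 17 11:06 cert8.db
-rw-rw----  1 root apache 16384 Nov 17 11:06 key3.db
-rw-rw----  1 root apache    20 Sep  7  2015 pwdfile.txt
-rw-rw----  1 root apache 16384 Sep  7  2015 secmod.db
"""
CERTUTIL_LIST = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

ipaCert                                      u,u,u
Server-Cert                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                      CT,C,C
"""
# Validity block as printed by `certutil -L -d <db> -n Server-Cert`; dates are placeholders.
CERTUTIL_VALIDITY = """\
        Validity:
            Not Before: Fri Sep 04 10:00:00 2015
            Not After : Sun Sep 03 10:00:00 2017
"""
THREAD_DATE = datetime(2016, 11, 17, tzinfo=timezone.utc)   # "now" for the validity check
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")  # certutil trust-flag triple


def parse_nss_conf(text):
    """Return the NSSCertificateDatabase and NSSNickname directives found in nss.conf."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(NSSCertificateDatabase|NSSNickname)\s+(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_certutil_list(text):
    """Map nickname -> trust flags from `certutil -L`. Nicknames may contain
    spaces, so the split is on the last run of 2+ spaces, and a line only
    counts when its last column looks like a trust-flag triple."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s{2,}(\S+)\s*$", line)
        if m and TRUST_RE.match(m.group(2)):
            certs[m.group(1).strip()] = m.group(2)
    return certs


def parse_ls(text):
    """Map file name -> (mode, owner, group) from `ls -l`; the trailing '.'
    that ls appends to the mode for an SELinux context is dropped."""
    files = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0][0] in "-ld":
            files[parts[8]] = (parts[0].rstrip("."), parts[2], parts[3])
    return files


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from certutil's Validity block."""
    nb = re.search(r"Not Before:\s*(.+)", text).group(1).strip()
    na = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    to_dt = lambda s: datetime.strptime(s, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return to_dt(nb), to_dt(na)


def check_http_nss(nss_conf, ls_output, certutil_list, validity, now):
    """Apply the thread's checks; returns a list of findings (empty means all good)."""
    findings = []
    conf = parse_nss_conf(nss_conf)
    db, nick = conf.get("NSSCertificateDatabase"), conf.get("NSSNickname")
    if db != "/etc/httpd/alias":
        findings.append(f"NSSCertificateDatabase is {db!r}, expected /etc/httpd/alias")
    if not nick:
        findings.append("NSSNickname is not set in nss.conf")
    files = parse_ls(ls_output)
    for name in NSS_DB_FILES:
        if name not in files:
            findings.append(f"{name} is missing from the NSS DB directory")
            continue
        mode, owner, group = files[name]
        if (owner, group) != ("root", "apache"):
            findings.append(f"{name} is owned by {owner}:{group}, expected root:apache")
        if mode[5] == "w":   # index 5 is the group write bit in "-rwxrwxrwx"
            findings.append(f"{name} is group-writable ({mode}); remove group write")
    certs = parse_certutil_list(certutil_list)
    if nick and nick not in certs:
        findings.append(f"nickname {nick!r} is not present in the NSS DB")
    elif nick and "u" not in certs[nick].split(",")[0]:
        # 'u' in the SSL column marks a user cert, i.e. the DB holds its private key
        findings.append(f"{nick} has no private key in the DB (trust flags {certs[nick]})")
    not_before, not_after = parse_validity(validity)
    if not (not_before <= now <= not_after):
        findings.append(f"{nick} is outside its validity window ({not_before:%F} to {not_after:%F})")
    return findings


def thread_findings():
    """The checks applied to the constructed inputs as of the thread's date."""
    return check_http_nss(NSS_CONF, LS_OUTPUT, CERTUTIL_LIST, CERTUTIL_VALIDITY, THREAD_DATE)


if __name__ == "__main__":
    for finding in thread_findings():
        print("FINDING:", finding)
```

On the constructed inputs the only findings are the group-writable DB files that Rob flagged; the nickname, its private-key flag and the validity window all pass, which matches the thread's observation that the "Certificate not found" error was not explained by the NSS DB contents alone and ultimately came down to the mod_nss package version. Swapping in output from a real `/etc/httpd/alias` makes the same checks reusable after any future upgrade.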