<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I'll put the results inline here, since they're short.<br>
<br>
<font face="Courier New, Courier, monospace">[root@zsipa log]# ls
-laZ /etc/httpd/<br>
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .<br>
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..<br>
drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias<br>
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf<br>
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d<br>
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0
conf.modules.d<br>
lrwxrwxrwx root root ? logs ->
../../var/log/httpd<br>
lrwxrwxrwx root root ? modules
-> ../../usr/lib64/httpd/modules<br>
lrwxrwxrwx root root ? run ->
/run/httpd<br>
[root@zsipa log]# ls -laZ /etc/httpd/alias<br>
drwxr-xr-x. root root system_u:object_r:cert_t:s0 .<br>
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..<br>
-r--r--r-- root root ?
cacert.asc<br>
-r--r--r-- root root ?
cacert.asc.orig<br>
-rw-r----- root root ? cert8.db<br>
-rw-rw---- root apache ?
cert8.db.20160426<br>
-rw-rw---- root apache ?
cert8.db.orig<br>
-rw-------. root root system_u:object_r:cert_t:s0
install.log<br>
-rw-r----- root root ? key3.db<br>
-rw-rw---- root apache ?
key3.db.20160426<br>
-rw-rw---- root apache ?
key3.db.orig<br>
lrwxrwxrwx root root ?
libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so<br>
-rw-rw---- root apache ?
pwdfile.txt<br>
-rw-rw---- root apache ?
pwdfile.txt.orig<br>
-rw-rw---- root apache ? secmod.db<br>
-rw-rw---- root apache ?
secmod.db.orig<br>
[root@zsipa log]# certutil -L -d /etc/httpd/alias<br>
<br>
Certificate Nickname Trust
Attributes<br>
SSL,S/MIME,JAR/XPI<br>
<br>
Signing-Cert u,u,u<br>
Server-Cert u,u,u<br>
ipaCert u,u,u<br>
PRIVATE.NET IPA CA
CT,C,C<br>
PRIVATE.NET IPA CA
CT,C,C<br>
[root@zsipa log]# <br>
</font><br>
<br>
<div class="moz-cite-prefix">On 04/29/2016 11:02 AM, Christian
Heimes wrote:<br>
</div>
<blockquote
cite="mid:49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com"
type="cite">
<pre wrap="">On 2016-04-29 16:51, Bret Wortman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">It is contacting the correct machine. I tried again by IP with the same
results.
/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
Web UI won't load. CLI won't respond either. Commands just hang.
# netstat -ln | grep 443
tcp6 0 0 :::8443 :::* LISTEN
tcp6 2 0 :::443 :::* LISTEN
# netstat -ln | grep 8009
tcp6 0 0 127.0.0.1:8009 :::* LISTEN
# curl -v <a class="moz-txt-link-freetext" href="https://zsipa.private.net:443/ca/admin/ca/getStatus">https://zsipa.private.net:443/ca/admin/ca/getStatus</a>
* Hostname was NOT found in DNS cache
* Trying 192.168.208.53...
* Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
(long hang at this point, so I ^C-ed)
# openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
verify depth is 10
CONNECTED(00000003)
(long hang at this point, aborted again)
For the other (longer) logs, see <a class="moz-txt-link-freetext" href="http://pastebin.com/esBBKyGZ">http://pastebin.com/esBBKyGZ</a>
Also, answering Christian's questions:
mod_ssl has not been installed.
# ss -tpln | grep 443
LISTEN 0 100 :::8443 :::* users:(("java",pid=26522,fd=84))
LISTEN 13 128 :::443 :::* users:(("httpd",pid=26323,fd=6))
#
</pre>
</blockquote>
<pre wrap="">
The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's
Tomcat instance.
The error log of Apache is more troublesome. It looks like your NSSDB is
busted:
[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)
Please run these commands to show us the content of your NSSDB.
# ls -laZ /etc/httpd/
# ls -laZ /etc/httpd/alias
# certutil -L -d /etc/httpd/alias
Christian
</pre>
</blockquote>
<br>
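Added example (not part of either message, and not FreeIPA or mod_nss code): a small Python check over a listing in the ls -laZ layout shown above. It reports regular files listed with no SELinux context and NSS database files that a given account cannot read. The account name apache, the choice of cert8.db, key3.db and secmod.db as the files to check, and the sample lines (copied from the listing above with wrapped lines rejoined) are assumptions of the example.<br>
<pre>
```python
import re

# One entry of the older `ls -laZ` layout: mode[.] user group context name
ENTRY = re.compile(r"^([-dlbcps][-rwxsStT]{9})[.+]?\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# Assumption: the legacy NSS database files the web server has to open.
NSS_DB_FILES = {"cert8.db", "key3.db", "secmod.db"}

# Lines copied from the listing above (wrapped lines rejoined).
SAMPLE = """\
drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
-r--r--r-- root root ? cacert.asc
-rw-r----- root root ? cert8.db
-rw-rw---- root apache ? cert8.db.orig
-rw-------. root root system_u:object_r:cert_t:s0 install.log
-rw-r----- root root ? key3.db
-rw-rw---- root apache ? secmod.db
"""

def can_read(mode, owner, group, user, user_groups):
    """Classic owner/group/other read check (ACLs and root override ignored)."""
    if owner == user:
        return mode[1] == "r"
    if group in user_groups:
        return mode[4] == "r"
    return mode[7] == "r"

def audit(listing, user="apache", user_groups=("apache",)):
    """Return (file name, finding) pairs for regular files in the listing."""
    findings = []
    for raw in listing.splitlines():
        match = ENTRY.match(raw.strip())
        if not match or match.group(1)[0] != "-":
            continue  # skip prompts, directories and symlinks
        mode, owner, group, context, name = match.groups()
        if context == "?":
            findings.append((name, "no SELinux context shown"))
        if name in NSS_DB_FILES and not can_read(mode, owner, group, user, user_groups):
            findings.append((name, "not readable by " + user))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name + ": " + finding)
```
</pre>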
</body>
</html>