<div dir="ltr"><div><div><div><div><div><div><div>Hi Florence. </div>Thanks for your support. </div>Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all permissions and certificates are good: [root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/ total 184 -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig -rw-------. 1 root root 4833 Sep 4 2015 install.log -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig lrwxrwxrwx 1 root root 24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db -rw-r-----. 1 root apache 16384 Sep 4 2015 secmod.db.orig </div>And password validations seems ok, too: [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa **************************************** NSS Certificate DB:Server-Cert < 1> rsa **************************************** NSS Certificate DB:Signing-Cert < 2> rsa **************************************** NSS Certificate DB:ipaCert </div>Enabling mod-nss debug I can see these logs: [root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: <a href="http://mlv-ipa01.ipa.mydomain.com">mlv-ipa01.ipa.mydomain.com</a> -> Server-Cert [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_md5 [Thu Nov 17 15:05:11.003483 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_null_sha [Thu Nov 17 15:05:11.003491 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_40_md5 [Thu Nov 17 15:05:11.003509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_md5 [Thu Nov 17 15:05:11.003632 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_128_sha [Thu Nov 17 15:05:11.003740 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc2_40_md5 [Thu Nov 17 15:05:11.003747 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_des_sha [Thu Nov 17 15:05:11.003802 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_3des_sha [Thu Nov 17 15:05:11.003902 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_des_sha [Thu Nov 17 15:05:11.004001 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_sha [Thu Nov 17 15:05:11.004167 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_256_sha [Thu Nov 17 15:05:11.004180 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: null_sha_256 [Thu Nov 17 15:05:11.004191 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_128_sha_256 [Thu Nov 17 15:05:11.004285 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: aes_256_sha_256 [Thu Nov 17 15:05:11.004352 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: camelia_128_sha [Thu Nov 17 15:05:11.004437 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_des_56_sha [Thu Nov 17 15:05:11.004509 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: rsa_rc4_56_sha [Thu Nov 17 15:05:11.004606 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: camelia_256_sha [Thu Nov 17 15:05:11.004668 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_128_gcm_sha_256 [Thu Nov 17 15:05:11.004724 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: rsa_aes_256_gcm_sha_384 [Thu Nov 17 15:05:11.004806 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: fips_3des_sha [Thu Nov 17 15:05:11.004881 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: fips_des_sha [Thu Nov 17 15:05:11.004956 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_3des_sha [Thu Nov 17 15:05:11.005027 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_sha [Thu Nov 17 15:05:11.005106 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_sha [Thu Nov 17 15:05:11.005173 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_camellia_128_sha [Thu Nov 17 15:05:11.005238 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_camellia_256_sha [Thu Nov 17 15:05:11.005309 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_sha256 [Thu Nov 17 15:05:11.005380 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_sha256 [Thu Nov 17 15:05:11.005452 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_128_gcm_sha_256 [Thu Nov 17 15:05:11.005524 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: dhe_rsa_aes_256_gcm_sha_384 [Thu Nov 17 15:05:11.005596 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_null_sha [Thu Nov 17 15:05:11.005655 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_rc4_128_sha [Thu Nov 17 15:05:11.005698 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_3des_sha [Thu Nov 17 15:05:11.005814 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_aes_128_sha [Thu Nov 17 15:05:11.005859 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_ecdsa_aes_256_sha [Thu Nov 17 15:05:11.005904 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_null_sha [Thu Nov 17 15:05:11.005948 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_rc4_128_sha [Thu Nov 17 15:05:11.005993 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_3des_sha [Thu Nov 17 15:05:11.006037 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_128_sha [Thu Nov 17 15:05:11.006081 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_256_sha [Thu Nov 17 15:05:11.006124 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_null_sha [Thu Nov 17 15:05:11.006181 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_128_sha [Thu Nov 17 15:05:11.006223 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_3des_sha [Thu Nov 17 15:05:11.006261 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_aes_128_sha [Thu Nov 17 15:05:11.006304 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_rsa_aes_256_sha [Thu Nov 17 15:05:11.006348 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_null [Thu Nov 17 15:05:11.006391 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_rc4_128_sha [Thu Nov 17 15:05:11.006428 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_3des_sha [Thu Nov 17 15:05:11.006466 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_sha [Thu Nov 17 15:05:11.006503 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_256_sha [Thu Nov 17 15:05:11.006541 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_null_sha [Thu Nov 17 15:05:11.006580 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_rc4_128sha [Thu Nov 17 15:05:11.006622 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_3des_sha [Thu Nov 17 15:05:11.006649 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_aes_128_sha [Thu Nov 17 15:05:11.006682 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdh_anon_aes_256_sha [Thu Nov 17 15:05:11.006725 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_aes_128_sha_256 [Thu Nov 17 15:05:11.006730 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_aes_128_sha_256 [Thu Nov 17 15:05:11.006734 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_128_gcm_sha_256 [Thu Nov 17 15:05:11.006737 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_ecdsa_aes_256_sha_384 [Thu Nov 17 15:05:11.006740 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Disable cipher: ecdhe_rsa_aes_256_sha_384 [Thu Nov 17 15:05:11.006743 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_ecdsa_aes_256_gcm_sha_384 [Thu Nov 17 15:05:11.006746 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_256_gcm_sha_384 [Thu Nov 17 15:05:11.006749 2016] [:debug] [pid 10660] nss_engine_init.c(1140): Enable cipher: ecdhe_rsa_aes_128_gcm_sha_256 [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert. [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert' [root@mlv-ipa01 ~]# tail -f /var/log/messages Nov 17 15:05:04 mlv-ipa01 systemd[1]: Starting Identity, Policy, Audit... Nov 17 15:05:07 mlv-ipa01 ipactl: Existing service file detected! Nov 17 15:05:07 mlv-ipa01 ipactl: Assuming stale, cleaning and proceeding Nov 17 15:05:07 mlv-ipa01 systemd[1]: Starting 389 Directory Server IPA-MYDOMAIN-COM.... Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.799208210 +0100] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.803853873 +0100] SSL alert: Security Initialization: Enabling default cipher set. Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.805145890 +0100] SSL alert: Configured NSS Ciphers Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.806316182 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.807723387 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.808923825 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.810155882 +0100] SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.811325853 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.812784224 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.813976726 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.815120447 +0100] SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.816327755 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.817977411 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.819254448 +0100] SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.820464679 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.821632382 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.822786869 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.823971028 +0100] SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.825053303 +0100] SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.826194181 +0100] SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.827825315 +0100] SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.829462992 +0100] SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.830793383 +0100] SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.832242224 +0100] SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.833873583 +0100] SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.885093482 +0100] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.886826410 +0100] 389-Directory/<a href="http://1.3.5.10">1.3.5.10</a> B2016.309.1527 starting up Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.924968051 +0100] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match Nov 17 15:05:07 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:07.960936427 +0100] WARNING: changelog: entry cache size 2097152 B is less than db size 15654912 B; We recommend to increase the entry cache size nsslapd-cachememsize. Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.051517901 +0100] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.088107275 +0100] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.089975405 +0100] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.091605059 +0100] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.093396173 +0100] NSACLPlugin - The ACL target ou=sudoers,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.095072910 +0100] NSACLPlugin - The ACL target cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.097647403 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.099159503 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.100703471 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.102286938 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.103852482 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.105586463 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.107026360 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.108476210 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.110187640 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.111655019 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.113841889 +0100] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.133500119 +0100] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.135098802 +0100] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain,dc=com does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.363531779 +0100] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.373037600 +0100] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ipa,dc=mydomain,dc=com--no CoS Templates found, which should be added before the CoS Definition. Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.412160395 +0100] set_krb5_creds - Could not get initial credentials for principal [ldap/<a href="mailto:mlv-ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM">mlv-ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM</a>] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.417620890 +0100] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.430081973 +0100] slapd started. Listening on All Interfaces port 389 for LDAP requests Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.431273848 +0100] Listening on All Interfaces port 636 for LDAPS requests Nov 17 15:05:08 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:08.432861124 +0100] Listening on /var/run/slapd-IPA-MYDOMAIN-COM.socket for LDAPI requests Nov 17 15:05:08 mlv-ipa01 systemd[1]: Started 389 Directory Server IPA-MYDOMAIN-COM.. Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Kerberos 5 KDC... Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Kerberos 5 KDC. Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Kerberos 5 Password-changing and Administration... Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Kerberos 5 Password-changing and Administration. Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Generate rndc key for BIND (DNS)... Nov 17 15:05:09 mlv-ipa01 systemd[1]: Started Generate rndc key for BIND (DNS). Nov 17 15:05:09 mlv-ipa01 systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11... Nov 17 15:05:09 mlv-ipa01 bash: zone localhost.localdomain/IN: loaded serial 0 Nov 17 15:05:09 mlv-ipa01 bash: zone localhost/IN: loaded serial 0 Nov 17 15:05:09 mlv-ipa01 bash: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Nov 17 15:05:09 mlv-ipa01 bash: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Nov 17 15:05:09 mlv-ipa01 bash: zone 0.in-addr.arpa/IN: loaded serial 0 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: starting BIND 9.9.4-RedHat-9.9.4-38.el7_3 -u named Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ---------------------------------------------------- Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: BIND 9 is maintained by Internet Systems Consortium, Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: corporation. Support and training for BIND 9 are Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: available at <a href="https://www.isc.org/support">https://www.isc.org/support</a> Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ---------------------------------------------------- Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: adjusted limit on open files from 4096 to 1048576 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: found 8 CPUs, using 8 worker threads Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using 8 UDP listeners per interface Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using up to 4096 sockets Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: loading configuration from '/etc/named.conf' Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: initializing GeoIP Country (IPv4) (type 1) DB Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016 MaxMind Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: initializing GeoIP Country (IPv6) (type 12) DB Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GEO-106FREE 20160607 Build 1 Copy Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv4) (type 2) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv4) (type 6) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv6) (type 30) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP City (IPv6) (type 31) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Region (type 3) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Region (type 7) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP ISP (type 4) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Org (type 5) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP AS (type 9) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP Domain (type 11) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: GeoIP NetSpeed (type 10) DB not available Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using default UDP/IPv4 port range: [1024, 65535] Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: using default UDP/IPv6 port range: [1024, 65535] Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on IPv6 interfaces, port 53 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on IPv4 interface lo, 127.0.0.1#53 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: listening on IPv4 interface eth0, 192.168.0.65#53 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: generating session key for dynamic DNS Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: sizing zone task pool based on 6 zones Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind' Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: bind-dyndb-ldap version 10.0 compiled at 16:25:21 Nov 4 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11) Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: option 'serial_autoincrement' is not supported, ignoring Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: automatic empty zone: 10.IN-ADDR.ARPA ... Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: command channel listening on 127.0.0.1#953 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: command channel listening on ::1#953 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: managed-keys-zone: loaded serial 10165 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone '10.IN-ADDR.ARPA'? ... Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: zone <a href="http://ipa.mydomain.com/IN">ipa.mydomain.com/IN</a>: loaded serial 1479391509 Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: zone <a href="http://ipa.mydomain.com/IN">ipa.mydomain.com/IN</a>: sending notifies (serial 1479391509) Nov 17 15:05:09 mlv-ipa01 named-pkcs11[10634]: 1 master zones from LDAP instance 'ipa' loaded (1 zones defined, 0 inactive, 0 failed to load) Nov 17 15:05:10 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE Nov 17 15:05:11 mlv-ipa01 kill: kill: cannot find process "" Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1 Nov 17 15:05:11 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server. Nov 17 15:05:11 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state. Nov 17 15:05:11 mlv-ipa01 systemd[1]: httpd.service failed. Nov 17 15:05:11 mlv-ipa01 systemctl[10657]: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details. Nov 17 15:05:11 mlv-ipa01 ipactl: Failed to start httpd Service Nov 17 15:05:11 mlv-ipa01 ipactl: Shutting down Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping Kerberos 5 KDC... Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Kerberos 5 KDC. Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping Kerberos 5 Password-changing and Administration... Nov 17 15:05:11 mlv-ipa01 systemd[1]: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Kerberos 5 Password-changing and Administration. Nov 17 15:05:11 mlv-ipa01 systemd[1]: Unit kadmin.service entered failed state. Nov 17 15:05:11 mlv-ipa01 systemd[1]: kadmin.service failed. Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11... Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: received control channel command 'stop' Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: shutting down: flushing changes Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: stopping command channel on 127.0.0.1#953 Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: stopping command channel on ::1#953 Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: zone <a href="http://ipa.mydomain.com/IN">ipa.mydomain.com/IN</a>: shutting down Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on ::#53 Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on 127.0.0.1#53 Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: no longer listening on 192.168.0.65#53 Nov 17 15:05:11 mlv-ipa01 named-pkcs11[10634]: exiting Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11. Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping IPA memcached daemon, increases IPA server performance... Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopped IPA memcached daemon, increases IPA server performance. Nov 17 15:05:11 mlv-ipa01 systemctl[10685]: Warning: httpd.service changed on disk. Run 'systemctl daemon-reload' to reload units. Nov 17 15:05:11 mlv-ipa01 systemd[1]: Stopping 389 Directory Server IPA-MYDOMAIN-COM.... Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.357603144 +0100] slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1 Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.359785218 +0100] slapd shutting down - waiting for 25 threads to terminate Nov 17 15:05:11 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:11.361826680 +0100] slapd shutting down - closing down internal subsystems and plugins Nov 17 15:05:13 mlv-ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_996)) Nov 17 15:05:13 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:13.811837199 +0100] Waiting for 4 database threads to stop Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.000534924 +0100] All database threads now stopped Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.015405431 +0100] slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects Nov 17 15:05:14 mlv-ipa01 ns-slapd: [17/Nov/2016:15:05:14.437288197 +0100] slapd stopped. Nov 17 15:05:14 mlv-ipa01 systemd[1]: Stopped 389 Directory Server IPA-MYDOMAIN-COM.. Nov 17 15:05:14 mlv-ipa01 ipactl: Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed Nov 17 15:05:14 mlv-ipa01 ipactl: Aborting ipactl Nov 17 15:05:14 mlv-ipa01 ipactl: Starting Directory Service Nov 17 15:05:14 mlv-ipa01 ipactl: Starting krb5kdc Service Nov 17 15:05:14 mlv-ipa01 ipactl: Starting kadmin Service Nov 17 15:05:14 mlv-ipa01 ipactl: Starting named Service Nov 17 15:05:14 mlv-ipa01 ipactl: Starting ipa_memcached Service Nov 17 15:05:14 mlv-ipa01 ipactl: Starting httpd Service Nov 17 15:05:14 mlv-ipa01 systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE Nov 17 15:05:14 mlv-ipa01 systemd[1]: Failed to start Identity, Policy, Audit. Nov 17 15:05:14 mlv-ipa01 systemd[1]: Unit ipa.service entered failed state. Nov 17 15:05:14 mlv-ipa01 systemd[1]: ipa.service failed. </div>Do you think there is a kerberos problem? </div>Please let me know, thanks. </div>Bye, Morgan <div><div><div><div><div><div><div><div><div><div><div class="gmail_extra"> <div class="gmail_quote">2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 11/17/2016 12:09 PM, Morgan Marodin wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Hello. This morning I've tried to upgrade my IPA server, but the upgrade failed, and now the service doesn't start! :( If I try lo launch the upgrade manually this is the output: /[root@mlv-ipa01 download]# ipa-server-upgrade<div><div class="gmail-h5"> Upgrading IPA: [1/8]: saving configuration [2/8]: disabling listeners [3/8]: enabling DS global lock [4/8]: starting directory server [5/8]: updating schema [6/8]: upgrading server [7/8]: stopping directory server [8/8]: restoring configuration Done. Update complete Upgrading IPA services Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved [Verifying that CA proxy configuration is correct] [Verifying that KDC configuration is using ipa-kdb backend] [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Enable sidgen and extdom plugins by default] [Updating HTTPD service IPA configuration] [Updating mod_nss protocol versions] Protocol versions already updated [Updating mod_nss cipher suite] [Fixing trust flags in /etc/httpd/alias] Trust flags already processed [Exporting KRA agent PEM file] KRA is not enabled IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1 The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for </div></div> more information/ These are error logs of Apache: /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'/ The problem seems to be the /Server-Cert /that could not be found. But if I try to execute the certutil command manually I can see it:/ [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u ipaCert u,u,u Server-Cert Pu,u,u <a href="http://IPA.MYDOMAIN.COM" rel="noreferrer" target="_blank">IPA.MYDOMAIN.COM</a> <<a href="http://IPA.MYDOMAIN.COM" rel="noreferrer" target="_blank">http://IPA.MYDOMAIN.COM</a>> IPA CA CT,C,C/ Could you help me? What could I try to do to restart my service? </blockquote> Hi, I would first make sure that httpd is using /etc/httpd/alias as NSS DB (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf). Then it may be a file permission issue: the NSS DB should belong to root:apache (the relevant files are cert8.db, key3.db and secmod.db). You should also find a pwdfile.txt in the same directory, containing the NSS DB password. Check that the password is valid using certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt (if the command succeeds then the password in pwdfile is OK). You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting "LogLevel debug", and check the output in /var/log/httpd/error_log. HTH, Flo. <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Thanks, Morgan </blockquote> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div></div></div></div></div></div></div></div></div></div></div></div></div>