<div dir="ltr"><div><div><div><div><div><div><div>Hi Rob. </div>I've just tried to remove the group write to the *.db files, but it's not the problem. [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf NSSNickname Server-Cert </div>I've tried to run manually dirsrv.target and krb5kdc.service, and it works, services went up. </div>The same for ntpd, named-pkcs11.service, smb.service, winbind.service, kadmin.service, memcached.service and pki-tomcatd.target. </div>But if I try to start httpd.service: [root@mlv-ipa01 ~]# tail -f /var/log/messages Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server... Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process "" Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1 Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server. Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state. Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed. </div>Any other ideas? </div> Please let me know, thanks. </div>Morgan <div><div><div><div><div><div><div><div><div class="gmail_extra"> <div class="gmail_quote">2016-11-17 16:11 GMT+01:00 Rob Crittenden <<a target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>: <blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Morgan Marodin wrote: > Hi Florence. > > Thanks for your support. > > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all > permissions and certificates are good: > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/ > total 184 > -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc > -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db > -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig > -rw-------. 1 root root 4833 Sep 4 2015 install.log > -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db > -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig > lrwxrwxrwx 1 root root 24 Nov 17 10:24 libnssckbi.so -> > /usr/lib64/libnssckbi.so > -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt > -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db > -rw-r-----. 1 root apache 16384 Sep 4 2015 secmod.db.orig/ Eventually you'll want to remove group write on the *.db files. > And password validations seems ok, too: > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f > /etc/httpd/alias/pwdfile.txt good > Enabling mod-nss debug I can see these logs: > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] > nss_engine_init.c(454): SNI: <a target="_blank" rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com">mlv-ipa01.ipa.mydomain.com</a> > <<a target="_blank" rel="noreferrer" href="http://mlv-ipa01.ipa.mydomain.com">http://mlv-ipa01.ipa.mydomain.com</a>> -> Server-Cert > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server > for SSL protocol > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0 > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1 > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2 > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum) > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum) > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] > nss_engine_init.c(906): Disabling TLS Session Tickets > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] > nss_engine_init.c(916): Enabling DHE key exchange > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] > nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL > ciphers > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha] > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660] > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname > Server-Cert. [snip] > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not > found: 'Server-Cert' Can you shows what this returns: # grep NSSNickname /etc/httpd/conf.d/nss.conf > Do you think there is a kerberos problem? It definitely is not. You can bring the system up in a minimal way by manually starting the <a href="mailto:dirsrv@EXAMPLE.COM">dirsrv@EXAMPLE.COM</a> service and then krb5kdc. This will at least let your users authenticate. The management framework (GUI) runs through Apache so that will be down until we can get Apache started again. rob > > Please let me know, thanks. > Bye, Morgan > > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com">flo@redhat.com</a> > <mailto:<a href="mailto:flo@redhat.com">flo@redhat.com</a>>>: <div class="gmail-HOEnZb"><div class="gmail-h5">> > On 11/17/2016 12:09 PM, Morgan Marodin wrote: > > Hello. > > This morning I've tried to upgrade my IPA server, but the upgrade > failed, and now the service doesn't start! :( > > If I try lo launch the upgrade manually this is the output: > /[root@mlv-ipa01 download]# ipa-server-upgrade > > Upgrading IPA: > [1/8]: saving configuration > [2/8]: disabling listeners > [3/8]: enabling DS global lock > [4/8]: starting directory server > [5/8]: updating schema > [6/8]: upgrading server > [7/8]: stopping directory server > [8/8]: restoring configuration > Done. > Update complete > Upgrading IPA services > Upgrading the configuration of the IPA services > [Verifying that root certificate is published] > [Migrate CRL publish directory] > CRL tree already moved > [Verifying that CA proxy configuration is correct] > [Verifying that KDC configuration is using ipa-kdb backend] > [Fix DS schema file syntax] > Syntax already fixed > [Removing RA cert from DS NSS database] > RA cert already removed > [Enable sidgen and extdom plugins by default] > [Updating HTTPD service IPA configuration] > [Updating mod_nss protocol versions] > Protocol versions already updated > [Updating mod_nss cipher suite] > [Fixing trust flags in /etc/httpd/alias] > Trust flags already processed > [Exporting KRA agent PEM file] > KRA is not enabled > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run > command ipa-server-upgrade manually. > Unexpected error - see /var/log/ipaupgrade.log for details: > CalledProcessError: Command '/bin/systemctl start httpd.service' > returned non-zero exit status 1 > The ipa-server-upgrade command failed. See > /var/log/ipaupgrade.log for > more information/ > > These are error logs of Apache: > /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] > AH01232: > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] > Certificate not > found: 'Server-Cert'/ > > The problem seems to be the /Server-Cert /that could not be found. > But if I try to execute the certutil command manually I can see it:/ > [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/ > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > Signing-Cert u,u,u > ipaCert u,u,u > Server-Cert Pu,u,u > <a target="_blank" rel="noreferrer" href="http://IPA.MYDOMAIN.COM">IPA.MYDOMAIN.COM</a> <<a target="_blank" rel="noreferrer" href="http://IPA.MYDOMAIN.COM">http://IPA.MYDOMAIN.COM</a>> > <<a target="_blank" rel="noreferrer" href="http://IPA.MYDOMAIN.COM">http://IPA.MYDOMAIN.COM</a>> IPA > CA CT,C,C/ > > Could you help me? > What could I try to do to restart my service? > > Hi, > > I would first make sure that httpd is using /etc/httpd/alias as NSS > DB (check the directive NSSCertificateDatabase in > /etc/httpd/conf.d/nss.conf). > Then it may be a file permission issue: the NSS DB should belong to > root:apache (the relevant files are cert8.db, key3.db and secmod.db). > You should also find a pwdfile.txt in the same directory, containing > the NSS DB password. Check that the password is valid using > certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt > (if the command succeeds then the password in pwdfile is OK). > > You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by > setting "LogLevel debug", and check the output in > /var/log/httpd/error_log. > > HTH, > Flo. > > Thanks, Morgan > > > > -- > Manage your subscription for the Freeipa-users mailing list: > <a target="_blank" rel="noreferrer" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > <<a target="_blank" rel="noreferrer" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>> > Go to <a target="_blank" rel="noreferrer" href="http://freeipa.org">http://freeipa.org</a> for more info on the project > > </div></div></blockquote></div></div></div></div></div></div></div></div></div></div></div>