<div dir="ltr"><div><div><div>Ok, I did a manual copy of the folder yesterday, before testing with the <i>certutil</i> binary.<br><br></div>The working <i>mod_nss</i> RPM is 1.0.11-6.el7.x86_64 version.<br></div>The bad one is 1.0.14-7.el7 version.<br><br></div>Bye<br><div class="gmail_extra"><br><div class="gmail_quote">2016-11-18 16:51 GMT+01:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Morgan Marodin wrote:<br>
> What do you mean with backup database?<br>
><br>
> Updating again the mod_nss RPM, Apache doesn't start ... so, this is the<br>
> problem.<br>
<br>
</span>You said "and restoring the original /etc/httpd/alias/ folder". Original<br>
from what, where did that come from?<br>
<br>
So merely updating mod_nss breaks things? Strange. What is the working<br>
version? rpm -q mod_nss<br>
<br>
rob<br>
<span class=""><br>
><br>
> 2016-11-18 15:43 GMT+01:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>:<br></span><span class="">
><br>
> Morgan Marodin wrote:<br>
</span><span class="">> > It works!<br>
> > Thanks for your support.<br>
> ><br>
> > Anyway, I will try to update again mod_nss package! :D<br>
><br>
> Glad it's working for you. I'm curious what the backup database was for.<br>
> Did you create that?<br>
><br>
> rob<br>
><br>
> > Bye!<br>
> ><br>
> ><br>
> > 2016-11-18 15:21 GMT+01:00 Morgan Marodin <<a href="mailto:morgan@marodin.it">morgan@marodin.it</a>>:<br></span>
<div><div class="h5">> ><br>
> > A little good news.<br>
> ><br>
> > Downgrading the /mod_nss/ RPM package, and restoring the original<br>
> > //etc/httpd/alias/ folder, /ipa-server-upgrade/ procedure has<br>
> > finished well:<br>
> > /# ipa-server-upgrade<br>
> > Upgrading IPA:<br>
> > [1/10]: stopping directory server<br>
> > [2/10]: saving configuration<br>
> > [3/10]: disabling listeners<br>
> > [4/10]: enabling DS global lock<br>
> > [5/10]: starting directory server<br>
> > [6/10]: updating schema<br>
> > [7/10]: upgrading server<br>
> > [8/10]: stopping directory server<br>
> > [9/10]: restoring configuration<br>
> > [10/10]: starting directory server<br>
> > Done.<br>
> > Update complete<br>
> > Upgrading IPA services<br>
> > Upgrading the configuration of the IPA services<br>
> > [Verifying that root certificate is published]<br>
> > [Migrate CRL publish directory]<br>
> > CRL tree already moved<br>
> > [Verifying that CA proxy configuration is correct]<br>
> > [Verifying that KDC configuration is using ipa-kdb backend]<br>
> > [Fix DS schema file syntax]<br>
> > Syntax already fixed<br>
> > [Removing RA cert from DS NSS database]<br>
> > RA cert already removed<br>
> > [Enable sidgen and extdom plugins by default]<br>
> > [Updating HTTPD service IPA configuration]<br>
> > [Updating mod_nss protocol versions]<br>
> > Protocol versions already updated<br>
> > [Updating mod_nss cipher suite]<br>
> > [Fixing trust flags in /etc/httpd/alias]<br>
> > Trust flags already processed<br>
> > [Exporting KRA agent PEM file]<br>
> > KRA is not enabled<br>
> > [Removing self-signed CA]<br>
> > [Removing Dogtag 9 CA]<br>
> > [Checking for deprecated KDC configuration files]<br>
> > [Checking for deprecated backups of Samba configuration files]<br>
> > [Setting up Firefox extension]<br>
> > [Add missing CA DNS records]<br>
> > IPA CA DNS records already processed<br>
> > [Removing deprecated DNS configuration options]<br>
> > [Ensuring minimal number of connections]<br>
> > [Enabling serial autoincrement in DNS]<br>
> > [Updating GSSAPI configuration in DNS]<br>
> > [Updating pid-file configuration in DNS]<br>
> > [Checking global forwarding policy in named.conf to avoid<br>
> conflicts<br>
> > with automatic empty zones]<br>
> > Global forward policy in named.conf will be changed to "only" to<br>
> > avoid conflicts with automatic empty zones<br>
> > [Adding server_id to named.conf]<br>
> > Changes to named.conf have been made, restart named<br>
> > Custodia service is being configured<br>
> > Configuring ipa-custodia<br>
> > [1/5]: Generating ipa-custodia config file<br>
> > [2/5]: Making sure custodia container exists<br>
> > [3/5]: Generating ipa-custodia keys<br>
> > [4/5]: starting ipa-custodia<br>
> > [5/5]: configuring ipa-custodia to start on boot<br>
> > Done configuring ipa-custodia.<br>
> > [Upgrading CA schema]<br>
> > CA schema update complete<br>
> > [Verifying that CA audit signing cert has 2 year validity]<br>
> > [Update certmonger certificate renewal configuration to version 5]<br>
> > Configuring certmonger to stop tracking system certificates for CA<br>
> > Certmonger certificate renewal configuration updated to version 5<br>
> > [Enable PKIX certificate path discovery and validation]<br>
> > PKIX already enabled<br>
> > [Authorizing RA Agent to modify profiles]<br>
> > [Authorizing RA Agent to manage lightweight CAs]<br>
> > [Ensuring Lightweight CAs container exists in Dogtag database]<br>
> > [Adding default OCSP URI configuration]<br>
> > pki-tomcat configuration changed, restart pki-tomcat<br>
> > [Ensuring CA is using LDAPProfileSubsystem]<br>
> > [Migrating certificate profiles to LDAP]<br>
> > [Ensuring presence of included profiles]<br>
> > [Add default CA ACL]<br>
> > Default CA ACL already added<br>
> > [Set up lightweight CA key retrieval]<br>
> > Creating principal<br>
> > Retrieving keytab<br>
> > Creating Custodia keys<br>
> > Configuring key retriever<br>
> > The IPA services were upgraded<br>
> > The ipa-server-upgrade command was successful/<br>
> ><br>
> > And Apache has started, BUT there is a problem with the web certificate:<br>
> > /# tail -f /var/log/httpd/error_log<br>
> > [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to<br>
> > child 2 established (server <a href="http://mlv-ipa01.ipa.mydomain.com:443" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com:443</a>, client 192.168.0.252)<br></div></div><span class="">
> > [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input<br>
> > filter read failed.<br>
> > [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library<br>
> > Error: -12285 Unable to find the certificate or key necessary for<br>
> > authentication<br>
> > [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to<br>
> > child 2 closed (server <a href="http://mlv-ipa01.ipa.mydomain.com:443" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com:443</a>, client 192.168.0.252)/<br></span><span class="">
> ><br>
> > How do you suggest to go on with my issue?<br>
> ><br>
> > Thanks, Morgan<br>
> ><br>
> > 2016-11-18 12:11 GMT+01:00 Morgan Marodin <<a href="mailto:morgan@marodin.it">morgan@marodin.it</a>>:<br></span>
<span class="">> ><br>
> > I've tried to add it to a new test folder, with a new<br>
> > certificate nickname, and then to replace it to /nss.conf/.<br>
> ><br>
> > But the problem persists:<br>
> > /# certutil -V -u V -d /etc/httpd/test -n ipa01cert<br>
> > certutil: certificate is valid/<br>
> ><br>
> > /# tail -f /var/log/httpd/error_log<br>
> > /<br>
> > /[Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552]<br>
> > AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> > [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552]<br>
> > NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> > [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552]<br>
> > nss_engine_init.c(454): SNI: <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> ipa01cert<br></span><span class="">
> > [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The<br>
> > server key database has not been initialized.<br>
> > [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552]<br>
> > Configuring server for SSL protocol<br>
> > ...<br>
> > [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using<br>
> > nickname ipa01cert.<br>
> > [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552]<br>
> > Certificate not found: 'ipa01cert'/<br>
> ><br>
> > I've found this guide:/<br>
> > Combine the server cert and key into a single file<br>
> > # cat localhost.crt > Server-Cert.txt<br>
> > # cat localhost.key >> Server-Cert.txt<br>
> > Convert the server cert into a p12 file<br>
> > # openssl pkcs12 -export -in Server-Cert.txt -out<br>
> > Server-Cert.p12 -name "Server-Cert"<br>
> > Now Import the Public and Private keys into the database at the<br>
> > same time.<br>
> > #pk12util -i /tmp/cert-files/Server-Cert.<wbr>p12 -d /etc/httpd/alias<br>
> > -n Server-Cert/<br>
> ><br>
> > Where is stored the key certificate file?<br>
> ><br>
> > Thanks, Morgan<br>
> ><br>
> ><br>
> > 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com">flo@redhat.com</a>>:<br></span>
> ><br>
<span class="">> > On 11/18/2016 10:04 AM, Morgan Marodin wrote:<br>
> ><br>
> > Hi Florence.<br>
> ><br>
> > I've tried to configure the wrong certificate in<br>
> > nss.conf (/ipaCert/),<br>
> > and with this Apache started.<br>
> > So I think the problem is in the /Server-Cert/ stored in<br>
> > //etc/httpd/alias/, even if all manual checks are ok.<br>
> ><br>
> > These are logs with the wrong certificate test:<br>
> > /# tail -f /var/log/httpd/error_log/<br>
> > /[Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid<br>
> > 7709] AH01232:<br>
> > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> > [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709]<br>
> > NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> > [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(454): SNI: <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> ipaCert<br></span><div><div class="h5">
> ><br>
> > [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709]<br>
> > Configuring server<br>
> > for SSL protocol<br>
> > [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0]<br>
> (minimum)<br>
> > [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2]<br>
> (maximum)<br>
> > [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> > permitted SSL<br>
> > ciphers<br>
> ><br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> > ...<br>
> > [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]<br>
> > nss_engine_init.c(1140): Enable cipher:<br>
> > ecdhe_rsa_aes_128_gcm_sha_256<br>
> > [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709]<br>
> > Using nickname ipaCert.<br>
> > [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709]<br>
> > Misconfiguration<br>
> > of certificate's CN and virtual name. The<br>
> certificate CN<br>
> > has IPA RA. We<br>
> > expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
</div></div><span class="">> > as virtual name.<br>
> > [Fri Nov 18 09:34:33.028056 2016]<br></span>
<span class="">> > [auth_digest:notice] [pid 7709]<br>
> > AH01757: generating secret for digest authentication ...<br>
> > [Fri Nov 18 09:34:33.030039 2016]<br></span>
<span class="">> > [lbmethod_heartbeat:notice] [pid 7709]<br>
> > AH02282: No slotmem from mod_heartmonitor<br>
> > [Fri Nov 18 09:34:33.030122 2016]<br></span>
<span class="">> > [:warn] [pid 7709]<br>
> > NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> > [Fri Nov 18 09:34:33.030176 2016]<br></span>
<span class="">> > [:debug] [pid 7709]<br>
> > nss_engine_init.c(454): SNI: <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> ipaCert<br></span><span class="">
> ><br>
> > [Fri Nov 18 09:34:33.051481 2016]<br></span>
<span class="">> > [mpm_prefork:notice] [pid 7709]<br>
> > AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0<br>
> > mod_auth_kerb/5.4<br>
> > mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4<br>
> > Python/2.7.5 configured<br>
> > -- resuming normal operations<br>
> > [Fri Nov 18 09:34:33.051551 2016]<br></span>
<span class="">> > [core:notice] [pid 7709] AH00094:<br>
> > Command line: '/usr/sbin/httpd -D FOREGROUND'<br>
> > [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]<br>
> > proxy_util.c(1838): AH00924: worker ajp://localhost<br>
> > shared already<br>
> > initialized<br>
> > [Fri Nov 18 09:34:33.096163 2016]<br></span>
<span class="">> > [proxy:debug] [pid 7717]<br>
> > proxy_util.c(1880): AH00926: worker ajp://localhost<br>
> > local already<br>
> > initialized<br>
> > ...<br>
> > [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]<br>
> > proxy_util.c(1838): AH00924: worker<br>
> > unix:/run/httpd/ipa-custodia.<wbr>sock|<a href="http://localhost/keys/" rel="noreferrer" target="_blank">http://localhost/keys/</a><br>
> > shared already<br>
> > initialized<br>
> > [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]<br>
> > proxy_util.c(1880): AH00926: worker<br>
> > unix:/run/httpd/ipa-custodia.<wbr>sock|<a href="http://localhost/keys/" rel="noreferrer" target="_blank">http://localhost/keys/</a><br>
> > local already<br>
> > initialized<br>
> > [Fri Nov 18 09:34:33.342762 2016]<br></span>
<span class="">> > [:info] [pid 7717] Configuring server<br>
> > for SSL protocol<br>
> > [Fri Nov 18 09:34:33.342867 2016]<br></span>
<span class="">> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Fri Nov 18 09:34:33.342880 2016]<br></span>
<span class="">> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Fri Nov 18 09:34:33.342885 2016]<br></span>
<span class="">> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Fri Nov 18 09:34:33.342890 2016]<br></span>
<div class="HOEnZb"><div class="h5">> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> > [Fri Nov 18 09:34:33.342894 2016]<br>
> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> > [Fri Nov 18 09:34:33.342900 2016]<br>
> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Fri Nov 18 09:34:33.342904 2016]<br>
> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Fri Nov 18 09:34:33.342917 2016]<br>
> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> > permitted SSL<br>
> > ciphers<br>
> > [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > [Fri Nov 18 09:34:33.342970 2016]<br>
> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> > ...<br>
> > [Fri Nov 18 09:34:33.343233 2016]<br>
> > [:debug] [pid 7717]<br>
> > nss_engine_init.c(1140): Enable cipher:<br>
> > ecdhe_rsa_aes_128_gcm_sha_256<br>
> > [Fri Nov 18 09:34:33.343237 2016]<br>
> > [:info] [pid 7717] Using nickname ipaCert.<br>
> > [Fri Nov 18 09:34:33.344533 2016]<br>
> > [:error] [pid 7717] Misconfiguration<br>
> > of certificate's CN and virtual name. The certificate CN<br>
> > has IPA RA. We<br>
> > expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
</div></div><div class="HOEnZb"><div class="h5">> > as virtual name.<br>
> > [Fri Nov 18 09:34:33.364061 2016]<br>
> > [:info] [pid 7718] Configuring server<br>
> > for SSL protocol<br>
> > [Fri Nov 18 09:34:33.364156 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Fri Nov 18 09:34:33.364167 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Fri Nov 18 09:34:33.364172 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Fri Nov 18 09:34:33.364176 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> > [Fri Nov 18 09:34:33.364180 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> > [Fri Nov 18 09:34:33.364187 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Fri Nov 18 09:34:33.364191 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Fri Nov 18 09:34:33.364202 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> > permitted SSL<br>
> > ciphers<br>
> > [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > [Fri Nov 18 09:34:33.364240 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> > ...<br>
> > [Fri Nov 18 09:34:33.364611 2016]<br>
> > [:debug] [pid 7718]<br>
> > nss_engine_init.c(1140): Enable cipher:<br>
> > ecdhe_rsa_aes_128_gcm_sha_256<br>
> > [Fri Nov 18 09:34:33.364625 2016]<br>
> > [:info] [pid 7718] Using nickname ipaCert.<br>
> > [Fri Nov 18 09:34:33.365549 2016]<br>
> > [:error] [pid 7718] Misconfiguration<br>
> > of certificate's CN and virtual name. The certificate CN<br>
> > has IPA RA. We<br>
> > expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
</div></div><div class="HOEnZb"><div class="h5">> > as virtual name.<br>
> > [Fri Nov 18 09:34:33.369972 2016]<br>
> > [:info] [pid 7720] Configuring server<br>
> > for SSL protocol<br>
> > [Fri Nov 18 09:34:33.370200 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Fri Nov 18 09:34:33.370224 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Fri Nov 18 09:34:33.370239 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Fri Nov 18 09:34:33.370255 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> > [Fri Nov 18 09:34:33.370269 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> > [Fri Nov 18 09:34:33.370286 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Fri Nov 18 09:34:33.370301 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Fri Nov 18 09:34:33.370322 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> > permitted SSL<br>
> > ciphers<br>
> > [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > [Fri Nov 18 09:34:33.370383 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> > ...<br>
> > [Fri Nov 18 09:34:33.371418 2016]<br>
> > [:debug] [pid 7720]<br>
> > nss_engine_init.c(1140): Enable cipher:<br>
> > ecdhe_rsa_aes_128_gcm_sha_256<br>
> > [Fri Nov 18 09:34:33.371437 2016]<br>
> > [:info] [pid 7720] Using nickname ipaCert.<br>
> > [Fri Nov 18 09:34:33.371486 2016]<br>
> > [:info] [pid 7716] Configuring server<br>
> > for SSL protocol<br>
> > [Fri Nov 18 09:34:33.372383 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Fri Nov 18 09:34:33.372439 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Fri Nov 18 09:34:33.372459 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Fri Nov 18 09:34:33.372484 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> > [Fri Nov 18 09:34:33.372513 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> > [Fri Nov 18 09:34:33.372534 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Fri Nov 18 09:34:33.372553 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Fri Nov 18 09:34:33.372580 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> > permitted SSL<br>
> > ciphers<br>
> > [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > [Fri Nov 18 09:34:33.372627 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> > ...<br>
> > [Fri Nov 18 09:34:33.373712 2016]<br>
> > [:debug] [pid 7716]<br>
> > nss_engine_init.c(1140): Enable cipher:<br>
> > ecdhe_rsa_aes_128_gcm_sha_256<br>
> > [Fri Nov 18 09:34:33.373734 2016]<br>
> > [:info] [pid 7716] Using nickname ipaCert.<br>
> > [Fri Nov 18 09:34:33.374652 2016]<br>
> > [:error] [pid 7716] Misconfiguration<br>
> > of certificate's CN and virtual name. The certificate CN<br>
> > has IPA RA. We<br>
> > expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
</div></div><span class="im HOEnZb">> > as virtual name.<br>
> > [Fri Nov 18 09:34:33.372295 2016]<br>
> > [:error] [pid 7720] Misconfiguration<br>
> > of certificate's CN and virtual name. The certificate CN<br>
> > has IPA RA. We<br>
> > expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
</span><span class="im HOEnZb">
> ><br>
</span><div class="HOEnZb"><div class="h5">> > as virtual name.<br>
> > [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719]<br>
> > Configuring server<br>
> > for SSL protocol<br>
> > [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(839): NSSProtocol: [TLS 1.0]<br>
> (minimum)<br>
> > [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(866): NSSProtocol: [TLS 1.2]<br>
> (maximum)<br>
> > [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> > permitted SSL<br>
> > ciphers<br>
> ><br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> > ...<br>
> > [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]<br>
> > nss_engine_init.c(1140): Enable cipher:<br>
> > ecdhe_rsa_aes_128_gcm_sha_256<br>
> > [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719]<br>
> > Using nickname ipaCert.<br>
> > [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719]<br>
> > Misconfiguration<br>
> > of certificate's CN and virtual name. The<br>
> certificate CN<br>
> > has IPA RA. We<br>
> > expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
</div></div><span class="im HOEnZb">
</span><span class="im HOEnZb">> > as virtual name.<br>
> > [Fri Nov 18 09:34:35.558286 2016]<br>
> > [:error] [pid 7715] ipa: WARNING:<br>
> > session memcached servers not running<br>
> > [Fri Nov 18 09:34:35.559653 2016]<br>
> > [:error] [pid 7714] ipa: WARNING:<br>
> > session memcached servers not running<br>
> > [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714]<br>
> > ipa: INFO: ***<br>
> > PROCESS START ***<br>
> > [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715]<br>
> > ipa: INFO: ***<br>
> > PROCESS START ***<br>
> > [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717]<br>
> > Connection to child<br>
> > 1 established (server <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a>, client 192.168.0.239)<br>
</span><div class="HOEnZb"><div class="h5">
> > [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL<br>
> > input filter<br>
> > read failed.<br>
> > [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717]<br>
> > SSL Library Error:<br>
> > -12285 Unable to find the certificate or key necessary<br>
> > for authentication<br>
> > [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717]<br>
> > Connection to child<br>
> > 1 closed (server <a href="http://mlv-ipa01.ipa.mydomain.com:443" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com:443</a>, client<br>
> > 192.168.0.239)<br>
> > [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice]<br>
> > [pid 7709]<br>
> > AH00170: caught SIGWINCH, shutting down gracefully/<br>
> ><br>
> > Is it possible to delete /Server-Cert/ from<br>
> > //etc/httpd/alias/ and reimport<br>
> > it from the original certificates of<br>
> > /<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a>/?<br>
</div></div><span class="im HOEnZb">
> > Where are the original certificates stored?<br>
> ><br>
> > Hi Morgan,<br>
> ><br>
> > with ldapsearch you should be able to find the certificate:<br>
> > ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory<br>
> > manager" -w password -LLL -b<br>
> > krbprincipalname=HTTP/<wbr>ipaserver.ipadomain@IPADOMAIN,<wbr>cn=services,cn=accounts,dc=<wbr>IPADOMAIN<br>
> ><br>
> > The cert will be stored in the field "usercertificate".<br>
> ><br>
> > HTH,<br>
> > Flo.<br>
> ><br>
> > Please let me know, thanks.<br>
> > Bye, Morgan<br>
> ><br>
> > 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud<br>
> > <<a href="mailto:flo@redhat.com">flo@redhat.com</a>>:<br>
</span><span class="im HOEnZb">
> ><br>
> ><br>
</span><div class="HOEnZb"><div class="h5">> > On 11/17/2016 04:51 PM, Morgan Marodin wrote:<br>
> ><br>
> > Hi Rob.<br>
> ><br>
> > I've just tried to remove the group write<br>
> to the<br>
> > *.db files, but<br>
> > it's<br>
> > not the problem.<br>
> > /[root@mlv-ipa01 ~]# grep NSSNickname<br>
> > /etc/httpd/conf.d/nss.conf<br>
> > NSSNickname Server-Cert/<br>
> ><br>
> > I've tried to run manually /dirsrv.target/ and<br>
> > /krb5kdc.service/, and it<br>
> > works, services went up.<br>
> > The same for /ntpd/, /named-pkcs11.service/,<br>
> > /smb.service/,<br>
> > /winbind.service/, /kadmin.service/,<br>
> > /memcached.service/ and<br>
> > /pki-tomcatd.target/.<br>
> ><br>
> > But if I try to start /httpd.service/:<br>
> > /[root@mlv-ipa01 ~]# tail -f /var/log/messages<br>
> > Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting<br>
> > The Apache HTTP<br>
> > Server...<br>
> > Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy:<br>
> > ipa :<br>
> > INFO KDC<br>
> > proxy enabled<br>
> > Nov 17 16:46:07 mlv-ipa01 systemd[1]:<br>
> > httpd.service: main process<br>
> > exited, code=exited, status=1/FAILURE<br>
> > Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot<br>
> > find process ""<br>
> > Nov 17 16:46:07 mlv-ipa01 systemd[1]:<br>
> > httpd.service: control process<br>
> > exited, code=exited status=1<br>
> > Nov 17 16:46:07 mlv-ipa01 systemd[1]:<br>
> Failed to<br>
> > start The Apache<br>
> > HTTP<br>
> > Server.<br>
> > Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit<br>
> > httpd.service entered<br>
> > failed<br>
> > state.<br>
> > Nov 17 16:46:07 mlv-ipa01 systemd[1]:<br>
> > httpd.service failed./<br>
> ><br>
> > Any other ideas?<br>
> ><br>
> > Hi,<br>
> ><br>
> > - Does the NSS Db contain the private key for<br>
> > Server-Cert? If yes,<br>
> > the command<br>
> > $ certutil -K -d /etc/httpd/alias/ -f<br>
> > /etc/httpd/alias/pwdfile.txt<br>
> > should display a line like this one:<br>
> > < 0> rsa<br>
> > 01a6cbd773f3d785ffa44233148dcb<wbr>8ade266ea5 NSS<br>
> > Certificate DB:Server-Cert<br>
> ><br>
> > - Is your system running with SElinux<br>
> enforcing? If<br>
> > yes, you can<br>
> > check if there were SElinux permission denials<br>
> using<br>
> > $ ausearch -m avc --start recent<br>
> ><br>
> > - If the certificate was expired, I believe you<br>
> > would see a<br>
> > different message, but it doesn't hurt to<br>
> check its<br>
> > validity<br>
> > $ certutil -L -d /etc/httpd/alias/ -n<br>
> Server-Cert |<br>
> > egrep "Not<br>
> > Before|Not After"<br>
> ><br>
> ><br>
> > Flo.<br>
> ><br>
> ><br>
> > Please let me know, thanks.<br>
> > Morgan<br>
> ><br>
> > 2016-11-17 16:11 GMT+01:00 Rob Crittenden<br>
> > <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>:<br>
> ><br>
> ><br>
> ><br>
> > Morgan Marodin wrote:<br>
> > > Hi Florence.<br>
> > ><br>
> > > Thanks for your support.<br>
> > ><br>
> > > Yes, httpd is using /etc/httpd/alias as<br>
> > NSS DB. And seems<br>
> > that all<br>
> > > permissions and certificates are good:<br>
> > > /[root@mlv-ipa01 ~]# ls -l<br>
> /etc/httpd/alias/<br>
> > > total 184<br>
> > > -r--r--r-- 1 root root 1345 Sep 7<br>
> > 2015 cacert.asc<br>
> > > -rw-rw---- 1 root apache 65536 Nov 17<br>
> > 11:06 cert8.db<br>
> > > -rw-r-----. 1 root apache 65536 Sep 4<br>
> > 2015 cert8.db.orig<br>
> > > -rw-------. 1 root root 4833 Sep 4<br>
> > 2015 install.log<br>
> > > -rw-rw---- 1 root apache 16384 Nov 17<br>
> > 11:06 key3.db<br>
> > > -rw-r-----. 1 root apache 16384 Sep 4<br>
> > 2015 key3.db.orig<br>
> > > lrwxrwxrwx 1 root root 24 Nov 17<br>
> > 10:24 libnssckbi.so -><br>
> > > /usr/lib64/libnssckbi.so<br>
> > > -rw-rw---- 1 root apache 20 Sep 7<br>
> > 2015 pwdfile.txt<br>
> > > -rw-rw---- 1 root apache 16384 Sep 7<br>
> > 2015 secmod.db<br>
> > > -rw-r-----. 1 root apache 16384 Sep 4<br>
> > 2015 secmod.db.orig/<br>
> ><br>
> > Eventually you'll want to remove group<br>
> write<br>
> > on the *.db files.<br>
> ><br>
> > > And password validations seems ok, too:<br>
> > > /[root@mlv-ipa01 ~]# certutil -K -d<br>
> > /etc/httpd/alias/ -f<br>
> > > /etc/httpd/alias/pwdfile.txt<br>
> > good<br>
> ><br>
> > > Enabling mod-nss debug I can see<br>
> these logs:<br>
> > > /[root@mlv-ipa01 ~]# tail -f<br>
> > /var/log/httpd/error_log<br>
> > > [Thu Nov 17 15:05:10.807603 2016]<br>
> > [suexec:notice] [pid<br>
> > 10660] AH01232:<br>
> > > suEXEC mechanism enabled (wrapper:<br>
> > /usr/sbin/suexec)<br>
> > > [Thu Nov 17 15:05:10.807958 2016]<br>
> [:warn]<br>
> > [pid 10660]<br>
> > > NSSSessionCacheTimeout is deprecated.<br>
> > Ignoring.<br>
> > > [Thu Nov 17 15:05:10.807991 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(454): SNI:<br>
> > <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a> -> Server-Cert<br>
> > > [Thu Nov 17 15:05:11.002664 2016]<br>
> [:info]<br>
> > [pid 10660]<br>
> > Configuring server<br>
> > > for SSL protocol<br>
> > > [Thu Nov 17 15:05:11.002817 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(770): NSSProtocol:<br>
> > Enabling TLSv1.0<br>
> > > [Thu Nov 17 15:05:11.002838 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(775): NSSProtocol:<br>
> > Enabling TLSv1.1<br>
> > > [Thu Nov 17 15:05:11.002847 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(780): NSSProtocol:<br>
> > Enabling TLSv1.2<br>
> > > [Thu Nov 17 15:05:11.002856 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(839):<br>
> NSSProtocol: [TLS<br>
> > 1.0] (minimum)<br>
> > > [Thu Nov 17 15:05:11.002876 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(866):<br>
> NSSProtocol: [TLS<br>
> > 1.2] (maximum)<br>
> > > [Thu Nov 17 15:05:11.003099 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(906): Disabling TLS<br>
> > Session Tickets<br>
> > > [Thu Nov 17 15:05:11.003198 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(916): Enabling DHE key<br>
> > exchange<br>
> > > [Thu Nov 17 15:05:11.003313 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > nss_engine_init.c(1077): NSSCipherSuite:<br>
> > Configuring<br>
> > permitted SSL<br>
> > > ciphers<br>
> > ><br>
> ><br>
> ><br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> > > [Thu Nov 17 15:05:11.003469 2016]<br>
> [:debug]<br>
> > [pid 10660]<br>
> > > [Thu Nov 17 15:05:11.006759 2016]<br>
> [:info]<br>
> > [pid 10660]<br>
> > Using nickname<br>
> > > Server-Cert.<br>
> > [snip]<br>
> > > [Thu Nov 17 15:05:11.006771 2016]<br>
> [:error]<br>
> > [pid 10660]<br>
> > Certificate not<br>
> > > found: 'Server-Cert'<br>
> ><br>
> > Can you show what this returns:<br>
> ><br>
> > # grep NSSNickname<br>
> /etc/httpd/conf.d/nss.conf<br>
> ><br>
> > > Do you think there is a kerberos<br>
> problem?<br>
> ><br>
> > It definitely is not.<br>
> ><br>
> > You can bring the system up in a<br>
> minimal way<br>
> > by manually<br>
> > starting the<br>
> > dirsrv@EXAMPLE.COM service<br>
> ><br>
> > and then<br>
> > krb5kdc. This will at least let your<br>
> > users authenticate. The management<br>
> framework<br>
> > (GUI) runs<br>
> > through Apache<br>
> > so that will be down until we can get<br>
> Apache<br>
> > started again.<br>
> ><br>
> > rob<br>
> ><br>
> > ><br>
> > > Please let me know, thanks.<br>
> > > Bye, Morgan<br>
> > ><br>
> > > 2016-11-17 14:39 GMT+01:00 Florence<br>
> > Blanc-Renaud<br>
> > <<a href="mailto:flo@redhat.com">flo@redhat.com</a>>:<br>
> ><br>
> > ><br>
> > > On 11/17/2016 12:09 PM, Morgan<br>
> Marodin<br>
> > wrote:<br>
> > ><br>
> > > Hello.<br>
> > ><br>
> > > This morning I've tried to<br>
> upgrade<br>
> > my IPA server,<br>
> > but the<br>
> > upgrade<br>
> > > failed, and now the service<br>
> > doesn't start! :(<br>
> > ><br>
> > > If I try to launch the upgrade<br>
> > manually this is<br>
> > the output:<br>
> > > /[root@mlv-ipa01 download]#<br>
> > ipa-server-upgrade<br>
> > ><br>
> > > Upgrading IPA:<br>
> > > [1/8]: saving configuration<br>
> > > [2/8]: disabling listeners<br>
> > > [3/8]: enabling DS global lock<br>
> > > [4/8]: starting directory<br>
> server<br>
> > > [5/8]: updating schema<br>
> > > [6/8]: upgrading server<br>
> > > [7/8]: stopping directory<br>
> server<br>
> > > [8/8]: restoring configuration<br>
> > > Done.<br>
> > > Update complete<br>
> > > Upgrading IPA services<br>
> > > Upgrading the configuration<br>
> of the<br>
> > IPA services<br>
> > > [Verifying that root certificate<br>
> > is published]<br>
> > > [Migrate CRL publish directory]<br>
> > > CRL tree already moved<br>
> > > [Verifying that CA proxy<br>
> > configuration is correct]<br>
> > > [Verifying that KDC<br>
> configuration<br>
> > is using ipa-kdb<br>
> > backend]<br>
> > > [Fix DS schema file syntax]<br>
> > > Syntax already fixed<br>
> > > [Removing RA cert from DS NSS<br>
> > database]<br>
> > > RA cert already removed<br>
> > > [Enable sidgen and extdom<br>
> plugins<br>
> > by default]<br>
> > > [Updating HTTPD service IPA<br>
> > configuration]<br>
> > > [Updating mod_nss protocol<br>
> versions]<br>
> > > Protocol versions already<br>
> updated<br>
> > > [Updating mod_nss cipher suite]<br>
> > > [Fixing trust flags in<br>
> > /etc/httpd/alias]<br>
> > > Trust flags already processed<br>
> > > [Exporting KRA agent PEM file]<br>
> > > KRA is not enabled<br>
> > > IPA server upgrade failed:<br>
> Inspect<br>
> > /var/log/ipaupgrade.log<br>
> > and run<br>
> > > command ipa-server-upgrade<br>
> manually.<br>
> > > Unexpected error - see<br>
> > /var/log/ipaupgrade.log for<br>
> > details:<br>
> > > CalledProcessError: Command<br>
> > '/bin/systemctl start<br>
> > httpd.service'<br>
> > > returned non-zero exit status 1<br>
> > > The ipa-server-upgrade command<br>
> > failed. See<br>
> > > /var/log/ipaupgrade.log for<br>
> > > more information/<br>
> > ><br>
> > > These are error logs of Apache:<br>
> > > /[Thu Nov 17 11:48:45.498510<br>
> 2016]<br>
> > [suexec:notice]<br>
> > [pid 5664]<br>
> > > AH01232:<br>
> > > suEXEC mechanism enabled<br>
> (wrapper:<br>
> > /usr/sbin/suexec)<br>
> > > [Thu Nov 17 11:48:45.499220<br>
> 2016]<br>
> > [:warn] [pid 5664]<br>
> > > NSSSessionCacheTimeout is<br>
> > deprecated. Ignoring.<br>
> > > [Thu Nov 17 11:48:45.830910<br>
> 2016]<br>
> > [:error] [pid 5664]<br>
> > > Certificate not<br>
> > > found: 'Server-Cert'/<br>
> > ><br>
> > > The problem seems to be the<br>
> > /Server-Cert /that<br>
> > could not<br>
> > be found.<br>
> > > But if I try to execute the<br>
> > certutil command<br>
> > manually I<br>
> > can see it:/<br>
> > > [root@mlv-ipa01 log]#<br>
> certutil -L<br>
> > -d /etc/httpd/alias/<br>
> > > Certificate Nickname<br>
> > Trust<br>
> > > Attributes<br>
> > ><br>
> > > SSL,S/MIME,JAR/XPI<br>
> > > Signing-Cert<br>
> > u,u,u<br>
> > > ipaCert<br>
> > u,u,u<br>
> > > Server-Cert<br>
> > Pu,u,u<br>
> > > <a href="http://IPA.MYDOMAIN.COM" rel="noreferrer" target="_blank">IPA.MYDOMAIN.COM</a> IPA<br>
> > > CA<br>
> > CT,C,C/<br>
> > ><br>
> > > Could you help me?<br>
> > > What could I try to do to<br>
> restart<br>
> > my service?<br>
> > ><br>
> > > Hi,<br>
> > ><br>
> > > I would first make sure that httpd is using /etc/httpd/alias as NSS DB (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).<br>
> > > Then it may be a file permission issue: the NSS DB should belong to root:apache (the relevant files are cert8.db, key3.db and secmod.db).<br>
> > > You should also find a pwdfile.txt in the same directory, containing the NSS DB password. Check that the password is valid using<br>
> > > certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
> > > (if the command succeeds then the password in pwdfile is OK).<br>
> > ><br>
> > > You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting "LogLevel debug", and check the output in /var/log/httpd/error_log.<br>
> > ><br>
> > > HTH,<br>
> > > Flo.<br>
> > ><br>
> > > Thanks, Morgan<br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Manage your subscription for the Freeipa-users mailing list:<br>
> > ><br>
> ><br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br>
> > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
> > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div></div></div>
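The checks suggested in the quoted advice above (which NSS database httpd is configured to use, who owns its files, and whether the nickname is really listed), as an added shell example that is not part of the original thread. The function names are hypothetical, NSSNickname is assumed to be the directive that names 'Server-Cert' in nss.conf, and the sample listing is constructed from the certutil output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): offline helpers for the suggested checks.
# Function names are hypothetical; paths and nicknames are the ones quoted above.

# Print the value of the last uncommented directive $2 in Apache config file $1.
nss_directive() {
    awk -v d="$2" '
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); gsub(/^"|"$/, ""); v = $0 }
        END { if (v == "") exit 1; print v }' "$1"
}

# Read `certutil -L` output on stdin; succeed only if nickname $1 is listed exactly.
# Nicknames can contain spaces, so strip the trailing trust-flags column
# instead of splitting on whitespace.
listing_has_nickname() {
    sed -n 's/[[:space:]]\{1,\}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//p' |
        grep -Fxq -- "$1"
}

# Succeed only if the three legacy DB files exist in $1 and are owned by $2 (user:group).
db_files_owned_by() {
    for f in cert8.db key3.db secmod.db; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
        owner=$(stat -c '%U:%G' "$1/$f") || return 1
        [ "$owner" = "$2" ] || { echo "$1/$f is $owner, expected $2" >&2; return 1; }
    done
}

# $1 = nss.conf path; stdin = `certutil -L -d <db>` output for the configured DB.
diagnose() {
    db=$(nss_directive "$1" NSSCertificateDatabase) || { echo "no NSSCertificateDatabase in $1"; return 2; }
    nick=$(nss_directive "$1" NSSNickname) || { echo "no NSSNickname in $1"; return 2; }
    if listing_has_nickname "$nick"; then
        echo "OK: '$nick' present in $db"
    else
        echo "MISSING: '$nick' not in listing for $db"; return 1
    fi
}

# Constructed sample input: the listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Signing-Cert                                  u,u,u
ipaCert                                       u,u,u
Server-Cert                                   Pu,u,u
IPA.MYDOMAIN.COM IPA CA                       CT,C,C
EOF
}
```

On the server, pipe the real listing in (certutil -L -d /etc/httpd/alias/ | diagnose /etc/httpd/conf.d/nss.conf) and run db_files_owned_by /etc/httpd/alias root:apache; running the listing as the apache user rather than root shows what httpd itself can read.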