<div dir="ltr"><div>What do you mean by backup database?<br><br></div>Updating the mod_nss RPM again, Apache doesn't start ... so this is the problem.<br><div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-18 15:43 GMT+01:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Morgan Marodin wrote:<br>
> It works!<br>
> Thanks for your support.<br>
><br>
> Anyway, I will try to update the mod_nss package again! :D<br>
<br>
</span>Glad it's working for you. I'm curious what the backup database was for.<br>
Did you create that?<br>
<br>
rob<br>
<span class=""><br>
> Bye!<br>
><br>
><br>
> 2016-11-18 15:21 GMT+01:00 Morgan Marodin <<a href="mailto:morgan@marodin.it">morgan@marodin.it</a>>:<br>
</span>
><br>
> A little good news.<br>
><br>
> Downgrading the mod_nss RPM package, and restoring the original<br>
> /etc/httpd/alias folder, the ipa-server-upgrade procedure has<br>
> finished well:<br>
> # ipa-server-upgrade<br>
<div><div class="h5">> Upgrading IPA:<br>
> [1/10]: stopping directory server<br>
> [2/10]: saving configuration<br>
> [3/10]: disabling listeners<br>
> [4/10]: enabling DS global lock<br>
> [5/10]: starting directory server<br>
> [6/10]: updating schema<br>
> [7/10]: upgrading server<br>
> [8/10]: stopping directory server<br>
> [9/10]: restoring configuration<br>
> [10/10]: starting directory server<br>
> Done.<br>
> Update complete<br>
> Upgrading IPA services<br>
> Upgrading the configuration of the IPA services<br>
> [Verifying that root certificate is published]<br>
> [Migrate CRL publish directory]<br>
> CRL tree already moved<br>
> [Verifying that CA proxy configuration is correct]<br>
> [Verifying that KDC configuration is using ipa-kdb backend]<br>
> [Fix DS schema file syntax]<br>
> Syntax already fixed<br>
> [Removing RA cert from DS NSS database]<br>
> RA cert already removed<br>
> [Enable sidgen and extdom plugins by default]<br>
> [Updating HTTPD service IPA configuration]<br>
> [Updating mod_nss protocol versions]<br>
> Protocol versions already updated<br>
> [Updating mod_nss cipher suite]<br>
> [Fixing trust flags in /etc/httpd/alias]<br>
> Trust flags already processed<br>
> [Exporting KRA agent PEM file]<br>
> KRA is not enabled<br>
> [Removing self-signed CA]<br>
> [Removing Dogtag 9 CA]<br>
> [Checking for deprecated KDC configuration files]<br>
> [Checking for deprecated backups of Samba configuration files]<br>
> [Setting up Firefox extension]<br>
> [Add missing CA DNS records]<br>
> IPA CA DNS records already processed<br>
> [Removing deprecated DNS configuration options]<br>
> [Ensuring minimal number of connections]<br>
> [Enabling serial autoincrement in DNS]<br>
> [Updating GSSAPI configuration in DNS]<br>
> [Updating pid-file configuration in DNS]<br>
> [Checking global forwarding policy in named.conf to avoid conflicts<br>
> with automatic empty zones]<br>
> Global forward policy in named.conf will be changed to "only" to<br>
> avoid conflicts with automatic empty zones<br>
> [Adding server_id to named.conf]<br>
> Changes to named.conf have been made, restart named<br>
> Custodia service is being configured<br>
> Configuring ipa-custodia<br>
> [1/5]: Generating ipa-custodia config file<br>
> [2/5]: Making sure custodia container exists<br>
> [3/5]: Generating ipa-custodia keys<br>
> [4/5]: starting ipa-custodia<br>
> [5/5]: configuring ipa-custodia to start on boot<br>
> Done configuring ipa-custodia.<br>
> [Upgrading CA schema]<br>
> CA schema update complete<br>
> [Verifying that CA audit signing cert has 2 year validity]<br>
> [Update certmonger certificate renewal configuration to version 5]<br>
> Configuring certmonger to stop tracking system certificates for CA<br>
> Certmonger certificate renewal configuration updated to version 5<br>
> [Enable PKIX certificate path discovery and validation]<br>
> PKIX already enabled<br>
> [Authorizing RA Agent to modify profiles]<br>
> [Authorizing RA Agent to manage lightweight CAs]<br>
> [Ensuring Lightweight CAs container exists in Dogtag database]<br>
> [Adding default OCSP URI configuration]<br>
> pki-tomcat configuration changed, restart pki-tomcat<br>
> [Ensuring CA is using LDAPProfileSubsystem]<br>
> [Migrating certificate profiles to LDAP]<br>
> [Ensuring presence of included profiles]<br>
> [Add default CA ACL]<br>
> Default CA ACL already added<br>
> [Set up lightweight CA key retrieval]<br>
> Creating principal<br>
> Retrieving keytab<br>
> Creating Custodia keys<br>
> Configuring key retriever<br>
> The IPA services were upgraded<br>
</div></div>> The ipa-server-upgrade command was successful<br>
<span class="">><br>
> And Apache has started, BUT there is a problem with the web certificate:<br>
</span>> # tail -f /var/log/httpd/error_log<br>
> [Fri Nov 18 15:14:43.002268 2016] [:info] [pid 18673] Connection to child 2 established (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)<br>
> [Fri Nov 18 15:14:43.207349 2016] [:info] [pid 18673] SSL input filter read failed.<br>
> [Fri Nov 18 15:14:43.207389 2016] [:error] [pid 18673] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication<br>
> [Fri Nov 18 15:14:43.207460 2016] [:info] [pid 18673] Connection to child 2 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.252)<br>
<span class="">><br>
> How do you suggest I go on with my issue?<br>
><br>
> Thanks, Morgan<br>
><br>
> 2016-11-18 12:11 GMT+01:00 Morgan Marodin <<a href="mailto:morgan@marodin.it">morgan@marodin.it</a>>:<br>
</span>
<span class="">><br>
> I've tried to add it to a new test folder, with a new<br>
</span>> certificate nickname, and then to replace it in nss.conf.<br>
><br>
> But the problem persists:<br>
> # certutil -V -u V -d /etc/httpd/test -n ipa01cert<br>
> certutil: certificate is valid<br>
><br>
> # tail -f /var/log/httpd/error_log<br>
> [Fri Nov 18 12:09:39.513833 2016] [suexec:notice] [pid 11552] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> [Fri Nov 18 12:09:39.514266 2016] [:warn] [pid 11552] NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> [Fri Nov 18 12:09:39.514299 2016] [:debug] [pid 11552] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipa01cert<br>
> [Fri Nov 18 12:09:39.824880 2016] [:error] [pid 11552] The server key database has not been initialized.<br>
> [Fri Nov 18 12:09:39.832443 2016] [:info] [pid 11552] Configuring server for SSL protocol<br>
> ...<br>
> [Fri Nov 18 12:09:39.832676 2016] [:info] [pid 11552] Using nickname ipa01cert.<br>
> [Fri Nov 18 12:09:39.832678 2016] [:error] [pid 11552] Certificate not found: 'ipa01cert'<br>
><br>
> I've found this guide:<br>
<span class="">> Combine the server cert and key into a single file<br>
> # cat localhost.crt > Server-Cert.txt<br>
> # cat localhost.key >> Server-Cert.txt<br>
> Convert the server cert into a p12 file<br>
> # openssl pkcs12 -export -in Server-Cert.txt -out Server-Cert.p12 -name "Server-Cert"<br>
> Now import the public and private keys into the database at the same time.<br>
> # pk12util -i /tmp/cert-files/Server-Cert.p12 -d /etc/httpd/alias -n Server-Cert<br>
</span>
<span class="">><br>
> Where is the certificate key file stored?<br>
><br>
> Thanks, Morgan<br>
><br>
><br>
> 2016-11-18 10:39 GMT+01:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com">flo@redhat.com</a>>:<br>
</span>
<span class="">><br>
> On 11/18/2016 10:04 AM, Morgan Marodin wrote:<br>
><br>
> Hi Florence.<br>
><br>
> I've tried to configure the wrong certificate in<br>
> nss.conf (ipaCert),<br>
> and with this Apache started.<br>
> So I think the problem is in the Server-Cert stored in<br>
> /etc/httpd/alias, even if all manual checks are ok.<br>
><br>
> These are logs with the wrong certificate test:<br>
> # tail -f /var/log/httpd/error_log<br>
> [Fri Nov 18 09:34:32.583700 2016] [suexec:notice] [pid 7709] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> [Fri Nov 18 09:34:32.584142 2016] [:warn] [pid 7709] NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> [Fri Nov 18 09:34:32.584178 2016] [:debug] [pid 7709] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> ipaCert<br>
</span><div><div class="h5">
><br>
> [Fri Nov 18 09:34:32.844487 2016] [:info] [pid 7709]<br>
> Configuring server<br>
> for SSL protocol<br>
> [Fri Nov 18 09:34:32.844635 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> [Fri Nov 18 09:34:32.844657 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> [Fri Nov 18 09:34:32.844668 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> [Fri Nov 18 09:34:32.844677 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> [Fri Nov 18 09:34:32.844684 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> [Fri Nov 18 09:34:32.844738 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> [Fri Nov 18 09:34:32.844746 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(916): Enabling DHE key exchange<br>
> [Fri Nov 18 09:34:32.844760 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> permitted SSL<br>
> ciphers<br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> [Fri Nov 18 09:34:32.844825 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> ...<br>
> [Fri Nov 18 09:34:32.845105 2016] [:debug] [pid 7709]<br>
> nss_engine_init.c(1140): Enable cipher:<br>
> ecdhe_rsa_aes_128_gcm_sha_256<br>
> [Fri Nov 18 09:34:32.845110 2016] [:info] [pid 7709]<br>
> Using nickname ipaCert.<br>
> [Fri Nov 18 09:34:32.847451 2016] [:error] [pid 7709]<br>
> Misconfiguration<br>
> of certificate's CN and virtual name. The certificate CN<br>
> has IPA RA. We<br>
> expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</div></div>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
<span class="">> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>><br>
> as virtual name.<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:028056%202016" value="+390280562016">028056 2016</a> <tel:028056%202016>]<br>
<span class="">> [auth_digest:notice] [pid 7709]<br>
> AH01757: generating secret for digest authentication ...<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:030039%202016" value="+390300392016">030039 2016</a> <tel:030039%202016>]<br>
<span class="">> [lbmethod_heartbeat:notice] [pid 7709]<br>
> AH02282: No slotmem from mod_heartmonitor<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:030122%202016" value="+390301222016">030122 2016</a> <tel:030122%202016>]<br>
<span class="">> [:warn] [pid 7709]<br>
> NSSSessionCacheTimeout is deprecated. Ignoring.<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:030176%202016" value="+390301762016">030176 2016</a> <tel:030176%202016>]<br>
<span class="">> [:debug] [pid 7709]<br>
> nss_engine_init.c(454): SNI: <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</span>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>> -> ipaCert<br>
><br>
> [Fri Nov 18 09:34:33.<a href="tel:051481%202016" value="+390514812016">051481 2016</a> <tel:051481%202016>]<br>
<span class="">> [mpm_prefork:notice] [pid 7709]<br>
> AH00163: Apache/2.4.6 () mod_auth_gssapi/1.4.0<br>
> mod_auth_kerb/5.4<br>
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4<br>
> Python/2.7.5 configured<br>
> -- resuming normal operations<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:051551%202016" value="+390515512016">051551 2016</a> <tel:051551%202016>]<br>
<span class="">> [core:notice] [pid 7709] AH00094:<br>
> Command line: '/usr/sbin/httpd -D FOREGROUND'<br>
> [Fri Nov 18 09:34:33.096050 2016] [proxy:debug] [pid 7717]<br>
> proxy_util.c(1838): AH00924: worker ajp://localhost<br>
> shared already<br>
> initialized<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:096163%202016" value="+390961632016">096163 2016</a> <tel:096163%202016>]<br>
<span class="">> [proxy:debug] [pid 7717]<br>
> proxy_util.c(1880): AH00926: worker ajp://localhost<br>
> local already<br>
> initialized<br>
> ...<br>
> [Fri Nov 18 09:34:33.105626 2016] [proxy:debug] [pid 7719]<br>
> proxy_util.c(1838): AH00924: worker<br>
> unix:/run/httpd/ipa-custodia.<wbr>sock|<a href="http://localhost/keys/" rel="noreferrer" target="_blank">http://localhost/keys/</a><br>
> shared already<br>
> initialized<br>
> [Fri Nov 18 09:34:33.105632 2016] [proxy:debug] [pid 7719]<br>
> proxy_util.c(1880): AH00926: worker<br>
> unix:/run/httpd/ipa-custodia.<wbr>sock|<a href="http://localhost/keys/" rel="noreferrer" target="_blank">http://localhost/keys/</a><br>
> local already<br>
> initialized<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:342762%202016" value="+393427622016">342762 2016</a> <tel:342762%202016>]<br>
<span class="">> [:info] [pid 7717] Configuring server<br>
> for SSL protocol<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:342867%202016" value="+393428672016">342867 2016</a> <tel:342867%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:342880%202016" value="+393428802016">342880 2016</a> <tel:342880%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:342885%202016" value="+393428852016">342885 2016</a> <tel:342885%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
</span>> [Fri Nov 18 09:34:33.<a href="tel:342890%202016" value="+393428902016">342890 2016</a> <tel:342890%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
</span>> [Fri Nov 18 09:34:33.342894 2016 <tel:342894%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
</span>> [Fri Nov 18 09:34:33.342900 2016 <tel:342900%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(906): Disabling TLS Session Tickets<br>
</span>> [Fri Nov 18 09:34:33.342904 2016 <tel:342904%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(916): Enabling DHE key exchange<br>
</span>> [Fri Nov 18 09:34:33.342917 2016 <tel:342917%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> permitted SSL<br>
> ciphers<br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
</span>> [Fri Nov 18 09:34:33.342970 2016 <tel:342970%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> ...<br>
</span>> [Fri Nov 18 09:34:33.343233 2016 <tel:343233%202016>]<br>
<span class="">> [:debug] [pid 7717]<br>
> nss_engine_init.c(1140): Enable cipher:<br>
> ecdhe_rsa_aes_128_gcm_sha_256<br>
</span>> [Fri Nov 18 09:34:33.343237 2016 <tel:343237%202016>]<br>
<span class="">> [:info] [pid 7717] Using nickname ipaCert.<br>
</span>> [Fri Nov 18 09:34:33.344533 2016 <tel:344533%202016>]<br>
<span class="">> [:error] [pid 7717] Misconfiguration<br>
> of certificate's CN and virtual name. The certificate CN<br>
> has IPA RA. We<br>
> expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</span>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
<span class="">> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>><br>
><br>
> as virtual name.<br>
</span>> [Fri Nov 18 09:34:33.364061 2016 <tel:364061%202016>]<br>
<span class="">> [:info] [pid 7718] Configuring server<br>
> for SSL protocol<br>
</span>> [Fri Nov 18 09:34:33.364156 2016 <tel:364156%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
</span>> [Fri Nov 18 09:34:33.364167 2016 <tel:364167%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
</span>> [Fri Nov 18 09:34:33.364172 2016 <tel:364172%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
</span>> [Fri Nov 18 09:34:33.364176 2016 <tel:364176%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
</span>> [Fri Nov 18 09:34:33.364180 2016 <tel:364180%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
</span>> [Fri Nov 18 09:34:33.364187 2016 <tel:364187%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(906): Disabling TLS Session Tickets<br>
</span>> [Fri Nov 18 09:34:33.364191 2016 <tel:364191%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(916): Enabling DHE key exchange<br>
</span>> [Fri Nov 18 09:34:33.364202 2016 <tel:364202%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> permitted SSL<br>
> ciphers<br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
</span>> [Fri Nov 18 09:34:33.364240 2016 <tel:364240%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> ...<br>
</span>> [Fri Nov 18 09:34:33.364611 2016 <tel:364611%202016>]<br>
<span class="">> [:debug] [pid 7718]<br>
> nss_engine_init.c(1140): Enable cipher:<br>
> ecdhe_rsa_aes_128_gcm_sha_256<br>
</span>> [Fri Nov 18 09:34:33.364625 2016 <tel:364625%202016>]<br>
<span class="">> [:info] [pid 7718] Using nickname ipaCert.<br>
</span>> [Fri Nov 18 09:34:33.365549 2016 <tel:365549%202016>]<br>
<span class="">> [:error] [pid 7718] Misconfiguration<br>
> of certificate's CN and virtual name. The certificate CN<br>
> has IPA RA. We<br>
> expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</span>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
<span class="">> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>><br>
><br>
> as virtual name.<br>
</span>> [Fri Nov 18 09:34:33.369972 2016 <tel:369972%202016>]<br>
<span class="">> [:info] [pid 7720] Configuring server<br>
> for SSL protocol<br>
</span>> [Fri Nov 18 09:34:33.370200 2016 <tel:370200%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
</span>> [Fri Nov 18 09:34:33.370224 2016 <tel:370224%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
</span>> [Fri Nov 18 09:34:33.370239 2016 <tel:370239%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
</span>> [Fri Nov 18 09:34:33.370255 2016 <tel:370255%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
</span>> [Fri Nov 18 09:34:33.370269 2016 <tel:370269%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
</span>> [Fri Nov 18 09:34:33.370286 2016 <tel:370286%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(906): Disabling TLS Session Tickets<br>
</span>> [Fri Nov 18 09:34:33.370301 2016 <tel:370301%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(916): Enabling DHE key exchange<br>
</span>> [Fri Nov 18 09:34:33.370322 2016 <tel:370322%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> permitted SSL<br>
> ciphers<br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
</span>> [Fri Nov 18 09:34:33.370383 2016 <tel:370383%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> ...<br>
</span>> [Fri Nov 18 09:34:33.371418 2016 <tel:371418%202016>]<br>
<span class="">> [:debug] [pid 7720]<br>
> nss_engine_init.c(1140): Enable cipher:<br>
> ecdhe_rsa_aes_128_gcm_sha_256<br>
</span>> [Fri Nov 18 09:34:33.371437 2016 <tel:371437%202016>]<br>
<span class="">> [:info] [pid 7720] Using nickname ipaCert.<br>
</span>> [Fri Nov 18 09:34:33.371486 2016 <tel:371486%202016>]<br>
<span class="">> [:info] [pid 7716] Configuring server<br>
> for SSL protocol<br>
</span>> [Fri Nov 18 09:34:33.372383 2016 <tel:372383%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
</span>> [Fri Nov 18 09:34:33.372439 2016 <tel:372439%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
</span>> [Fri Nov 18 09:34:33.372459 2016 <tel:372459%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
</span>> [Fri Nov 18 09:34:33.372484 2016 <tel:372484%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
</span>> [Fri Nov 18 09:34:33.372513 2016 <tel:372513%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
</span>> [Fri Nov 18 09:34:33.372534 2016 <tel:372534%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(906): Disabling TLS Session Tickets<br>
</span>> [Fri Nov 18 09:34:33.372553 2016 <tel:372553%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(916): Enabling DHE key exchange<br>
</span>> [Fri Nov 18 09:34:33.372580 2016 <tel:372580%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> permitted SSL<br>
> ciphers<br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
</span>> [Fri Nov 18 09:34:33.372627 2016 <tel:372627%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> ...<br>
</span>> [Fri Nov 18 09:34:33.373712 2016 <tel:373712%202016>]<br>
<span class="">> [:debug] [pid 7716]<br>
> nss_engine_init.c(1140): Enable cipher:<br>
> ecdhe_rsa_aes_128_gcm_sha_256<br>
</span>> [Fri Nov 18 09:34:33.373734 2016 <tel:373734%202016>]<br>
<span class="">> [:info] [pid 7716] Using nickname ipaCert.<br>
</span>> [Fri Nov 18 09:34:33.374652 2016 <tel:374652%202016>]<br>
<span class="">> [:error] [pid 7716] Misconfiguration<br>
> of certificate's CN and virtual name. The certificate CN<br>
> has IPA RA. We<br>
> expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</span>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
<span class="">> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>><br>
> as virtual name.<br>
</span>> [Fri Nov 18 09:34:33.372295 2016 <tel:372295%202016>]<br>
<span class="">> [:error] [pid 7720] Misconfiguration<br>
> of certificate's CN and virtual name. The certificate CN<br>
> has IPA RA. We<br>
> expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</span>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
<div><div class="h5">> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>><br>
><br>
> as virtual name.<br>
> [Fri Nov 18 09:34:33.412689 2016] [:info] [pid 7719]<br>
> Configuring server<br>
> for SSL protocol<br>
> [Fri Nov 18 09:34:33.412791 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> [Fri Nov 18 09:34:33.412803 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> [Fri Nov 18 09:34:33.412807 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> [Fri Nov 18 09:34:33.412812 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> [Fri Nov 18 09:34:33.412817 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> [Fri Nov 18 09:34:33.412824 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> [Fri Nov 18 09:34:33.412828 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(916): Enabling DHE key exchange<br>
> [Fri Nov 18 09:34:33.412840 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(1077): NSSCipherSuite: Configuring<br>
> permitted SSL<br>
> ciphers<br>
> [+aes_128_sha_256,+aes_256_<wbr>sha_256,+ecdhe_ecdsa_aes_128_<wbr>gcm_sha_256,+ecdhe_ecdsa_aes_<wbr>128_sha,+ecdhe_ecdsa_aes_256_<wbr>gcm_sha_384,+ecdhe_ecdsa_aes_<wbr>256_sha,+ecdhe_rsa_aes_128_<wbr>gcm_sha_256,+ecdhe_rsa_aes_<wbr>128_sha,+ecdhe_rsa_aes_256_<wbr>gcm_sha_384,+ecdhe_rsa_aes_<wbr>256_sha,+rsa_aes_128_gcm_sha_<wbr>256,+rsa_aes_128_sha,+rsa_aes_<wbr>256_gcm_sha_384,+rsa_aes_256_<wbr>sha]<br>
> [Fri Nov 18 09:34:33.412891 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(1140): Disable cipher: rsa_null_md5<br>
> ...<br>
> [Fri Nov 18 09:34:33.413159 2016] [:debug] [pid 7719]<br>
> nss_engine_init.c(1140): Enable cipher:<br>
> ecdhe_rsa_aes_128_gcm_sha_256<br>
> [Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719]<br>
> Using nickname ipaCert.<br>
> [Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719]<br>
> Misconfiguration<br>
> of certificate's CN and virtual name. The certificate CN<br>
> has IPA RA. We<br>
> expected <a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">mlv-ipa01.ipa.mydomain.com</a><br>
> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>><br>
</div></div>> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a><br>
<span class="">> <<a href="http://mlv-ipa01.ipa.mydomain.com" rel="noreferrer" target="_blank">http://mlv-ipa01.ipa.<wbr>mydomain.com</a>>><br>
> as virtual name.<br>
</span>> [Fri Nov 18 09:34:35.558286 2016] [:error] [pid 7715] ipa: WARNING: session memcached servers not running<br>
> [Fri Nov 18 09:34:35.559653 2016] [:error] [pid 7714] ipa: WARNING: session memcached servers not running<br>
> [Fri Nov 18 09:34:37.511457 2016] [:error] [pid 7714] ipa: INFO: *** PROCESS START ***<br>
> [Fri Nov 18 09:34:37.517899 2016] [:error] [pid 7715] ipa: INFO: *** PROCESS START ***<br>
<span class="">> [Fri Nov 18 09:34:51.498536 2016] [:info] [pid 7717] Connection to child 1 established (server mlv-ipa01.ipa.mydomain.com, client 192.168.0.239)<br>
> [Fri Nov 18 09:34:51.510292 2016] [:info] [pid 7717] SSL input filter read failed.<br>
> [Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key necessary for authentication<br>
</span><span class="">> [Fri Nov 18 09:34:51.510356 2016] [:info] [pid 7717] Connection to child 1 closed (server mlv-ipa01.ipa.mydomain.com:443, client 192.168.0.239)<br>
> [Fri Nov 18 09:35:18.790760 2016] [mpm_prefork:notice] [pid 7709] AH00170: caught SIGWINCH, shutting down gracefully/<br>
><br>
> Is it possible to delete /Server-Cert/ from //etc/httpd/alias/ and reimport<br>
> it from the original certificates of<br>
</span><span class="">> /mlv-ipa01.ipa.mydomain.com/?<br>
> Where are the original certificates stored?<br>
><br>
> Hi Morgan,<br>
><br>
> with ldapsearch you should be able to find the certificate:<br>
> ldapsearch -h ipaserver.ipadomain -p 389 -D "cn=directory manager" -w password -LLL -b<br>
> krbprincipalname=HTTP/ipaserver.ipadomain@IPADOMAIN,cn=services,cn=accounts,dc=IPADOMAIN<br>
><br>
> The cert will be stored in the field "usercertificate".<br>
><br>
> HTH,<br>
> Flo.<br>
><br>
> Please let me know, thanks.<br>
> Bye, Morgan<br>
><br>
> 2016-11-17 17:09 GMT+01:00 Florence Blanc-Renaud<br>
</span>> <<a href="mailto:flo@redhat.com">flo@redhat.com</a>>:<br>
><br>
><br>
<div class="HOEnZb"><div class="h5">> On 11/17/2016 04:51 PM, Morgan Marodin wrote:<br>
><br>
> Hi Rob.<br>
><br>
> I've just tried to remove the group write to the *.db files, but it's<br>
> not the problem.<br>
> /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf<br>
> NSSNickname Server-Cert/<br>
><br>
> I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it<br>
> works, services went up.<br>
> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,<br>
> /winbind.service/, /kadmin.service/, /memcached.service/ and /pki-tomcatd.target/.<br>
><br>
> But if I try to start /httpd.service/:<br>
> /[root@mlv-ipa01 ~]# tail -f /var/log/messages<br>
> Nov 17 16:46:06 mlv-ipa01 systemd[1]: Starting The Apache HTTP Server...<br>
> Nov 17 16:46:06 mlv-ipa01 ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled<br>
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE<br>
> Nov 17 16:46:07 mlv-ipa01 kill: kill: cannot find process ""<br>
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service: control process exited, code=exited status=1<br>
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Failed to start The Apache HTTP Server.<br>
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: Unit httpd.service entered failed state.<br>
> Nov 17 16:46:07 mlv-ipa01 systemd[1]: httpd.service failed./<br>
><br>
> Any other ideas?<br>
><br>
> Hi,<br>
><br>
> - Does the NSS Db contain the private key for Server-Cert? If yes,<br>
> the command<br>
> $ certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
> should display a line like this one:<br>
> < 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate DB:Server-Cert<br>
><br>
> - Is your system running with SElinux enforcing? If yes, you can<br>
> check if there were SElinux permission denials using<br>
> $ ausearch -m avc --start recent<br>
><br>
> - If the certificate was expired, I believe you would see a<br>
> different message, but it doesn't hurt to check its validity<br>
> $ certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"<br>
><br>
><br>
> Flo.<br>
><br>
><br>
> Please let me know, thanks.<br>
> Morgan<br>
><br>
> 2016-11-17 16:11 GMT+01:00 Rob Crittenden<br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>:<br>
><br>
><br>
><br>
> Morgan Marodin wrote:<br>
> > Hi Florence.<br>
> ><br>
> > Thanks for your support.<br>
> ><br>
> > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems<br>
> > that all permissions and certificates are good:<br>
> > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/<br>
> > total 184<br>
> > -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc<br>
> > -rw-rw---- 1 root apache 65536 Nov 17 11:06 cert8.db<br>
> > -rw-r-----. 1 root apache 65536 Sep 4 2015 cert8.db.orig<br>
> > -rw-------. 1 root root 4833 Sep 4 2015 install.log<br>
> > -rw-rw---- 1 root apache 16384 Nov 17 11:06 key3.db<br>
> > -rw-r-----. 1 root apache 16384 Sep 4 2015 key3.db.orig<br>
> > lrwxrwxrwx 1 root root 24 Nov 17 10:24 libnssckbi.so -> /usr/lib64/libnssckbi.so<br>
> > -rw-rw---- 1 root apache 20 Sep 7 2015 pwdfile.txt<br>
> > -rw-rw---- 1 root apache 16384 Sep 7 2015 secmod.db<br>
> > -rw-r-----. 1 root apache 16384 Sep 4 2015 secmod.db.orig/<br>
><br>
> Eventually you'll want to remove group write on the *.db files.<br>
><br>
> > And password validation seems ok, too:<br>
> > /[root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
> good<br>
><br>
> > Enabling mod-nss debug I can see these logs:<br>
> > /[root@mlv-ipa01 ~]# tail -f /var/log/httpd/error_log<br>
> > [Thu Nov 17 15:05:10.807603 2016] [suexec:notice] [pid 10660] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> > [Thu Nov 17 15:05:10.807958 2016] [:warn] [pid 10660] NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> > [Thu Nov 17 15:05:10.807991 2016] [:debug] [pid 10660] nss_engine_init.c(454): SNI: mlv-ipa01.ipa.mydomain.com -> Server-Cert<br>
> > [Thu Nov 17 15:05:11.002664 2016] [:info] [pid 10660] Configuring server for SSL protocol<br>
> > [Thu Nov 17 15:05:11.002817 2016] [:debug] [pid 10660] nss_engine_init.c(770): NSSProtocol: Enabling TLSv1.0<br>
> > [Thu Nov 17 15:05:11.002838 2016] [:debug] [pid 10660] nss_engine_init.c(775): NSSProtocol: Enabling TLSv1.1<br>
> > [Thu Nov 17 15:05:11.002847 2016] [:debug] [pid 10660] nss_engine_init.c(780): NSSProtocol: Enabling TLSv1.2<br>
> > [Thu Nov 17 15:05:11.002856 2016] [:debug] [pid 10660] nss_engine_init.c(839): NSSProtocol: [TLS 1.0] (minimum)<br>
> > [Thu Nov 17 15:05:11.002876 2016] [:debug] [pid 10660] nss_engine_init.c(866): NSSProtocol: [TLS 1.2] (maximum)<br>
> > [Thu Nov 17 15:05:11.003099 2016] [:debug] [pid 10660] nss_engine_init.c(906): Disabling TLS Session Tickets<br>
> > [Thu Nov 17 15:05:11.003198 2016] [:debug] [pid 10660] nss_engine_init.c(916): Enabling DHE key exchange<br>
> > [Thu Nov 17 15:05:11.003313 2016] [:debug] [pid 10660] nss_engine_init.c(1077): NSSCipherSuite: Configuring permitted SSL ciphers<br>
> > [+aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha]<br>
> > [Thu Nov 17 15:05:11.003469 2016] [:debug] [pid 10660]<br>
> > [Thu Nov 17 15:05:11.006759 2016] [:info] [pid 10660] Using nickname Server-Cert.<br>
> [snip]<br>
> > [Thu Nov 17 15:05:11.006771 2016] [:error] [pid 10660] Certificate not found: 'Server-Cert'<br>
><br>
> Can you show what this returns:<br>
><br>
> # grep NSSNickname /etc/httpd/conf.d/nss.conf<br>
><br>
> > Do you think there is a kerberos problem?<br>
><br>
> It definitely is not.<br>
><br>
> You can bring the system up in a minimal way by manually starting the<br>
> dirsrv@EXAMPLE.COM service and then krb5kdc. This will at least let your<br>
> users authenticate. The management framework (GUI) runs through Apache<br>
> so that will be down until we can get Apache started again.<br>
><br>
> rob<br>
><br>
> ><br>
> > Please let me know, thanks.<br>
> > Bye, Morgan<br>
> ><br>
> > 2016-11-17 14:39 GMT+01:00 Florence Blanc-Renaud<br>
> > <<a href="mailto:flo@redhat.com">flo@redhat.com</a>>:<br>
><br>
> ><br>
> > On 11/17/2016 12:09 PM, Morgan Marodin wrote:<br>
> ><br>
> > Hello.<br>
> ><br>
> > This morning I've tried to upgrade my IPA server, but the upgrade<br>
> > failed, and now the service doesn't start! :(<br>
> ><br>
> > If I try to launch the upgrade manually this is the output:<br>
> > /[root@mlv-ipa01 download]# ipa-server-upgrade<br>
> ><br>
> > Upgrading IPA:<br>
> > [1/8]: saving configuration<br>
> > [2/8]: disabling listeners<br>
> > [3/8]: enabling DS global lock<br>
> > [4/8]: starting directory server<br>
> > [5/8]: updating schema<br>
> > [6/8]: upgrading server<br>
> > [7/8]: stopping directory server<br>
> > [8/8]: restoring configuration<br>
> > Done.<br>
> > Update complete<br>
> > Upgrading IPA services<br>
> > Upgrading the configuration of the IPA services<br>
> > [Verifying that root certificate is published]<br>
> > [Migrate CRL publish directory]<br>
> > CRL tree already moved<br>
> > [Verifying that CA proxy configuration is correct]<br>
> > [Verifying that KDC configuration is using ipa-kdb backend]<br>
> > [Fix DS schema file syntax]<br>
> > Syntax already fixed<br>
> > [Removing RA cert from DS NSS database]<br>
> > RA cert already removed<br>
> > [Enable sidgen and extdom plugins by default]<br>
> > [Updating HTTPD service IPA configuration]<br>
> > [Updating mod_nss protocol versions]<br>
> > Protocol versions already updated<br>
> > [Updating mod_nss cipher suite]<br>
> > [Fixing trust flags in /etc/httpd/alias]<br>
> > Trust flags already processed<br>
> > [Exporting KRA agent PEM file]<br>
> > KRA is not enabled<br>
> > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.<br>
> > Unexpected error - see /var/log/ipaupgrade.log for details:<br>
> > CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1<br>
> > The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information/<br>
> ><br>
> > These are error logs of Apache:<br>
> > /[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)<br>
> > [Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.<br>
> > [Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'/<br>
> ><br>
> > The problem seems to be the /Server-Cert/ that could not be found.<br>
> > But if I try to execute the certutil command manually I can see it:/<br>
> > [root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/<br>
> > Certificate Nickname Trust Attributes<br>
> > SSL,S/MIME,JAR/XPI<br>
> ><br>
> > Signing-Cert u,u,u<br>
> > ipaCert u,u,u<br>
> > Server-Cert Pu,u,u<br>
> > IPA.MYDOMAIN.COM IPA CA CT,C,C/<br>
> ><br>
> > Could you help me?<br>
> > What could I try to do to restart my service?<br>
> ><br>
> > Hi,<br>
> ><br>
> > I would first make sure that httpd is using /etc/httpd/alias as NSS<br>
> > DB (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).<br>
> > Then it may be a file permission issue: the NSS DB should belong to<br>
> > root:apache (the relevant files are cert8.db, key3.db and secmod.db).<br>
> > You should also find a pwdfile.txt in the same directory, containing<br>
> > the NSS DB password. Check that the password is valid using<br>
> > certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt<br>
> > (if the command succeeds then the password in pwdfile is OK).<br>
> ><br>
> > You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by<br>
> > setting "LogLevel debug", and check the output in /var/log/httpd/error_log.<br>
> ><br>
> > HTH,<br>
> > Flo.<br>
> ><br>
> > Thanks, Morgan<br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Manage your subscription for the Freeipa-users mailing list:<br>
> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
> ><br>
> ><br>
><br>
<br>
</div></div></blockquote></div><br></div></div></div>
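The checks Flo and Rob walk Morgan through above (NSSNickname in nss.conf, certutil -K / -L, and the mod_nss messages in error_log) can be cross-checked mechanically. The following is an added example, not code from the thread or from the FreeIPA/mod_nss projects; the command output and log lines it works on are constructed inline, modelled on what is quoted in the thread (the second key id is made up), and on a live server you would pass it the real output of the same commands.

```python
"""Triage the mod_nss "Certificate not found" symptom from this thread. Added example,
not FreeIPA or mod_nss project code: it parses captured certutil/nss.conf/error_log
text, so it runs offline on the constructed samples below."""
import re
from typing import Dict, List, Optional

# mod_nss messages quoted in the thread, each mapped to the check it points at.
SIGNATURES = [
    (r"Certificate not found: '(?P<nick>[^']+)'",
     "nickname '{nick}' not found by mod_nss: compare NSSNickname with certutil -L"),
    (r"SSL Library Error: -12285",
     "certificate or private key unusable for the handshake: check certutil -K"),
    (r"Misconfiguration of certificate's CN and virtual name",
     "the selected certificate does not match the vhost: see the 'Using nickname' line"),
]

def nss_conf_nickname(nss_conf: str) -> Optional[str]:
    """NSSNickname value from nss.conf text, or None if the directive is absent."""
    m = re.search(r"^\s*NSSNickname\s+(\S+)", nss_conf, re.MULTILINE)
    return m.group(1) if m else None

def nicknames_with_keys(certutil_k: str) -> List[str]:
    """Nicknames that own a private key, from `certutil -K` output (nicknames without spaces)."""
    return re.findall(r"NSS Certificate DB:(\S+)\s*$", certutil_k, re.MULTILINE)

def listed_certs(certutil_l: str) -> Dict[str, str]:
    """Map nickname -> trust flags (SSL,S/MIME,JAR/XPI) from `certutil -L` output."""
    certs: Dict[str, str] = {}
    for line in certutil_l.splitlines():
        # Header lines carry no comma-separated flag triple, so they never match.
        m = re.match(r"^(.+?)\s+([CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$", line)
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs

def diagnose(error_log: str, nss_conf: str, certutil_k: str, certutil_l: str) -> List[str]:
    """Cross-check error_log against the NSS DB state; an empty list means healthy."""
    findings = []
    for pattern, advice in SIGNATURES:
        m = re.search(pattern, error_log)
        if m:
            findings.append(advice.format(**m.groupdict()))
    nick = nss_conf_nickname(nss_conf)
    certs, keys = listed_certs(certutil_l), nicknames_with_keys(certutil_k)
    if nick is None:
        findings.append("NSSNickname is not set in nss.conf")
    else:
        if nick not in certs:
            findings.append(f"nickname '{nick}' is not listed by certutil -L")
        elif "u" not in certs[nick].split(",")[0]:
            findings.append(f"'{nick}' lacks the 'u' SSL trust flag, so it is not a server cert")
        if nick not in keys:
            findings.append(f"no private key for '{nick}' in certutil -K output")
    used = re.findall(r"Using nickname (\S+)\.", error_log)  # what mod_nss actually loaded
    if nick and used and used[-1] != nick:
        findings.append(f"mod_nss used nickname '{used[-1]}' instead of '{nick}'")
    return findings

# Constructed samples modelled on the output quoted in the thread.
SAMPLE_NSS_CONF = "NSSCertificateDatabase /etc/httpd/alias\nNSSNickname Server-Cert\n"
SAMPLE_CERTUTIL_L = """Certificate Nickname              Trust Attributes
                                  SSL,S/MIME,JAR/XPI
Signing-Cert                      u,u,u
ipaCert                           u,u,u
Server-Cert                       Pu,u,u
IPA.MYDOMAIN.COM IPA CA           CT,C,C
"""
SAMPLE_CERTUTIL_K_OK = "< 0> rsa 01a6cbd773f3d785ffa44233148dcb8ade266ea5 NSS Certificate DB:Server-Cert\n"
# Constructed key id: here only ipaCert has a key and Server-Cert's is missing.
SAMPLE_CERTUTIL_K_NOKEY = "< 0> rsa 0123456789abcdef0123456789abcdef01234567 NSS Certificate DB:ipaCert\n"
SAMPLE_LOG_NOTFOUND = "[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'\n"
SAMPLE_LOG_WRONGNICK = ("[Fri Nov 18 09:34:33.413164 2016] [:info] [pid 7719] Using nickname ipaCert.\n"
                        "[Fri Nov 18 09:34:33.414462 2016] [:error] [pid 7719] Misconfiguration of certificate's CN and virtual name.\n"
                        "[Fri Nov 18 09:34:51.510311 2016] [:error] [pid 7717] SSL Library Error: -12285 Unable to find the certificate or key\n")
```

Calling `diagnose(error_log, nss_conf, certutil_k, certutil_l)` with the two sample logs reproduces the two situations in the thread: a nickname whose private key is absent, and mod_nss loading ipaCert instead of Server-Cert.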