Jan Cholasta wrote:
On 18.3.2016 15:12, Martin Babinsky wrote:
On 03/17/2016 05:36 PM, Martin Basti wrote:

Patch attached.

Hi Martin,

Nitpick attack:

Please fix the commit message: "File httpd.service was created by RPM,
what causes that httpd service may", should be "..., which causes"

Otherwise the code looks good and works as expected.

However, you still cannot start httpd.service after ipa-server
uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss
to fail (see http error_log):

[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error: -8177 The security password entered is incorrect


I guess that this is beyond this patch, since I think it is related to
https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing
Jan who owns the ticket.

It seems so, on uninstall we restore mod_nss config, so httpd uses the
default password (whatever that is), but the database still uses the
password set by us on install.

The default password is blank, so no auth is required.

IIRC the reason we didn't move NSS databases around between installs is the case where there is already a private key that needs to be maintained.
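The failure signature from the error_log quoted in this thread, as an added example that is not part of the original messages or of FreeIPA: a small triage script that flags any httpd pid whose mod_nss initialization failed with NSS error -8177 (SEC_ERROR_BAD_PASSWORD) and reports which certificate database rejected the password. The function name and the pid 2100 sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache 2.4 error_log line: [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]*):(?P<level>\w+)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
DB_RE = re.compile(r"NSS initialization failed\. Certificate database: (?P<db>\S+?)\.?$")
BAD_PASSWORD_CODE = "-8177"  # NSS SEC_ERROR_BAD_PASSWORD, as seen in the thread's log

# The log lines from the thread, unwrapped, plus one constructed line
# (pid 2100) that lacks the bad-password code and must not be flagged.
SAMPLE_LOG = """\
[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error: -8177 The security password entered is incorrect
[Fri Mar 18 12:50:00.000000 2016] [:error] [pid 2100] NSS initialization failed. Certificate database: /etc/httpd/alias.
"""

def find_nss_password_mismatch(log_text):
    """Return one finding per httpd pid whose NSS init failed on a bad password."""
    by_pid = defaultdict(lambda: {"db": None, "bad_password": False, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "error":
            continue  # skip unparsable lines and non-error levels
        state = by_pid[m["pid"]]
        state["first_seen"] = state["first_seen"] or m["ts"]
        db = DB_RE.search(m["msg"])
        if db:
            state["db"] = db["db"]
        if f"SSL Library Error: {BAD_PASSWORD_CODE}" in m["msg"]:
            state["bad_password"] = True
    # Require both signals from the same pid: a failed init that names the
    # database, and the bad-password error code.
    return [
        {"pid": int(pid), "database": s["db"], "first_seen": s["first_seen"]}
        for pid, s in by_pid.items()
        if s["db"] and s["bad_password"]
    ]

if __name__ == "__main__":
    for hit in find_nss_password_mismatch(SAMPLE_LOG):
        print(f"pid {hit['pid']}: password for {hit['database']} rejected at {hit['first_seen']}")
```

A hit after uninstall matches the situation described above: the restored mod_nss configuration no longer supplies the password that the existing database was created with.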


