Julian Gethmann wrote:
> Hallo,
>
> On 08/14/2017 04:21 PM, Rob Crittenden wrote:
>> Julian Gethmann via FreeIPA-users wrote:
>>> Hallo,
>>>
>>> Unfortunately I don't know when this problem occurred first, but it may
>>> have occurred after an update.
>>> The httpd does not start and aborts with the error
>>>
>>> [:info] [pid 15383] Using nickname Server-Cert.
>>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>>
>>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>>> or "systemctl start httpd"
>>> If I turn the NSSEngine off it starts of course.
>>>
>>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>>> Server-Cert" does find a certificate, if I get the output [1] right.
>>
>> ipa-getcert shows certs that are tracked by certmonger but doesn't
>> guarantee that those certificates actually exist in the filesystem (they
>> did at the time tracking was started).
>>
>> You need to look at the Apache NSS database:
>>
>> # certutil -L -d /etc/httpd/alias
> Ok, I also did this, but it seems to be there
> # certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                    u,u,u
> ipaCert                                         u,u,u
> Server-Cert                                     Pu,u,u
> EXAMPLE.COM IPA CA                              CT,C,C
I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640

If that checks out, look for SELinux issues by starting httpd then running:

ausearch -m AVC -ts recent

As a last resort perhaps the NSS database is corrupted. You can exercise it with:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f /etc/httpd/alias/pwdfile.txt

You should get:

certutil: certificate is valid

rob

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
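As an added example (not from the thread or from FreeIPA itself), a small Python check for the step Rob describes: it parses a `certutil -L` listing like the one Julian pasted and reports whether the `Server-Cert` nickname is present and carries the `u` flag in the SSL slot, which is what tells you the database holds the private key and not just the certificate. The sample listing is constructed from the thread; the parsing of nicknames and trust flags assumes the column layout certutil uses.

```python
import re
from typing import Dict, Optional

# Constructed sample (assumption): the listing Julian pasted, as certutil -L prints it.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""

# A trust-attribute triple: three comma-separated groups of NSS flag letters.
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attributes from 'certutil -L' output."""
    certs = {}
    for line in text.splitlines():
        # Nicknames may contain spaces, so the flags are the last token
        # and the nickname is everything before it; header lines don't match.
        nickname, _, flags = line.rstrip().rpartition(" ")
        nickname = nickname.strip()
        if nickname and TRUST_RE.match(flags):
            certs[nickname] = flags
    return certs


def check_server_cert(certs: Dict[str, str], nickname: str = "Server-Cert") -> Optional[str]:
    """Return None if the nickname can serve TLS, otherwise the reason it can't."""
    flags = certs.get(nickname)
    if flags is None:
        return f"nickname {nickname!r} not in database"
    # 'u' in the SSL slot means the database also holds the private key;
    # a certificate that is listed without it cannot be used by mod_nss.
    ssl_flags = flags.split(",")[0]
    if "u" not in ssl_flags:
        return f"{nickname!r} has no private key in database (SSL flags {ssl_flags!r})"
    return None
```

Feed it the output of `certutil -L -d /etc/httpd/alias` on the affected host; if it reports the nickname as usable and httpd still fails, the permission and SELinux checks above are the next stop.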