Julian Gethmann wrote:
> Hallo,
> On 08/14/2017 04:21 PM, Rob Crittenden wrote:
>> Julian Gethmann via FreeIPA-users wrote:
>>> Hallo,
>>> Unfortunately I don't know when this problem occurred first, but it may
>>> have occurred after an update.
>>> The httpd does not start and aborts with the error
>>> [:info] [pid 15383] Using nickname Server-Cert.
>>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>>> or "systemctl start httpd"
>>> If I turn the NSSEngine off it starts of cause.
>>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>>> Server-Cert" does find a certificate, if I get the output [1] right.
>> ipa-getcert shows certs that are tracked by certmonger but doesn't
>> guarantee that those certificates actually exist in the filesystem (they
>> did at the time tracking was started).
>> You need to look at the Apache NSS database:
>> # certutil -L -d /etc/httpd/alias
> Ok, I also did this, but it seems to be there
> # certutil -L -d /etc/httpd/alias
> Certificate Nickname                                         Trust
> Attributes
> Signing-Cert                                                 u,u,u
> ipaCert                                                      u,u,u
> Server-Cert                                                  Pu,u,u
> EXAMPLE.COM IPA CA                                           CT,C,C

I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640

If that checks out, look for SELinux issues by starting httpd then
running: ausearch -m AVC -ts recent

As a last resort perhaps the NSS database is corrupted. You can exercise
it with:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f

You should get: certutil: certificate is valid

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to