Julian Gethmann wrote:
> On 08/14/2017 04:21 PM, Rob Crittenden wrote:
>> Julian Gethmann via FreeIPA-users wrote:
>>> Unfortunately I don't know when this problem occurred first, but it may
>>> have occurred after an update.
>>> The httpd does not start and aborts with the error
>>> [:info] [pid 15383] Using nickname Server-Cert.
>>> [...] [:error] [pid 15383] Certificate not found: 'Server-Cert'
>>> when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
>>> or "systemctl start httpd"
>>> If I turn the NSSEngine off it starts, of course.
>>> In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
>>> Server-Cert" does find a certificate, if I get the output right.
>> ipa-getcert shows certs that are tracked by certmonger but doesn't
>> guarantee that those certificates actually exist in the filesystem (they
>> did at the time tracking was started).
>> You need to look at the Apache NSS database:
>> # certutil -L -d /etc/httpd/alias
> Ok, I also did this, but it seems to be there
> # certutil -L -d /etc/httpd/alias
> Certificate Nickname Trust
> Signing-Cert u,u,u
> ipaCert u,u,u
> Server-Cert Pu,u,u
> EXAMPLE.COM IPA CA CT,C,C
I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640
If that checks out, look for SELinux issues by starting httpd then
running: ausearch -m AVC -ts recent
As a last resort perhaps the NSS database is corrupted. You can exercise
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
You should get: certutil: certificate is valid
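As an added example (not from this thread or from FreeIPA itself), a small POSIX shell helper that automates the two checks suggested above: file ownership/mode of the NSS database and certutil's own validation of the Server-Cert nickname. It assumes GNU stat on Linux and, for the second function, that certutil is on PATH; it omits the trailing `-f` because certutil expects a password-file path after it.

```shell
#!/bin/sh
# Check that every NSS database file in a directory has the owner, group
# and mode httpd's NSS module needs (root:apache 0640 for /etc/httpd/alias).
# Prints one line per offending file; returns 0 if all files are fine,
# 1 otherwise. Assumes GNU stat (Linux).
check_nss_db_perms() {
    dir=$1; want_owner=$2; want_group=$3; want_mode=$4
    rc=0
    for f in "$dir"/*.db; do
        [ -e "$f" ] || { echo "no *.db files in $dir"; return 1; }
        actual=$(stat -c '%U:%G %a' "$f")
        if [ "$actual" != "$want_owner:$want_group $want_mode" ]; then
            echo "BAD  $f  is $actual, want $want_owner:$want_group $want_mode"
            rc=1
        fi
    done
    return $rc
}

# Ask NSS itself whether the nickname resolves to a valid SSL server
# certificate (-u V). A missing nickname or a damaged database gives a
# non-zero exit status, which is what httpd's "Certificate not found" hides.
verify_server_cert() {
    dir=$1; nick=$2
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    certutil -V -u V -n "$nick" -d "$dir" -e
}
```

Typical use on the affected host: `check_nss_db_perms /etc/httpd/alias root apache 640 && verify_server_cert /etc/httpd/alias Server-Cert`.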
FreeIPA-users mailing list -- email@example.com