On 08/14/2017 09:51 PM, Rob Crittenden wrote:
Julian Gethmann wrote:
On 08/14/2017 05:46 PM, Rob Crittenden wrote:
Julian Gethmann wrote:
Hello,

On 08/14/2017 04:21 PM, Rob Crittenden wrote:
Julian Gethmann via FreeIPA-users wrote:
Hello,

Unfortunately I don't know when this problem occurred first, but it may have occurred after an update.
The httpd does not start and aborts with the error

[:info] [pid 15383] Using nickname Server-Cert.
[...] [:error] [pid 15383] Certificate not found: 'Server-Cert'

when I want to start FreeIPA via "systemctl start ipa" or "ipactl start" or "systemctl start httpd". If I turn the NSSEngine off it starts, of course.

In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n Server-Cert" does find a certificate, if I get the output [1] right.

ipa-getcert shows certs that are tracked by certmonger but doesn't guarantee that those certificates actually exist in the filesystem (they did at the time tracking was started).

You need to look at the Apache NSS database:

# certutil -L -d /etc/httpd/alias
Ok, I also did this, but it seems to be there
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C


I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640
OK, the DBs were "root:apache 0660", but they were readable at least, and making them 0640 did not help either.

If that checks out, look for SELinux issues by starting httpd then running: ausearch -m AVC -ts recent
I disabled SELinux for testing it, but that did not work. Now I also tested:
# ausearch -m AVC -ts recent
<no matches>


As a last resort perhaps the NSS database is corrupted. You can exercise it with:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f /etc/httpd/alias/pwdfile.txt

You should get: certutil: certificate is valid

I do get it:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f /etc/httpd/alias/pwdfile.txt
certutil: certificate is valid


If I just want to start httpd and not via IPA or with --force I get a different error, which I think might be because the services started before httpd in the IPA start-up-phase aren't running since the start of IPA aborted:

-- Unit httpd.service has begun starting up.
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa      : ERROR    Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: Traceback (most recent call last):
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File "/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.con.do_bind(timeout=self.time_limit)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.do_external_bind(pw_name, timeout=timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__bind_with_wait(self.external_bind, timeout, user_name)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: self.__wait_for_connection(timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: wait_for_open_socket(lurl.hostport, timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 13
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: raise e
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: error: [Errno 111] Connection refused
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa      : ERROR    Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com systemd[1]: httpd.service: Control process exited, code=exited status=1
Aug 14 19:05:14 ipa_server.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s
Aug 14 19:05:14 ipa_server.example.com systemd[1]: Failed to start The Apache HTTP Server.


The KDC proxy needs to talk to LDAP. If you want to continue down this road you can edit /etc/systemd/system/httpd.service.d/ipa.conf and comment out the ExecStartPre command, run systemctl daemon-reload and try to start Apache (you just really need to remember to undo this).
Ok. Now the error is "Certificate not found: 'Server-Cert'" again.

That is a very strange and unexpected error out of mod_nss. What distro are you running and what version of mod_nss?
Fedora Server 26
Version: 1.0.14 Release: 3.fc26

Can you share your nss.conf?
Sure, https://paste.fedoraproject.org/paste/HAEpFrh3reUlZZoCpARAXA

rob

Thanks.

Julian
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
