Fuji San via FreeIPA-users wrote:
> Ok I figured out what happened.
> 
> After the upgrade to F26, the file /etc/httpd/conf.d/ssl.conf has been 
> modified somehow, preventing the httpd server from starting.
> 
> Line 5 : Listen 443 https
> I had to comment it.
> 
> Line 61: #ServerName myserver.mydomain:443
> I had to uncomment it. Somehow it was commented!
> 
> Line 103: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> Line 104: #SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
> Line 103 was added and the next line (the original one) was commented. So I 
> removed line 103 and uncommented line 104.
> 
> Line 112: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> Line 113: #SSLCertificateKeyFile /etc/pki/tls/private/myserver.mydonmain.key
> Same here, I removed line 112 and uncommented line 113.
> 
> So, the question is: What happened?

Hard to say. IPA does absolutely nothing with mod_ssl so my guess is
that someone installed the package at some point between the last
restart and the upgrade.

I'd recommend uninstalling mod_ssl completely.

rob

> 
> 
> 
> -------------------------------------------
> $ ipa-server-upgrade 
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> /etc/dirsrv/slapd-mydomain/certmap.conf is now managed by IPA. It will be 
> overwritten. A backup of the original will be made.
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts with 
> automatic empty zones]
> Changes to named.conf have been made, restart named
> [Upgrading CA schema]
> CA schema update complete (no changes)
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
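The four ssl.conf states described in the quoted message can be checked mechanically after an upgrade. The sketch below is an added example, not part of the original thread or of FreeIPA; the function name, the sample file body and the choice of checks are assumptions derived from the lines quoted above.

```python
import re

# Stock values quoted in the thread; treating them as a sign that the packaged
# mod_ssl defaults are active is an assumption of this example.
STOCK_VALUES = {
    "sslcertificatefile": "/etc/pki/tls/certs/localhost.crt",
    "sslcertificatekeyfile": "/etc/pki/tls/private/localhost.key",
}

def audit_ssl_conf(text):
    """Return sorted (line_number, message) findings for an ssl.conf body."""
    findings = []
    active_name, commented_name = False, None
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        commented = line.startswith("#")
        parts = line.lstrip("#").split()
        if len(parts) < 2:
            continue  # blank line, bare comment, or directive without a value
        name, value = parts[0].lower(), parts[1]
        if name == "servername":
            if commented:
                commented_name = commented_name or num
            else:
                active_name = True
        if commented:
            continue
        # Match "443", "0.0.0.0:443", "[::]:443" but not "8443".
        if name == "listen" and re.fullmatch(r"(.*:)?443", value):
            findings.append((num, "active Listen on port 443"))
        elif STOCK_VALUES.get(name) == value:
            findings.append((num, f"{parts[0]} points at the localhost default"))
    if commented_name and not active_name:
        findings.append((commented_name, "ServerName only present as a comment"))
    return sorted(findings)

# Constructed sample reproducing the post-upgrade state described in the thread.
SAMPLE = """\
Listen 443 https
<VirtualHost _default_:443>
#ServerName myserver.mydomain:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

if __name__ == "__main__":
    for num, message in audit_ssl_conf(SAMPLE):
        print(f"ssl.conf:{num}: {message}")
```
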