On 11/17/2016 12:09 PM, Morgan Marodin wrote:
This morning I've tried to upgrade my IPA server, but the upgrade
failed, and now the service doesn't start! :(
If I try to launch the upgrade manually this is the output:
[root@mlv-ipa01 download]# ipa-server-upgrade
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[5/8]: updating schema
[6/8]: upgrading server
[7/8]: stopping directory server
[8/8]: restoring configuration
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service'
returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
These are error logs of Apache:
[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
The problem seems to be the Server-Cert that could not be found.
But if I try to execute the certutil command manually I can see it:
[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust
IPA.MYDOMAIN.COM IPA
Could you help me?
What could I try to do to restart my service?
I would first make sure that httpd is using /etc/httpd/alias as NSS DB
(check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf).
Then it may be a file permission issue: the NSS DB should belong to
root:apache (the relevant files are cert8.db, key3.db and secmod.db).
You should also find a pwdfile.txt in the same directory, containing the
NSS DB password. Check that the password is valid using
certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
(if the command succeeds then the password in pwdfile is OK).
You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting
"LogLevel debug", and check the output in /var/log/httpd/error_log.
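The checks in the reply above (which NSS DB httpd is configured to use, whether the DB files are owned by root:apache, whether the pwdfile.txt password opens the key DB, and whether the Server-Cert nickname is present) can be scripted so they are repeatable after an upgrade. The script below is an added example, not code from the thread or from the FreeIPA project; it assumes the default paths named in the thread (/etc/httpd/conf.d/nss.conf, /etc/httpd/alias), a Linux host with GNU stat, and that certutil is installed for the two certutil-based checks (those return 2 and print a message when it is not). Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): post-upgrade sanity checks for the
# NSS database that mod_nss in httpd uses, following the reply's advice.

# Print the NSSCertificateDatabase value from nss.conf (first active line).
# Assumed default: /etc/httpd/conf.d/nss.conf
nss_db_from_conf() {
    conf="${1:-/etc/httpd/conf.d/nss.conf}"
    awk '$1 == "NSSCertificateDatabase" { print $2; exit }' "$conf"
}

# Check that the DB files exist and are owned by the expected owner:group
# (root:apache per the reply). Prints each problem; returns 0 when all OK.
check_nss_db_ownership() {
    dir="$1"; want="${2:-root:apache}"
    rc=0
    for f in cert8.db key3.db secmod.db pwdfile.txt; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        have=$(stat -c '%U:%G' "$p")   # GNU stat (Linux) assumed
        if [ "$have" != "$want" ]; then
            echo "bad owner: $p is $have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Verify the password in pwdfile.txt unlocks the key DB (certutil -K).
# Returns certutil's status; 2 if certutil is not installed.
check_nss_db_password() {
    dir="$1"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    certutil -K -d "$dir" -f "$dir/pwdfile.txt" >/dev/null 2>&1
}

# Verify that a certificate with the given nickname is in the DB.
# Returns certutil's status; 2 if certutil is not installed.
check_server_cert_present() {
    dir="$1"; nick="${2:-Server-Cert}"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 2; }
    certutil -L -d "$dir" -n "$nick" >/dev/null 2>&1
}

# Run all checks against the DB that nss.conf points to.
check_httpd_nss_db() {
    conf="${1:-/etc/httpd/conf.d/nss.conf}"
    db=$(nss_db_from_conf "$conf")
    echo "httpd NSS DB: ${db:-<not set>}"
    [ -n "$db" ] || return 1
    check_nss_db_ownership "$db" && echo "ownership OK"
    check_nss_db_password "$db" && echo "pwdfile.txt password OK"
    check_server_cert_present "$db" && echo "Server-Cert found"
}

# Usage: sh check_nss.sh /etc/httpd/conf.d/nss.conf
if [ "$#" -gt 0 ]; then
    check_httpd_nss_db "$1"
fi
```

Run it as root on the IPA server; a "missing" or "bad owner" line points at the permission problem the reply describes, and a failing certutil -K means the pwdfile.txt password does not match the key DB.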
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project