On 11/17/2016 12:09 PM, Morgan Marodin wrote:

This morning I've tried to upgrade my IPA server, but the upgrade
failed, and now the service doesn't start! :(

If I try lo launch the upgrade manually this is the output:
/[root@mlv-ipa01 download]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service'
returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information/

These are error logs of Apache:
/[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not
found: 'Server-Cert'/

The problem seems to be the /Server-Cert /that could not be found.
But if I try to execute the certutil command manually I can see it:/
[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
CA                                    CT,C,C/

Could you help me?
What could I try to do to restart my service?


I would first make sure that httpd is using /etc/httpd/alias as NSS DB (check the directive NSSCertificateDatabase in /etc/httpd/conf.d/nss.conf). Then it may be a file permission issue: the NSS DB should belong to root:apache (the relevant files are cert8.db, key3.db and secmod.db). You should also find a pwdfile.txt in the same directory, containing the NSS DB password. Check that the password is valid using
certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
(if the command succeeds then the password in pwdfile is OK).

You can also enable mod-nss debug in /etc/httpd/conf/nss.conf by setting "LogLevel debug", and check the output in /var/log/httpd/error_log.

Thanks, Morgan

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to