Morgan Marodin wrote:
> Hi Rob.
> 
> I've just tried to remove the group write to the *.db files, but it's
> not the problem.

I didn't expect it to be but you don't want Apache having write access
to your certs and keys.

> [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
> NSSNickname Server-Cert

Ok.

> 
> I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it
> works, services went up.
> The same for /ntpd/, /named-pkcs11.service/, /smb.service/,
> /winbind.service/, /kadmin.service/, /memcached.service/ and
> /pki-tomcatd.target/.

Good, so you can limp along for a while then.

> Any other ideas?

So you upgraded. What did you actually upgrade? Only the IPA packages or
a lot more?

What version is running now, and what version of mod_nss?

$ rpm -q mod_nss

Let's see if the NSS tools can find the cert:

# certutil -V -u V -d /etc/httpd/alias -n Server-Cert

Should come back with: certutil: certificate is valid

rob
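
Added example, not part of the original message: a shell pre-flight that combines the checks discussed in this thread (the configured NSSNickname, group/world write bits on the *.db files, and the certutil validation). The function names and the `--run` switch are assumptions made for illustration; the default paths are the ones quoted above.

```shell
#!/bin/sh
# Pre-flight checks for a mod_nss certificate database (illustrative helper).

# Print the nickname set by the first active NSSNickname directive in a conf file.
nss_nickname() {
    # Commented-out directives do not match; the rest of the line is the nickname.
    sed -n 's/^[[:space:]]*NSSNickname[[:space:]]\{1,\}//p' "$1" |
        sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | head -n 1
}

# List *.db files directly inside a directory that are group- or world-writable.
writable_dbs() {
    find "$1" -maxdepth 1 -type f -name '*.db' \( -perm -020 -o -perm -002 \) | sort
}

# Run all checks; returns 0 if clean, 1 on a finding, 2 if no nickname is set.
check_nssdb() {
    conf=${1:-/etc/httpd/conf.d/nss.conf}
    db=${2:-/etc/httpd/alias}
    rc=0
    nick=$(nss_nickname "$conf")
    [ -n "$nick" ] || { echo "no NSSNickname in $conf" >&2; return 2; }
    bad=$(writable_dbs "$db")
    if [ -n "$bad" ]; then
        echo "group/world-writable database files:" >&2
        echo "$bad" >&2
        rc=1
    fi
    if command -v certutil >/dev/null 2>&1; then
        # Same validation as in the message above, using the configured nickname.
        certutil -V -u V -d "$db" -n "$nick" || rc=1
    else
        echo "certutil not installed; skipping validation of '$nick'" >&2
    fi
    return $rc
}

# Only act when explicitly asked, e.g.: sh check.sh --run [nss.conf] [dbdir]
if [ "${1:-}" = "--run" ]; then
    shift
    check_nssdb "$@"
fi
```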
