Morgan Marodin wrote: > Hi Rob. > > I've just tried to remove the group write to the *.db files, but it's > not the problem.
I didn't expect it to be but you don't want Apache having write access to your certs and keys. > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf > NSSNickname Server-Cert/ Ok. > > I've tried to run manually /dirsrv.target/ and /krb5kdc.service/, and it > works, services went up. > The same for /ntpd/, /named-pkcs11.service/, /smb.service/, > /winbind.service/, /kadmin.service/, /memcached.service/ and > /pki-tomcatd.target/. Good, so you can limp along for a while then. > Any other ideas? So you upgraded. What did you actually upgrade? Only the IPA packages or a lot more? What version is running now, and what version of mod_nss? $ rpm -q mod_nss Let's see if the NSS tools can find the cert: # certutil -V -u V -d /etc/httpd/alias -n Server-Cert Should come back with: certutil: certificate is valid rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project